Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to default headers set.
guilleiguaran committed Dec 9, 2017
1 parent 55d4cf2 commit 5d7b70f
Showing 4 changed files with 15 additions and 4 deletions.
@@ -1,3 +1,8 @@
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
default headers set.

*Guillermo Iguaran*

* Add headless firefox support to System Tests.

*bogdanvlviv*
@@ -26,7 +26,9 @@ class Railtie < Rails::Railtie # :nodoc:
config.action_dispatch.default_headers = {
"X-Frame-Options" => "SAMEORIGIN",
"X-XSS-Protection" => "1; mode=block",
"X-Content-Type-Options" => "nosniff"
"X-Content-Type-Options" => "nosniff",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none"
}

config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
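Review bot: The two new entries are added to a hash that is assigned wholesale on the `config.action_dispatch.default_headers =` line, so any application that already sets `config.action_dispatch.default_headers = { ... }` in its own config replaces the entire set and silently loses `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` (along with the three older headers); it would be worth calling that out in the CHANGELOG entry or a comment, e.g. `# Assigning default_headers in app config replaces this whole hash; merge into it to keep these defaults.` A short why-comment on the values themselves would also help the next reader, since neither name is self-explanatory: `# "noopen" stops IE from opening a download in this site's origin; "none" tells Flash/Acrobat to ignore cross-domain policy files.` Both are legacy, client-specific mitigations and do not substitute for a Content-Security-Policy, which this default set still does not ship. The `Railtie` class continues outside the hunk.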
@@ -9,7 +9,7 @@ def hello
end
end

def test_response_has_default_headers
def test_response_does_not_have_default_headers
original_default_headers = ActionDispatch::Response.default_headers

ActionDispatch::Response.default_headers = {
@@ -311,13 +311,15 @@ def test_only_set_charset_still_defaults_to_text_html
end
end

test "read x_frame_options, x_content_type_options and x_xss_protection" do
test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do
original_default_headers = ActionDispatch::Response.default_headers
begin
ActionDispatch::Response.default_headers = {
"X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff",
"X-XSS-Protection" => "1;"
"X-XSS-Protection" => "1;",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none"
}
resp = ActionDispatch::Response.create.tap { |response|
response.body = "Hello"
@@ -327,6 +329,8 @@ def test_only_set_charset_still_defaults_to_text_html
assert_equal("DENY", resp.headers["X-Frame-Options"])
assert_equal("nosniff", resp.headers["X-Content-Type-Options"])
assert_equal("1;", resp.headers["X-XSS-Protection"])
assert_equal("noopen", resp.headers["X-Download-Options"])
assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
ensure
ActionDispatch::Response.default_headers = original_default_headers
end
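Review bot: The extended test assigns an explicit `default_headers` hash and asserts it is copied onto the response, so it proves header propagation, not that the railtie actually ships `X-Download-Options: noopen` and `X-Permitted-Cross-Domain-Policies: none` by default; unless a railtie/configuration test exists elsewhere, the new defaults themselves are untested. A test that reads `ActionDispatch::Response.default_headers` after the railtie initializer runs and asserts the two new keys would close that gap. As a point of style, the test name on the `test "read x_frame_options, ..."` line now lists five headers; something like `test "read all default security headers"` keeps the intent without growing on each addition. The enclosing test method begins before the first hunk and its `ensure` block is shown here.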
