Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policie…

…s` to default headers set.
rails · Dec 9, 2017 · 5d7b70f4336d42eabfc403e9f6efceb88b3eff44 · 5d7b70f
1 parent 55d4cf2
commit 5d7b70f4336d42eabfc403e9f6efceb88b3eff44
Unified Split

Showing with 15 additions and 4 deletions.

+5 −0 actionpack/CHANGELOG.md

+3 −1 actionpack/lib/action_dispatch/railtie.rb

+1 −1 actionpack/test/controller/metal_test.rb

+6 −2 actionpack/test/dispatch/response_test.rb
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+*   Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
+    default headers set.
+
+    *Guillermo Iguaran*
+
 *   Add headless firefox support to System Tests.

    *bogdanvlviv*
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
@@ -26,7 +26,9 @@ class Railtie < Rails::Railtie # :nodoc:
    config.action_dispatch.default_headers = {
      "X-Frame-Options" => "SAMEORIGIN",
      "X-XSS-Protection" => "1; mode=block",
-      "X-Content-Type-Options" => "nosniff"
+      "X-Content-Type-Options" => "nosniff",
+      "X-Download-Options" => "noopen",
+      "X-Permitted-Cross-Domain-Policies" => "none"
    }

    config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
diff --git a/actionpack/test/controller/metal_test.rb b/actionpack/test/controller/metal_test.rb
@@ -9,7 +9,7 @@ def hello
    end
  end

-  def test_response_has_default_headers
+  def test_response_does_not_have_default_headers
    original_default_headers = ActionDispatch::Response.default_headers

    ActionDispatch::Response.default_headers = {
diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb
@@ -311,13 +311,15 @@ def test_only_set_charset_still_defaults_to_text_html
    end
  end

-  test "read x_frame_options, x_content_type_options and x_xss_protection" do
+  test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do
    original_default_headers = ActionDispatch::Response.default_headers
    begin
      ActionDispatch::Response.default_headers = {
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff",
-        "X-XSS-Protection" => "1;"
+        "X-XSS-Protection" => "1;",
+        "X-Download-Options" => "noopen",
+        "X-Permitted-Cross-Domain-Policies" => "none"
      }
      resp = ActionDispatch::Response.create.tap { |response|
        response.body = "Hello"
@@ -327,6 +329,8 @@ def test_only_set_charset_still_defaults_to_text_html
      assert_equal("DENY", resp.headers["X-Frame-Options"])
      assert_equal("nosniff", resp.headers["X-Content-Type-Options"])
      assert_equal("1;", resp.headers["X-XSS-Protection"])
+      assert_equal("noopen", resp.headers["X-Download-Options"])
+      assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
    ensure
      ActionDispatch::Response.default_headers = original_default_headers
    end