
Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to default headers set.
guilleiguaran committed Dec 9, 2017
1 parent 55d4cf2 commit 5d7b70f4336d42eabfc403e9f6efceb88b3eff44
@@ -1,3 +1,8 @@
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
default headers set.
*Guillermo Iguaran*
* Add headless firefox support to System Tests.
*bogdanvlviv*
@@ -26,7 +26,9 @@ class Railtie < Rails::Railtie # :nodoc:
config.action_dispatch.default_headers = {
"X-Frame-Options" => "SAMEORIGIN",
"X-XSS-Protection" => "1; mode=block",
"X-Content-Type-Options" => "nosniff"
"X-Content-Type-Options" => "nosniff",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none"
}
config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
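Review bot: The two new entries in `config.action_dispatch.default_headers` carry no comment explaining what they do, and `X-Permitted-Cross-Domain-Policies` set to `"none"` is a visible behavior change for upgrading apps: it instructs Adobe Flash/Acrobat clients to ignore any crossdomain.xml the application serves, so an app that intentionally publishes a cross-domain policy file must override that key in `config.action_dispatch.default_headers`. Suggest a short comment above the two lines, e.g. `# "noopen": IE must not open downloads in the site's browser context; "none": clients ignore crossdomain.xml — override if the app serves one.` It would also help to state the override in the CHANGELOG entry in the first hunk. The enclosing Railtie class starts and ends outside the hunk.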
@@ -9,7 +9,7 @@ def hello
end
end
def test_response_has_default_headers
def test_response_does_not_have_default_headers
original_default_headers = ActionDispatch::Response.default_headers
ActionDispatch::Response.default_headers = {
@@ -311,13 +311,15 @@ def test_only_set_charset_still_defaults_to_text_html
end
end
test "read x_frame_options, x_content_type_options and x_xss_protection" do
test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do
original_default_headers = ActionDispatch::Response.default_headers
begin
ActionDispatch::Response.default_headers = {
"X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff",
"X-XSS-Protection" => "1;"
"X-XSS-Protection" => "1;",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none"
}
resp = ActionDispatch::Response.create.tap { |response|
response.body = "Hello"
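Review bot: The extended test still assigns `ActionDispatch::Response.default_headers` itself, so it checks that a Response copies whatever is in default_headers into its headers, not that the Railtie's new `"noopen"` and `"none"` defaults are actually in force for an application; the assertions in the next hunk (the one ending at the `ensure`) inherit the same gap. A test that reads the defaults as configured by the Railtie before overriding them, or an application-level test, would pin the new values the commit introduces. The test block opened at the `test "read x_frame_options, …" do` line closes outside this hunk.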
@@ -327,6 +329,8 @@ def test_only_set_charset_still_defaults_to_text_html
assert_equal("DENY", resp.headers["X-Frame-Options"])
assert_equal("nosniff", resp.headers["X-Content-Type-Options"])
assert_equal("1;", resp.headers["X-XSS-Protection"])
assert_equal("noopen", resp.headers["X-Download-Options"])
assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
ensure
ActionDispatch::Response.default_headers = original_default_headers
end

