Set X-Frame-Options to SAMEORIGIN and add description to application.rb ... #6515
Conversation
| @@ -102,6 +102,12 @@ module Finisher | |||
| at_exit { app.queue_consumer.shutdown } | |||
| end | |||
| end | |||
|
|
|||
| initializer :set_default_headers do | |||
There was a problem hiding this comment.
This can go inside ActionDispatch::Railtie:
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/railtie.rb#L22
There was a problem hiding this comment.
Hmm, Agreed! (how to fix that, PR again?)
but I think we will add https://developer.mozilla.org/en/Introducing_Content_Security_Policy pretty soon to the same initializer - and dispatch initializer is huge enough.
There was a problem hiding this comment.
Agree with Valim here the if is not needed just assign directly
There was a problem hiding this comment.
You can fix this pull request and push with -f
There was a problem hiding this comment.
@homakove no need for new pull request, please do git commit --amend to amend to the last commit and git push --force to overwrite your branch
|
I found some time :) |
| @@ -59,6 +59,7 @@ class Response | |||
| LOCATION = "Location".freeze | |||
|
|
|||
| cattr_accessor(:default_charset) { "utf-8" } | |||
| cattr_accessor(:default_x_frame_options) | |||
There was a problem hiding this comment.
I'd initialize this to nil to avoid warnings
There was a problem hiding this comment.
it is nil by default
def cattr_reader(*syms)
options = syms.extract_options!
syms.each do |sym|
raise NameError.new('invalid attribute name') unless sym =~ /^[_A-Za-z]\w*$/
class_eval(<<-EOS, __FILE__, __LINE__ + 1)
unless defined? @@#{sym}
@@#{sym} = nil
end
def self.#{sym}
@@#{sym}
end
EOS
|
And test would be awesome :) |
| @@ -160,6 +161,10 @@ def to_a | |||
|
|
|||
| @header[SET_COOKIE] = @header[SET_COOKIE].join("\n") if @header[SET_COOKIE].respond_to?(:join) | |||
|
|
|||
| if !self.class.default_x_frame_options.nil? | |||
There was a problem hiding this comment.
This could simply be :
if self.class.default_x_frame_options
that commit contains fixes. I thought it will copy commit message :/ |
|
@homakov git commit --amend change the commit message and git push -f :) |
|
@spastorino voila! :) |
|
Just a test is missing now. /cc @NZKoz wdyt? |
| @@ -24,6 +24,10 @@ class Railtie < Rails::Railtie | |||
| ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header | |||
| ActionDispatch::Response.default_charset = app.config.action_dispatch.default_charset || app.config.encoding | |||
|
|
|||
| if config.action_dispatch.x_frame_options | |||
There was a problem hiding this comment.
Is this if really necessary? I think this PR also needs tests and documentation.
Good idea BTW!
There was a problem hiding this comment.
@exviva it's just additional check. Someday we can change class attribute to another value and then it will rewrite even if it's nil and it can cause mess. So, it's not really necessary but we need it :)
I will provide 'em!
|
@josevalim added a test |
X-Frame-Options is responsible for displaing the website content in frames. Disallowing it we mitigate Active XSSes and Clickjacking attacks. Closes #6311
|
hallelujah, fixed slight mistake with 'app.config' and made it as @exviva (for now we can assign directly) |
|
It looks good. I am waiting for @NZKoz feedback before we merge, thanks! |
| @@ -147,6 +147,16 @@ def test_response_body_encoding | |||
| ActionDispatch::Response.default_charset = original | |||
| end | |||
| end | |||
|
|
|||
| test "read x_frame_options" do | |||
There was a problem hiding this comment.
How about also adding these tests:
- when
ActionDispatch::Response.default_x_frame_optionsisnil, the'X-Frame-Options'header is not set - when the response header is already set, it's not overwritten by
ActionDispatch::Response.default_x_frame_options
It's also good practice to reset global state after each test (in your case ActionDispatch::Response.default_x_frame_options = 'DENY' will persist between tests).
|
bump :) @NZKoz |
|
do not merge, I got a new idea! This config is easy to understand and maintain, and agile if you just want to add your own default header. It may also contain content security policy string. |
|
Good plan. I believe we already have a default headers thing? Sent from my iPhone |
|
do we? r u sure |
|
Not sure at all. :) Trust the code, not me. :) |
|
@josevalim trust me, we don't :) |
...generator. Closes #6311