Set X-Frame-Options to SAMEORIGIN and add description to application.rb ... #6515
Conversation
@@ -102,6 +102,12 @@ module Finisher | |||
at_exit { app.queue_consumer.shutdown } | |||
end | |||
end | |||
|
|||
initializer :set_default_headers do |
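Review bot: this initializer is added to the generic Finisher module, next to the queue consumer shutdown hook, but a response header default belongs with the other ActionDispatch::Response defaults in ActionDispatch::Railtie, where default_charset is already assigned from app.config. Only the `initializer :set_default_headers do` line is visible in this hunk, so the block body that actually assigns the header cannot be reviewed here; moving it into the railtie keeps the header defaults in one place.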
This can go inside ActionDispatch::Railtie:
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/railtie.rb#L22
Hmm, agreed! (How to fix that, a PR again?)
But I think we will add https://developer.mozilla.org/en/Introducing_Content_Security_Policy pretty soon to the same initializer, and the dispatch initializer is huge enough.
Agree with Valim here, the if check is not needed, just assign directly.
You can fix this pull request and push with -f
@homakove no need for a new pull request, please do git commit --amend to amend the last commit and git push --force to overwrite your branch.
I found some time :)
@@ -59,6 +59,7 @@ class Response | |||
LOCATION = "Location".freeze | |||
|
|||
cattr_accessor(:default_charset) { "utf-8" } | |||
cattr_accessor(:default_x_frame_options) |
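Review bot: `cattr_accessor(:default_x_frame_options)` is declared without an initial value, unlike `cattr_accessor(:default_charset) { "utf-8" }` on the line above. cattr_accessor initialises the class variable to nil, and nil here means "do not emit the header", so either document that contract next to the accessor or give it an explicit block so the framework's secure default (SAMEORIGIN, as in the PR title) is visible at the declaration rather than only in the application generator.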
I'd initialize this to nil to avoid warnings
it is nil by default
```ruby
def cattr_reader(*syms)
  options = syms.extract_options!
  syms.each do |sym|
    raise NameError.new('invalid attribute name') unless sym =~ /^[_A-Za-z]\w*$/
    # The class variable is created as nil unless something defined it already,
    # so an accessor declared without a block reads as nil.
    class_eval(<<-EOS, __FILE__, __LINE__ + 1)
      unless defined? @@#{sym}
        @@#{sym} = nil
      end
      def self.#{sym}
        @@#{sym}
      end
    EOS
  end
end
```
True, cool :)
And a test would be awesome :)
@@ -160,6 +161,10 @@ def to_a | |||
|
|||
@header[SET_COOKIE] = @header[SET_COOKIE].join("\n") if @header[SET_COOKIE].respond_to?(:join) | |||
|
|||
if !self.class.default_x_frame_options.nil? |
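Review bot: `if !self.class.default_x_frame_options.nil?` can be written as `if self.class.default_x_frame_options`, since the accessor holds either nil or a header string. More important, the assignment inside this branch should only fill in the header when @header carries no X-Frame-Options yet; otherwise a stricter value chosen by the action (DENY, for instance) is replaced by the class-wide default on the way out of to_a.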
This could simply be: if self.class.default_x_frame_options
That commit contains fixes. I thought it would copy the commit message :/
@homakov git commit --amend to change the commit message, and git push -f :)
@spastorino voila! :)
Just a test is missing now. /cc @NZKoz wdyt?
@@ -24,6 +24,10 @@ class Railtie < Rails::Railtie | |||
ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header | |||
ActionDispatch::Response.default_charset = app.config.action_dispatch.default_charset || app.config.encoding | |||
|
|||
if config.action_dispatch.x_frame_options |
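Review bot: `if config.action_dispatch.x_frame_options` reads from `config` while the two lines above read from `app.config.action_dispatch`; use `app.config.action_dispatch.x_frame_options` for consistency with ignore_accept_header and default_charset. The guard is also redundant, because assigning nil to ActionDispatch::Response.default_x_frame_options is the same as leaving it unset, so a plain assignment without the if reads better.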
Is this if really necessary? I think this PR also needs tests and documentation.
Good idea BTW!
@exviva it's just an additional check. Someday we can change the class attribute to another value, and then it will rewrite even if it's nil, and it can cause a mess. So it's not really necessary, but we need it :)
I will provide 'em!
@josevalim added a test
X-Frame-Options is responsible for displaying the website content in frames. By disallowing it we mitigate active XSSes and clickjacking attacks. Closes #6311
Hallelujah, fixed a slight mistake with 'app.config' and made it as @exviva suggested (for now we can assign directly).
It looks good. I am waiting for @NZKoz feedback before we merge, thanks!
@@ -147,6 +147,16 @@ def test_response_body_encoding | |||
ActionDispatch::Response.default_charset = original | |||
end | |||
end | |||
|
|||
test "read x_frame_options" do |
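Review bot: the preceding test restores ActionDispatch::Response.default_charset to `original` in an ensure block, and this new test needs the same treatment for default_x_frame_options, otherwise the value it assigns leaks into every later test in the suite. It should also cover the nil default (no header emitted) and a header already present on the response (not overwritten), which are the two behaviours the to_a change is meant to guarantee.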
How about also adding these tests:
- when ActionDispatch::Response.default_x_frame_options is nil, the 'X-Frame-Options' header is not set
- when the response header is already set, it's not overwritten by ActionDispatch::Response.default_x_frame_options
It's also good practice to reset global state after each test (in your case ActionDispatch::Response.default_x_frame_options = 'DENY' will persist between tests).
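The three behaviours discussed in this thread (the default is applied, a nil default adds nothing, and a header the action already set is kept) written out against a small stand-in for ActionDispatch::Response. This is an added example, not code from the rails/rails pull request or from Rails itself: the class name MiniResponse, the with_default_x_frame_options helper and the three header_* functions are assumptions made here, and the class-level accessor is a plain attr_accessor rather than ActiveSupport's cattr_accessor. It also shows the reset-after-each-test pattern suggested above, so the class-wide default never leaks between cases.

```ruby
# Added example (not from the rails/rails PR): a minimal stand-in for
# ActionDispatch::Response showing how a class-level default X-Frame-Options
# value is applied in to_a without clobbering a header the action already set.
class MiniResponse
  X_FRAME_OPTIONS = "X-Frame-Options".freeze

  class << self
    # Stands in for the PR's cattr_accessor: nil means "do not add the header".
    attr_accessor :default_x_frame_options
  end

  attr_reader :status, :header, :body

  def initialize(status = 200, header = {}, body = [])
    @status = status
    @header = header
    @body   = body
  end

  # Rack-style triple. The default is written only when the header is absent,
  # and a nil default leaves the response untouched (plain truthiness check,
  # as suggested in review, instead of `!...nil?`).
  def to_a
    default = self.class.default_x_frame_options
    @header[X_FRAME_OPTIONS] ||= default if default
    [@status, @header, @body]
  end
end

# Runs a block with a temporary class-level default and restores the previous
# value afterwards, so global state does not persist between test cases.
def with_default_x_frame_options(value)
  original = MiniResponse.default_x_frame_options
  MiniResponse.default_x_frame_options = value
  yield
ensure
  MiniResponse.default_x_frame_options = original
end

# 1. Default set, header absent: the default lands in the response.
def header_with_default(value = "SAMEORIGIN")
  with_default_x_frame_options(value) do
    MiniResponse.new.to_a[1][MiniResponse::X_FRAME_OPTIONS]
  end
end

# 2. Default nil: returns whether an X-Frame-Options header was added (false).
def header_without_default
  with_default_x_frame_options(nil) do
    MiniResponse.new.to_a[1].key?(MiniResponse::X_FRAME_OPTIONS)
  end
end

# 3. Header already set by the action: the class default must not overwrite it.
def header_preset_is_kept(preset = "DENY")
  with_default_x_frame_options("SAMEORIGIN") do
    response = MiniResponse.new(200, { MiniResponse::X_FRAME_OPTIONS => preset })
    response.to_a[1][MiniResponse::X_FRAME_OPTIONS]
  end
end

if __FILE__ == $0
  puts "default applied:  #{header_with_default}"
  puts "nil default adds: #{header_without_default}"
  puts "preset kept:      #{header_preset_is_kept}"
  puts "state restored:   #{MiniResponse.default_x_frame_options.inspect}"
end
```

Running the file prints SAMEORIGIN, false, DENY and nil in that order. The same `||=` merge is what a hash of default headers (the later idea in this thread, with a Content-Security-Policy string alongside X-Frame-Options) would need per key: fill in what the action left unset, never replace what it chose.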
bump :) @NZKoz
do not merge, I got a new idea!
This config is easy to understand and maintain, and agile if you just want to add your own default header. It may also contain a content security policy string.
Good plan. I believe we already have a default headers thing? Sent from my iPhone
do we? r u sure
Not sure at all. :) Trust the code, not me. :)
@josevalim trust me, we don't :)
...generator. Closes #6311