Merge pull request #26 from send/x-content-type-options

X-Content-Type-Options feature
sinatra · Jun 28, 2012 · 5012be0 · 5012be0
2 parents e0a7186 + 4b563b2
commit 5012be0
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/lib/rack/protection/xss_header.rb b/lib/rack/protection/xss_header.rb
@@ -12,10 +12,15 @@ module Protection
     # Options:
     # xss_mode:: How the browser should prevent the attack (default: :block)
     class XSSHeader < Base
-      default_options :xss_mode => :block
+      default_options :xss_mode => :block, :nosniff => true
 
       def header
-        { 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" }
+        headers = {
+          'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
+          'X-Content-Type-Options' => "nosniff"
+        }
+        headers.delete("X-Content-Type-Options") unless options[:nosniff]
+        headers
       end
 
       def call(env)

diff --git a/spec/xss_header_spec.rb b/spec/xss_header_spec.rb
@@ -21,4 +21,22 @@
     mock_app with_headers("X-XSS-Protection" => "0")
     get('/').headers["X-XSS-Protection"].should == "0"
   end
+
+  it 'should set the X-Content-Type-Options' do
+    get('/').header["X-Content-Type-Options"].should == "nosniff"
+  end
+
+  it 'should allow changing the nosniff-mode off' do
+    mock_app do
+      use Rack::Protection::XSSHeader, :nosniff => false
+      run DummyApp
+    end
+
+    get('/').headers["X-Content-Type-Options"].should be_nil
+  end
+
+  it 'should not override the header if already set X-Content-Type-Options' do
+    mock_app with_headers("X-Content-Type-Options" => "sniff")
+    get('/').headers["X-Content-Type-Options"].should == "sniff"
+  end
 end