Permalink
Browse files

rework protection headers, fixes #40

  • Loading branch information...
1 parent 4f7bb36 commit c823079365b56e902b0b7f3bf45af75eb2fa092c @rkh rkh committed Mar 1, 2013
Showing with 18 additions and 14 deletions.
  1. +10 −4 lib/rack/protection/frame_options.rb
  2. +2 −10 lib/rack/protection/xss_header.rb
  3. +6 −0 spec/xss_header_spec.rb
@@ -16,16 +16,22 @@ module Protection
# frame_options:: Defines who should be allowed to embed the page in a
# frame. Use :deny to forbid any embedding, :sameorigin
# to allow embedding from the same origin (default).
- class FrameOptions < XSSHeader
+ class FrameOptions < Base
default_options :frame_options => :sameorigin
- def header
- @header ||= begin
+ def frame_options
+ @frame_options ||= begin
frame_options = options[:frame_options]
frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
- { 'X-Frame-Options' => frame_options.to_str }
+ frame_options.to_str
end
end
+
+ def call(env)
+ status, headers, body = @app.call(env)
+ headers['X-Frame-Options'] ||= frame_options if html? headers
+ [status, headers, body]
+ end
end
end
end
@@ -14,18 +14,10 @@ module Protection
class XSSHeader < Base
default_options :xss_mode => :block, :nosniff => true
- def header
- headers = {
- 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
- 'X-Content-Type-Options' => "nosniff"
- }
- headers.delete("X-Content-Type-Options") unless options[:nosniff]
- headers
- end
-
def call(env)
status, headers, body = @app.call(env)
- headers = header.merge(headers) if options[:nosniff] and html?(headers)
+ headers['X-XSS-Protection'] ||= "1; mode=#{options[:xss_mode]}" if html? headers
+ headers['X-Content-Type-Options'] ||= 'nosniff' if options[:nosniff]
[status, headers, body]
end
end
View
@@ -34,6 +34,12 @@
get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
end
+
+ it 'should set the X-Content-Type-Options for other content types' do
+ get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
+ end
+
+
it 'should allow changing the nosniff-mode off' do
mock_app do
use Rack::Protection::XSSHeader, :nosniff => false

0 comments on commit c823079

Please sign in to comment.