rework protection headers, fixes #40
rkh committed Mar 1, 2013
1 parent 4f7bb36 commit c823079
Showing 3 changed files with 18 additions and 14 deletions.
14 changes: 10 additions & 4 deletions lib/rack/protection/frame_options.rb
Expand Up @@ -16,16 +16,22 @@ module Protection
# frame_options:: Defines who should be allowed to embed the page in a # frame_options:: Defines who should be allowed to embed the page in a
# frame. Use :deny to forbid any embedding, :sameorigin # frame. Use :deny to forbid any embedding, :sameorigin
# to allow embedding from the same origin (default). # to allow embedding from the same origin (default).
class FrameOptions < XSSHeader class FrameOptions < Base
default_options :frame_options => :sameorigin default_options :frame_options => :sameorigin


def header def frame_options
@header ||= begin @frame_options ||= begin
frame_options = options[:frame_options] frame_options = options[:frame_options]
frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
{ 'X-Frame-Options' => frame_options.to_str } frame_options.to_str
end end
end end

def call(env)
status, headers, body = @app.call(env)
headers['X-Frame-Options'] ||= frame_options if html? headers
[status, headers, body]
end
end end
end end
end end
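Review bot: The `||=` in `call` is what lets a header the application already set win, but the hunk does not show what kind of hash `headers` is; if it is a plain Hash rather than a case-insensitive header hash, an app-set `x-frame-options` under a different casing would not be seen and a second, conflicting X-Frame-Options header would be emitted for the browser to resolve — worth confirming against `Base`. The new `frame_options` reader also memoises in `@frame_options` and lets string values through verbatim while only symbols are upcased, and neither is recorded anywhere. A comment above `def frame_options` such as `# Value for X-Frame-Options, computed once: symbols are upcased (:deny -> "DENY"), strings are used as given.` and `# HTML responses only; an X-Frame-Options the app already set is left untouched.` above the `||=` line would make the contract explicit.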
12 changes: 2 additions & 10 deletions lib/rack/protection/xss_header.rb
Expand Up @@ -14,18 +14,10 @@ module Protection
class XSSHeader < Base class XSSHeader < Base
default_options :xss_mode => :block, :nosniff => true default_options :xss_mode => :block, :nosniff => true


def header
headers = {
'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
'X-Content-Type-Options' => "nosniff"
}
headers.delete("X-Content-Type-Options") unless options[:nosniff]
headers
end

def call(env) def call(env)
status, headers, body = @app.call(env) status, headers, body = @app.call(env)
headers = header.merge(headers) if options[:nosniff] and html?(headers) headers['X-XSS-Protection'] ||= "1; mode=#{options[:xss_mode]}" if html? headers
headers['X-Content-Type-Options'] ||= 'nosniff' if options[:nosniff]
[status, headers, body] [status, headers, body]
end end
end end
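Review bot: The `X-Content-Type-Options` line is no longer gated on `html?`, so nosniff now reaches every response while `X-XSS-Protection` stays HTML-only; the spec change pins this split, but nothing in the code says it is deliberate. `options[:xss_mode]` is also interpolated into the header value unchecked, so a misconfigured value such as `nil` produces `"1; mode="`. Suggest `# X-XSS-Protection is only meaningful for HTML; nosniff guards every content type, so it is applied unconditionally.` above the first `||=`, and a one-line check that the configured mode is one the header accepts.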
6 changes: 6 additions & 0 deletions spec/xss_header_spec.rb
Expand Up @@ -34,6 +34,12 @@
get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff" get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
end end



it 'should set the X-Content-Type-Options for other content types' do
get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
end


it 'should allow changing the nosniff-mode off' do it 'should allow changing the nosniff-mode off' do
mock_app do mock_app do
use Rack::Protection::XSSHeader, :nosniff => false use Rack::Protection::XSSHeader, :nosniff => false
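Review bot: The new example only pins the positive half of the behaviour — nosniff on `application/foo` — and there is still no assertion that `X-XSS-Protection` is not added for non-HTML responses, which is the other half of what `XSSHeader#call` now does. Adding `get('/', {}, 'wants' => 'application/foo').header["X-XSS-Protection"].should be_nil` next to it would lock in the split so a later change cannot silently widen the header to every content type. The enclosing `describe` block starts outside the hunk.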
