
use upper case for frame options, fixes #25

1 parent 4cbe5b8 commit cdebda5964f855f3a1981623e3b6d963f6525902 @rkh rkh committed Dec 10, 2012
Showing with 19 additions and 3 deletions.
  1. +6 −1 lib/rack/protection/frame_options.rb
  2. +13 −2 spec/frame_options_spec.rb
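--- a/lib/rack/protection/frame_options.rb
+++ b/lib/rack/protection/frame_options.rb
@@ -18,8 +18,13 @@ module Protection
 # to allow embedding from the same origin (default).
 class FrameOptions < XSSHeader
 default_options :frame_options => :sameorigin
+
 def header
-{ 'X-Frame-Options' => options[:frame_options].to_s }
+@header ||= begin
+frame_options = options[:frame_options]
+frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
+{ 'X-Frame-Options' => frame_options.to_str }
+end
 end
 end
 end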
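Review bot: The `respond_to? :to_str` guard in the new `header` means only Symbol values are upper-cased; a String such as `"deny"` or `"sameorigin"` is emitted verbatim in lowercase, and any unrecognised string is sent as-is, so a typo in the option yields an `X-Frame-Options` value browsers are not required to honour and the clickjacking protection can silently vanish. I would normalise the directive keyword for every value type and reject anything that is not DENY, SAMEORIGIN or ALLOW-FROM <origin>, so a misconfiguration fails closed rather than open. Raising inside `header` only surfaces the problem on the first HTML response; if the class has an initializer outside this hunk, the check belongs there instead. The rewrite below keeps the three outcomes the spec expects (`"SAMEORIGIN"`, `"DENY"`, `"ALLOW-FROM foo"`) and also drops the second `options[:frame_options]` lookup.
```ruby
def header
  @header ||= begin
    value = options[:frame_options].to_s
    # Upper-case only the directive keyword so an ALLOW-FROM origin is kept as given.
    value = value.sub(/\A\S+/) { |directive| directive.upcase }
    # A value the browser does not recognise gives no framing protection at all;
    # refuse to emit one instead of quietly sending it.
    unless value == 'DENY' || value == 'SAMEORIGIN' || value =~ /\AALLOW-FROM \S+\z/
      raise ArgumentError, "unsupported :frame_options value #{value.inspect}"
    end
    { 'X-Frame-Options' => value }
  end
end
```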
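--- a/spec/frame_options_spec.rb
+++ b/spec/frame_options_spec.rb
@@ -4,7 +4,7 @@
 it_behaves_like "any rack application"
 it 'should set the X-Frame-Options' do
-get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "sameorigin"
+get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "SAMEORIGIN"
 end
 it 'should not set the X-Frame-Options for other content types' do
@@ -18,7 +18,18 @@
 run DummyApp
 end
-get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "deny"
+get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "DENY"
+end
+
+
+it 'should allow changing the protection mode to a string' do
+# I have no clue what other modes are available
+mock_app do
+use Rack::Protection::FrameOptions, :frame_options => "ALLOW-FROM foo"
+run DummyApp
+end
+
+get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "ALLOW-FROM foo"
 end
 it 'should not override the header if already set' do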
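Review bot: The new example's comment `# I have no clue what other modes are available` leaves a question in the spec where the answer is known; the header's defined directives are DENY, SAMEORIGIN and ALLOW-FROM followed by one origin, so I'd replace it with `# Defined directives: DENY, SAMEORIGIN, ALLOW-FROM <origin>`. The new examples also cover only Symbols and one already-upper-cased String, so they do not pin down what happens to a lowercase String such as `"deny"`, which the `header` under test passes through unchanged because of its `respond_to? :to_str` branch. An example for that input would document the intended contract either way; the one below asserts upper-casing and fails against the current implementation, which is the point of adding it.
```ruby
it 'should upper-case a lowercase string protection mode' do
  mock_app do
    use Rack::Protection::FrameOptions, :frame_options => "deny"
    run DummyApp
  end

  get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "DENY"
end
```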

