authorJim Jones <jjones@aantix.com>2012-08-18 15:29:58 -0700
committerJim Jones <jjones@aantix.com>2012-08-18 15:29:58 -0700
commit4848bf321b34cc06990bf6e3e10cbadaf992bc37 (patch)
treec287546075524fa619e965de5ca315fd654ebf7e
parentdb78e58294c5e4ee6fb960c79f882c80b22afbcf (diff)
downloadrails-4848bf321b34cc06990bf6e3e10cbadaf992bc37.tar.gz
rails-4848bf321b34cc06990bf6e3e10cbadaf992bc37.tar.bz2
rails-4848bf321b34cc06990bf6e3e10cbadaf992bc37.zip
Added X-Content-Type-Options to the header defaults.
With a value of "nosniff", this prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
-rw-r--r--actionpack/CHANGELOG.md5
-rw-r--r--actionpack/lib/action_dispatch/railtie.rb3
-rw-r--r--actionpack/test/dispatch/response_test.rb4
-rw-r--r--guides/source/configuring.textile2
4 files changed, 9 insertions, 5 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 95fc79b791..095957e1a2 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -51,8 +51,9 @@
*Richard Schneeman*
-* Add 'X-Frame-Options' => 'SAMEORIGIN' and
- 'X-XSS-Protection' => '1; mode=block'
+* Add 'X-Frame-Options' => 'SAMEORIGIN'
+ 'X-XSS-Protection' => '1; mode=block' and
+ 'X-Content-Type-Options' => 'nosniff'
as default headers.
*Egor Homakov*
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 0dcf1fc4fe..5aad8dd23a 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -21,7 +21,8 @@ module ActionDispatch
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'SAMEORIGIN',
- 'X-XSS-Protection' => '1; mode=block'
+ 'X-XSS-Protection' => '1; mode=block',
+ 'X-Content-Type-Options' => 'nosniff'
}
initializer "action_dispatch.configure" do |app|
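Review bot: The new `'X-Content-Type-Options' => 'nosniff'` entry carries no explanation of why it is a default or what it requires of the application, which matters because `nosniff` makes browsers honour the declared `Content-Type` strictly, so any response whose `Content-Type` does not match its body (a script or stylesheet served with a generic type, for example) is affected once this ships. A short comment on the hash, e.g. `# 'nosniff' stops browsers from MIME-sniffing a response away from its declared Content-Type, so every response must declare an accurate type`, would tell maintainers what the header depends on. The `default_headers` hash is also a mutable literal assigned to config; whether anything later freezes it is not visible in this hunk. The enclosing `module ActionDispatch` and its class start outside the hunk.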
diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb
index 71609d7340..4d699bd739 100644
--- a/actionpack/test/dispatch/response_test.rb
+++ b/actionpack/test/dispatch/response_test.rb
@@ -177,9 +177,10 @@ class ResponseTest < ActiveSupport::TestCase
end
end
- test "read x_frame_options and x_xss_protection" do
+ test "read x_frame_options, x_content_type_options and x_xss_protection" do
ActionDispatch::Response.default_headers = {
'X-Frame-Options' => 'DENY',
+ 'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '1;'
}
resp = ActionDispatch::Response.new.tap { |response|
@@ -188,6 +189,7 @@ class ResponseTest < ActiveSupport::TestCase
resp.to_a
assert_equal('DENY', resp.headers['X-Frame-Options'])
+ assert_equal('nosniff', resp.headers['X-Content-Type-Options'])
assert_equal('1;', resp.headers['X-XSS-Protection'])
end
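Review bot: The first hunk assigns `ActionDispatch::Response.default_headers` at class level with `'X-Frame-Options' => 'DENY'` and the new `'X-Content-Type-Options' => 'nosniff'`, but nothing in either hunk restores the previous value, so if no teardown outside the hunk does, every later test in the process inherits these overridden defaults. If that is the case, capturing the original in the test and resetting it in an `ensure` (or a `teardown`) would keep the assertion on `resp.headers['X-Content-Type-Options']` from depending on test order. The test body runs across both hunks, and the setup that precedes the `resp = ActionDispatch::Response.new.tap` line continues outside the first hunk.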
diff --git a/guides/source/configuring.textile b/guides/source/configuring.textile
index 5ed3ad4a6b..c29b70ad5b 100644
--- a/guides/source/configuring.textile
+++ b/guides/source/configuring.textile
@@ -341,7 +341,7 @@ h4. Configuring Action Dispatch
* +config.action_dispatch.default_headers+ is a hash with HTTP headers that are set by default in each response. By default, this is defined as:
<ruby>
-config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block' }
+config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff' }
</ruby>
* +config.action_dispatch.tld_length+ sets the TLD (top-level domain) length for the application. Defaults to +1+.