diff options
author | Jim Jones <jjones@aantix.com> | 2012-08-18 15:29:58 -0700 |
---|---|---|
committer | Jim Jones <jjones@aantix.com> | 2012-08-18 15:29:58 -0700 |
commit | 4848bf321b34cc06990bf6e3e10cbadaf992bc37 (patch) | |
tree | c287546075524fa619e965de5ca315fd654ebf7e | |
parent | db78e58294c5e4ee6fb960c79f882c80b22afbcf (diff) | |
download | rails-4848bf321b34cc06990bf6e3e10cbadaf992bc37.tar.gz rails-4848bf321b34cc06990bf6e3e10cbadaf992bc37.tar.bz2 rails-4848bf321b34cc06990bf6e3e10cbadaf992bc37.zip |
Added X-Content-Type-Options to the header defaults.
With a value of "nosniff", this prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
-rw-r--r-- | actionpack/CHANGELOG.md | 5 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/railtie.rb | 3 | ||||
-rw-r--r-- | actionpack/test/dispatch/response_test.rb | 4 | ||||
-rw-r--r-- | guides/source/configuring.textile | 2 |
4 files changed, 9 insertions, 5 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 95fc79b791..095957e1a2 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -51,8 +51,9 @@ *Richard Schneeman* -* Add 'X-Frame-Options' => 'SAMEORIGIN' and - 'X-XSS-Protection' => '1; mode=block' +* Add 'X-Frame-Options' => 'SAMEORIGIN' + 'X-XSS-Protection' => '1; mode=block' and + 'X-Content-Type-Options' => 'nosniff' as default headers. *Egor Homakov* diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb index 0dcf1fc4fe..5aad8dd23a 100644 --- a/actionpack/lib/action_dispatch/railtie.rb +++ b/actionpack/lib/action_dispatch/railtie.rb @@ -21,7 +21,8 @@ module ActionDispatch config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', - 'X-XSS-Protection' => '1; mode=block' + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff' } initializer "action_dispatch.configure" do |app| diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb index 71609d7340..4d699bd739 100644 --- a/actionpack/test/dispatch/response_test.rb +++ b/actionpack/test/dispatch/response_test.rb @@ -177,9 +177,10 @@ class ResponseTest < ActiveSupport::TestCase end end - test "read x_frame_options and x_xss_protection" do + test "read x_frame_options, x_content_type_options and x_xss_protection" do ActionDispatch::Response.default_headers = { 'X-Frame-Options' => 'DENY', + 'X-Content-Type-Options' => 'nosniff', 'X-XSS-Protection' => '1;' } resp = ActionDispatch::Response.new.tap { |response| @@ -188,6 +189,7 @@ class ResponseTest < ActiveSupport::TestCase resp.to_a assert_equal('DENY', resp.headers['X-Frame-Options']) + assert_equal('nosniff', resp.headers['X-Content-Type-Options']) assert_equal('1;', resp.headers['X-XSS-Protection']) end diff --git a/guides/source/configuring.textile b/guides/source/configuring.textile index 5ed3ad4a6b..c29b70ad5b 100644 --- a/guides/source/configuring.textile +++ b/guides/source/configuring.textile @@ -341,7 +341,7 @@ h4. Configuring Action Dispatch * +config.action_dispatch.default_headers+ is a hash with HTTP headers that are set by default in each response. By default, this is defined as: <ruby> -config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block' } +config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff' } </ruby> * +config.action_dispatch.tld_length+ sets the TLD (top-level domain) length for the application. Defaults to +1+. |