diff options
| author | Guillermo Iguaran <guilleiguaran@gmail.com> | 2017-12-09 15:41:55 -0500 |
|---|---|---|
| committer | Guillermo Iguaran <guilleiguaran@gmail.com> | 2017-12-09 15:41:55 -0500 |
| commit | 5d7b70f4336d42eabfc403e9f6efceb88b3eff44 (patch) | |
| tree | ba3ae0210fbd69372cd733d8f6f68de70ef4607e | |
| parent | 55d4cf2a9c1a6e77ed7aedb866e964039bb4a143 (diff) | |
| download | rails-5d7b70f4336d42eabfc403e9f6efceb88b3eff44.tar.gz rails-5d7b70f4336d42eabfc403e9f6efceb88b3eff44.tar.bz2 rails-5d7b70f4336d42eabfc403e9f6efceb88b3eff44.zip | |
Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to default headers set.
| -rw-r--r-- | actionpack/CHANGELOG.md | 5 | ||||
| -rw-r--r-- | actionpack/lib/action_dispatch/railtie.rb | 4 | ||||
| -rw-r--r-- | actionpack/test/controller/metal_test.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/dispatch/response_test.rb | 8 |
4 files changed, 15 insertions, 4 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 753dd8589a..209066ae07 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,8 @@ +* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to + default headers set. + + *Guillermo Iguaran* + * Add headless firefox support to System Tests. *bogdanvlviv* diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb index 855f2ffa47..95e99987a0 100644 --- a/actionpack/lib/action_dispatch/railtie.rb +++ b/actionpack/lib/action_dispatch/railtie.rb @@ -26,7 +26,9 @@ module ActionDispatch config.action_dispatch.default_headers = { "X-Frame-Options" => "SAMEORIGIN", "X-XSS-Protection" => "1; mode=block", - "X-Content-Type-Options" => "nosniff" + "X-Content-Type-Options" => "nosniff", + "X-Download-Options" => "noopen", + "X-Permitted-Cross-Domain-Policies" => "none" } config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new diff --git a/actionpack/test/controller/metal_test.rb b/actionpack/test/controller/metal_test.rb index c235c9df86..c3ebcb22b8 100644 --- a/actionpack/test/controller/metal_test.rb +++ b/actionpack/test/controller/metal_test.rb @@ -9,7 +9,7 @@ class MetalControllerInstanceTests < ActiveSupport::TestCase end end - def test_response_has_default_headers + def test_response_does_not_have_default_headers original_default_headers = ActionDispatch::Response.default_headers ActionDispatch::Response.default_headers = { diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb index c4ee3add2a..4e350162c9 100644 --- a/actionpack/test/dispatch/response_test.rb +++ b/actionpack/test/dispatch/response_test.rb @@ -311,13 +311,15 @@ class ResponseTest < ActiveSupport::TestCase end end - test "read x_frame_options, x_content_type_options and x_xss_protection" do + test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do original_default_headers = ActionDispatch::Response.default_headers begin ActionDispatch::Response.default_headers = { "X-Frame-Options" => "DENY", "X-Content-Type-Options" => "nosniff", - "X-XSS-Protection" => "1;" + "X-XSS-Protection" => "1;", + "X-Download-Options" => "noopen", + "X-Permitted-Cross-Domain-Policies" => "none" } resp = ActionDispatch::Response.create.tap { |response| response.body = "Hello" @@ -327,6 +329,8 @@ class ResponseTest < ActiveSupport::TestCase assert_equal("DENY", resp.headers["X-Frame-Options"]) assert_equal("nosniff", resp.headers["X-Content-Type-Options"]) assert_equal("1;", resp.headers["X-XSS-Protection"]) + assert_equal("noopen", resp.headers["X-Download-Options"]) + assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"]) ensure ActionDispatch::Response.default_headers = original_default_headers end |