authorJon Moss <me@jonathanmoss.me>2017-03-29 17:36:54 -0400
committerJon Moss <me@jonathanmoss.me>2017-03-29 19:26:39 -0400
commit9d695743dee0eb57cedd1f0e7a9dc1a16ef0b530 (patch)
tree234936a7a79bc683e0a9be881b5ba65fe87d516e /actionpack
parentf77a6be8d23f048ced4fac54f1f4caea5e0749d7 (diff)
Do not include default response headers for AC::Metal
In Rails 4.2, `ActionController::Metal` controllers did not include the default headers from `ActionDispatch::Response`. However, through e16afe6, and a general shift towards having `ActionController::Metal` objects contain `ActionDispatch::Response` objects (instead of just returning an array of status, headers, and body), this behavior was lost. This PR helps to restore the original behavior by having `ActionController::Metal` controllers generate Response objects without the default headers, while `ActionController::Base` now overrides the factory method to make sure its version does have the default headers.
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_controller/base.rb6
-rw-r--r--actionpack/lib/action_controller/metal.rb2
-rw-r--r--actionpack/test/controller/base_test.rb27
-rw-r--r--actionpack/test/controller/metal_test.rb30
4 files changed, 64 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index 0fe0853da3..b420e00c78 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -261,6 +261,12 @@ module ActionController
PROTECTED_IVARS
end
+ def self.make_response!(request)
+ ActionDispatch::Response.create.tap do |res|
+ res.request = request
+ end
+ end
+
ActiveSupport.run_load_hooks(:action_controller, self)
end
end
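Review bot: The new `Base.make_response!` is a near copy of the Metal method, and nothing at the definition says that `create` versus `new` is the one intended difference. Going by the commit description, `create` is the call that applies `ActionDispatch::Response.default_headers`, so a later cleanup that removes this apparent duplicate would silently drop headers such as X-Frame-Options from every Base controller. I would add a comment above the method, for example `# Overrides Metal.make_response! so Base responses are built with Response.create and keep the configured default headers.` The enclosing class starts outside the hunk.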
diff --git a/actionpack/lib/action_controller/metal.rb b/actionpack/lib/action_controller/metal.rb
index 74c4153cd2..246644dcbd 100644
--- a/actionpack/lib/action_controller/metal.rb
+++ b/actionpack/lib/action_controller/metal.rb
@@ -129,7 +129,7 @@ module ActionController
end
def self.make_response!(request)
- ActionDispatch::Response.create.tap do |res|
+ ActionDispatch::Response.new.tap do |res|
res.request = request
end
end
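Review bot: Switching to `Response.new` means `ActionController::Metal` endpoints no longer send the configured default headers, and nothing at `make_response!` warns the reader about it. In the tests added by this commit those headers include X-Frame-Options and X-Content-Type-Options, so applications that serve browser-facing content from Metal controllers and upgraded through the releases that did send them lose that protection without any signal. I would add a comment above the method such as `# Metal responses deliberately skip Response.default_headers; set any security headers the endpoint needs explicitly.` The diffstat shown here (limited to actionpack) lists no changelog file, so a changelog entry appears to be missing as well. The enclosing class starts outside the hunk.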
diff --git a/actionpack/test/controller/base_test.rb b/actionpack/test/controller/base_test.rb
index 42a5157010..4e969fac07 100644
--- a/actionpack/test/controller/base_test.rb
+++ b/actionpack/test/controller/base_test.rb
@@ -11,6 +11,12 @@ end
class EmptyController < ActionController::Base
end
+class SimpleController < ActionController::Base
+ def hello
+ self.response_body = "hello"
+ end
+end
+
class NonEmptyController < ActionController::Base
def public_action
head :ok
@@ -118,6 +124,27 @@ class ControllerInstanceTests < ActiveSupport::TestCase
controller = klass.new
assert_equal "examples", controller.controller_path
end
+
+ def test_response_has_default_headers
+ original_default_headers = ActionDispatch::Response.default_headers
+
+ ActionDispatch::Response.default_headers = {
+ "X-Frame-Options" => "DENY",
+ "X-Content-Type-Options" => "nosniff",
+ "X-XSS-Protection" => "1;"
+ }
+
+ response_headers = SimpleController.action("hello").call(
+ "REQUEST_METHOD" => "GET",
+ "rack.input" => -> {}
+ )[1]
+
+ assert response_headers.key?("X-Frame-Options")
+ assert response_headers.key?("X-Content-Type-Options")
+ assert response_headers.key?("X-XSS-Protection")
+ ensure
+ ActionDispatch::Response.default_headers = original_default_headers
+ end
end
class PerformActionTest < ActionController::TestCase
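Review bot: The three assertions in `test_response_has_default_headers` only check `key?`, so the test still passes if a header is present with an empty or different value from the one configured a few lines above. Comparing values pins the behaviour that matters for the security headers, e.g. `assert_equal "DENY", response_headers["X-Frame-Options"]` and `assert_equal "nosniff", response_headers["X-Content-Type-Options"]`. The enclosing test class starts outside the hunk.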
diff --git a/actionpack/test/controller/metal_test.rb b/actionpack/test/controller/metal_test.rb
new file mode 100644
index 0000000000..e16452ed6f
--- /dev/null
+++ b/actionpack/test/controller/metal_test.rb
@@ -0,0 +1,30 @@
+require "abstract_unit"
+
+class MetalControllerInstanceTests < ActiveSupport::TestCase
+ class SimpleController < ActionController::Metal
+ def hello
+ self.response_body = "hello"
+ end
+ end
+
+ def test_response_has_default_headers
+ original_default_headers = ActionDispatch::Response.default_headers
+
+ ActionDispatch::Response.default_headers = {
+ "X-Frame-Options" => "DENY",
+ "X-Content-Type-Options" => "nosniff",
+ "X-XSS-Protection" => "1;"
+ }
+
+ response_headers = SimpleController.action("hello").call(
+ "REQUEST_METHOD" => "GET",
+ "rack.input" => -> {}
+ )[1]
+
+ refute response_headers.key?("X-Frame-Options")
+ refute response_headers.key?("X-Content-Type-Options")
+ refute response_headers.key?("X-XSS-Protection")
+ ensure
+ ActionDispatch::Response.default_headers = original_default_headers
+ end
+end
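Review bot: The test is named `test_response_has_default_headers` but its body uses `refute` on all three headers, so the name states the opposite of what is verified and matches the Base test's name exactly. A failure report or a grep for the name would suggest Metal is expected to send the headers. Renaming it to `def test_response_does_not_have_default_headers` makes the intended contract readable from the test list alone.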