aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--actionpack/CHANGELOG.md5
-rw-r--r--actionpack/lib/action_dispatch/railtie.rb4
-rw-r--r--actionpack/test/controller/metal_test.rb2
-rw-r--r--actionpack/test/dispatch/response_test.rb8
4 files changed, 15 insertions, 4 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 753dd8589a..209066ae07 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
+ default headers set.
+
+ *Guillermo Iguaran*
+
* Add headless firefox support to System Tests.
*bogdanvlviv*
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 855f2ffa47..95e99987a0 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -26,7 +26,9 @@ module ActionDispatch
config.action_dispatch.default_headers = {
"X-Frame-Options" => "SAMEORIGIN",
"X-XSS-Protection" => "1; mode=block",
- "X-Content-Type-Options" => "nosniff"
+ "X-Content-Type-Options" => "nosniff",
+ "X-Download-Options" => "noopen",
+ "X-Permitted-Cross-Domain-Policies" => "none"
}
config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
diff --git a/actionpack/test/controller/metal_test.rb b/actionpack/test/controller/metal_test.rb
index c235c9df86..c3ebcb22b8 100644
--- a/actionpack/test/controller/metal_test.rb
+++ b/actionpack/test/controller/metal_test.rb
@@ -9,7 +9,7 @@ class MetalControllerInstanceTests < ActiveSupport::TestCase
end
end
- def test_response_has_default_headers
+ def test_response_does_not_have_default_headers
original_default_headers = ActionDispatch::Response.default_headers
ActionDispatch::Response.default_headers = {
diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb
index c4ee3add2a..4e350162c9 100644
--- a/actionpack/test/dispatch/response_test.rb
+++ b/actionpack/test/dispatch/response_test.rb
@@ -311,13 +311,15 @@ class ResponseTest < ActiveSupport::TestCase
end
end
- test "read x_frame_options, x_content_type_options and x_xss_protection" do
+ test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do
original_default_headers = ActionDispatch::Response.default_headers
begin
ActionDispatch::Response.default_headers = {
"X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff",
- "X-XSS-Protection" => "1;"
+ "X-XSS-Protection" => "1;",
+ "X-Download-Options" => "noopen",
+ "X-Permitted-Cross-Domain-Policies" => "none"
}
resp = ActionDispatch::Response.create.tap { |response|
response.body = "Hello"
@@ -327,6 +329,8 @@ class ResponseTest < ActiveSupport::TestCase
assert_equal("DENY", resp.headers["X-Frame-Options"])
assert_equal("nosniff", resp.headers["X-Content-Type-Options"])
assert_equal("1;", resp.headers["X-XSS-Protection"])
+ assert_equal("noopen", resp.headers["X-Download-Options"])
+ assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
ensure
ActionDispatch::Response.default_headers = original_default_headers
end