From 2a290f7f7cdf775491eda05b3690be6d96cd9bf6 Mon Sep 17 00:00:00 2001 From: Egor Homakov Date: Thu, 9 Aug 2012 16:45:30 +0300 Subject: introduce default_headers config --- actionpack/lib/action_dispatch/http/response.rb | 5 +++++ actionpack/lib/action_dispatch/railtie.rb | 1 + .../lib/rails/generators/rails/app/templates/config/application.rb | 5 +++++ 3 files changed, 11 insertions(+) diff --git a/actionpack/lib/action_dispatch/http/response.rb b/actionpack/lib/action_dispatch/http/response.rb index d336808e7c..5014ad80aa 100644 --- a/actionpack/lib/action_dispatch/http/response.rb +++ b/actionpack/lib/action_dispatch/http/response.rb @@ -58,6 +58,7 @@ module ActionDispatch # :nodoc: LOCATION = "Location".freeze cattr_accessor(:default_charset) { "utf-8" } + cattr_accessor(:default_headers) include Rack::Response::Helpers include ActionDispatch::Http::Cache::Response @@ -96,6 +97,10 @@ module ActionDispatch # :nodoc: def initialize(status = 200, header = {}, body = []) super() + if self.class.default_headers.respond_to?(:merge) + header = self.class.default_headers.merge(header) + end + self.body, self.header, self.status = body, header, status @sending_file = false diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb index 62f906219c..e7f3f07390 100644 --- a/actionpack/lib/action_dispatch/railtie.rb +++ b/actionpack/lib/action_dispatch/railtie.rb @@ -23,6 +23,7 @@ module ActionDispatch ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header ActionDispatch::Response.default_charset = app.config.action_dispatch.default_charset || app.config.encoding + ActionDispatch::Response.default_headers = app.config.action_dispatch.default_headers ActionDispatch::ExceptionWrapper.rescue_responses.merge!(config.action_dispatch.rescue_responses) ActionDispatch::ExceptionWrapper.rescue_templates.merge!(config.action_dispatch.rescue_templates) diff --git a/railties/lib/rails/generators/rails/app/templates/config/application.rb b/railties/lib/rails/generators/rails/app/templates/config/application.rb index 1ee90e88f2..f20dd78031 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/application.rb +++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb @@ -41,6 +41,11 @@ module <%= app_const_base %> # Configure sensitive parameters which will be filtered from the log file. config.filter_parameters += [:password] + config.action_dispatch.default_headers = { + 'X-Frame-Options' => 'SAMEORIGIN', + 'X-XSS-Protection' => '1; mode=block' + } + # Use SQL instead of Active Record's schema dumper when creating the database. # This is necessary if your schema can't be completely dumped by the schema dumper, # like if you have constraints or database-specific column types. -- cgit v1.2.3 From 98c18d0058a01e47f3acb10b3a105d79bd1597bf Mon Sep 17 00:00:00 2001 From: Egor Homakov Date: Thu, 9 Aug 2012 17:12:11 +0300 Subject: some tests --- actionpack/test/dispatch/response_test.rb | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb index e2903d4b36..71609d7340 100644 --- a/actionpack/test/dispatch/response_test.rb +++ b/actionpack/test/dispatch/response_test.rb @@ -176,6 +176,33 @@ class ResponseTest < ActiveSupport::TestCase ActionDispatch::Response.default_charset = original end end + + test "read x_frame_options and x_xss_protection" do + ActionDispatch::Response.default_headers = { + 'X-Frame-Options' => 'DENY', + 'X-XSS-Protection' => '1;' + } + resp = ActionDispatch::Response.new.tap { |response| + response.body = 'Hello' + } + resp.to_a + + assert_equal('DENY', resp.headers['X-Frame-Options']) + assert_equal('1;', resp.headers['X-XSS-Protection']) + end + + test "read custom default_header" do + ActionDispatch::Response.default_headers = { + 'X-XX-XXXX' => 'Here is my phone number' + } + resp = ActionDispatch::Response.new.tap { |response| + response.body = 'Hello' + } + resp.to_a + + assert_equal('Here is my phone number', resp.headers['X-XX-XXXX']) + end + end class ResponseIntegrationTest < ActionDispatch::IntegrationTest -- cgit v1.2.3