From c347236ce9feb8e92e0543e3c51a9bcccf319a9c Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Fri, 10 Aug 2012 21:11:56 -0500
Subject: Move AD default_headers configurations to railtie

ActionDispatch railtie is a better place for
config.action_dispatch.default_headers settings, users can continue
overriding those settings in their configuration files if needed.
---
 actionpack/lib/action_dispatch/railtie.rb                            | 5 +++++
 .../lib/rails/generators/rails/app/templates/config/application.rb   | 5 -----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index e7f3f07390..0dcf1fc4fe 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -19,6 +19,11 @@ module ActionDispatch
       :verbose => false
     }
 
+    config.action_dispatch.default_headers = {
+      'X-Frame-Options' => 'SAMEORIGIN',
+      'X-XSS-Protection' => '1; mode=block'
+    }
+
     initializer "action_dispatch.configure" do |app|
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
       ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
diff --git a/railties/lib/rails/generators/rails/app/templates/config/application.rb b/railties/lib/rails/generators/rails/app/templates/config/application.rb
index a952ff7fb0..b2b760ee7b 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/application.rb
+++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -41,11 +41,6 @@ module <%= app_const_base %>
     # Configure sensitive parameters which will be filtered from the log file.
     config.filter_parameters += [:password]
 
-    config.action_dispatch.default_headers = {
-        'X-Frame-Options' => 'SAMEORIGIN',
-        'X-XSS-Protection' => '1; mode=block'
-    }
-
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,
     # like if you have constraints or database-specific column types.
-- 
cgit v1.2.3


From 684b6482e4f9d966dfa088b53507847492a023c3 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Fri, 10 Aug 2012 21:41:57 -0500
Subject: Add doc for config.action_dispatch.default_headers

Add documentation for config.action_dispatch.default_headers to
Rails Configuring guide.
---
 guides/source/configuring.textile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/guides/source/configuring.textile b/guides/source/configuring.textile
index 513e3a2b2b..5ed3ad4a6b 100644
--- a/guides/source/configuring.textile
+++ b/guides/source/configuring.textile
@@ -338,6 +338,12 @@ h4. Configuring Action Dispatch
 
 * +config.action_dispatch.session_store+ sets the name of the store for session data. The default is +:cookie_store+; other valid options include +:active_record_store+, +:mem_cache_store+ or the name of your own custom class.
 
+* +config.action_dispatch.default_headers+ is a hash with HTTP headers that are set by default in each response. By default, this is defined as:
+
+<ruby>
+config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block' }
+</ruby>
+
 * +config.action_dispatch.tld_length+ sets the TLD (top-level domain) length for the application. Defaults to +1+.
 
 * +ActionDispatch::Callbacks.before+ takes a block of code to run before the request.
-- 
cgit v1.2.3