From 4848bf321b34cc06990bf6e3e10cbadaf992bc37 Mon Sep 17 00:00:00 2001
From: Jim Jones
Date: Sat, 18 Aug 2012 15:29:58 -0700
Subject: Added X-Content-Type-Options to the header defaults. With a value of "nosniff", this prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
---
 actionpack/test/dispatch/response_test.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'actionpack/test/dispatch')
diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb
index 71609d7340..4d699bd739 100644
--- a/actionpack/test/dispatch/response_test.rb
+++ b/actionpack/test/dispatch/response_test.rb
@@ -177,9 +177,10 @@ class ResponseTest < ActiveSupport::TestCase
 end
 end
- test "read x_frame_options and x_xss_protection" do
+ test "read x_frame_options, x_content_type_options and x_xss_protection" do
 ActionDispatch::Response.default_headers = {
 'X-Frame-Options' => 'DENY',
+ 'X-Content-Type-Options' => 'nosniff',
 'X-XSS-Protection' => '1;'
 }
 resp = ActionDispatch::Response.new.tap { |response|
@@ -188,6 +189,7 @@ class ResponseTest < ActiveSupport::TestCase
 resp.to_a
 assert_equal('DENY', resp.headers['X-Frame-Options'])
+ assert_equal('nosniff', resp.headers['X-Content-Type-Options'])
 assert_equal('1;', resp.headers['X-XSS-Protection'])
 end
-- cgit v1.2.3
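Review bot: The new `assert_equal('nosniff', resp.headers['X-Content-Type-Options'])` in the second hunk only checks that a value the test itself assigned to `default_headers` in the first hunk is copied onto the response, so it would still pass if the framework stopped shipping `nosniff` by default. The change to the defaults is outside this path-limited view and may carry its own test; if it does not, an assertion made without assigning `default_headers` first would pin the behaviour the commit subject describes. The test also overwrites the class-level `ActionDispatch::Response.default_headers` and no restore is visible (the test body spans both hunks and two lines between them are not shown), so the extra header may leak into later tests; saving the previous value and resetting it in an `ensure` would keep the test isolated.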