From 4848bf321b34cc06990bf6e3e10cbadaf992bc37 Mon Sep 17 00:00:00 2001 From: Jim Jones Date: Sat, 18 Aug 2012 15:29:58 -0700 Subject: [PATCH] Added X-Content-Type-Options to the header defaults. With a value of "nosniff", this prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. --- actionpack/CHANGELOG.md | 5 +++-- actionpack/lib/action_dispatch/railtie.rb | 3 ++- actionpack/test/dispatch/response_test.rb | 4 +++- guides/source/configuring.textile | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 95fc79b791..095957e1a2 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -51,8 +51,9 @@ *Richard Schneeman* -* Add 'X-Frame-Options' => 'SAMEORIGIN' and - 'X-XSS-Protection' => '1; mode=block' +* Add 'X-Frame-Options' => 'SAMEORIGIN' + 'X-XSS-Protection' => '1; mode=block' and + 'X-Content-Type-Options' => 'nosniff' as default headers. *Egor Homakov* diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb index 0dcf1fc4fe..5aad8dd23a 100644 --- a/actionpack/lib/action_dispatch/railtie.rb +++ b/actionpack/lib/action_dispatch/railtie.rb @@ -21,7 +21,8 @@ module ActionDispatch config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', - 'X-XSS-Protection' => '1; mode=block' + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff' } initializer "action_dispatch.configure" do |app| diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb index 71609d7340..4d699bd739 100644 --- a/actionpack/test/dispatch/response_test.rb +++ b/actionpack/test/dispatch/response_test.rb @@ -177,9 +177,10 @@ class ResponseTest < ActiveSupport::TestCase end end - test "read x_frame_options and x_xss_protection" do + test "read x_frame_options, x_content_type_options and x_xss_protection" do ActionDispatch::Response.default_headers = { 'X-Frame-Options' => 'DENY', + 'X-Content-Type-Options' => 'nosniff', 'X-XSS-Protection' => '1;' } resp = ActionDispatch::Response.new.tap { |response| @@ -188,6 +189,7 @@ class ResponseTest < ActiveSupport::TestCase resp.to_a assert_equal('DENY', resp.headers['X-Frame-Options']) + assert_equal('nosniff', resp.headers['X-Content-Type-Options']) assert_equal('1;', resp.headers['X-XSS-Protection']) end diff --git a/guides/source/configuring.textile b/guides/source/configuring.textile index 5ed3ad4a6b..c29b70ad5b 100644 --- a/guides/source/configuring.textile +++ b/guides/source/configuring.textile @@ -341,7 +341,7 @@ h4. Configuring Action Dispatch * +config.action_dispatch.default_headers+ is a hash with HTTP headers that are set by default in each response. By default, this is defined as: -config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block' } +config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff' } * +config.action_dispatch.tld_length+ sets the TLD (top-level domain) length for the application. Defaults to +1+.