Include default headers by default in API mode

ActionDispatch's default headers are now moved into their own module that are by default included in both Base and API. This allows API-mode applications to take advantage of the default security headers, as well as providing an easy way to add more.
2018-04-06 15:13:28 -04:00 · 2018-04-06 15:13:28 -04:00 · f22bc41a92
parent 03bd370c02
commit f22bc41a92
5 changed files with 24 additions and 6 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -1,3 +1,7 @@
+*   Move default headers configuration into their own module that can be included in controllers.
+
+    *Kevin Deisz*
+
 *   Add method `dig` to `session`.

    *claudiob*, *Takumi Shotoku*
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@ -25,6 +25,7 @@ module ActionController
    autoload :ContentSecurityPolicy
    autoload :Cookies
    autoload :DataStreaming
+    autoload :DefaultHeaders
    autoload :EtagWithTemplateDigest
    autoload :EtagWithFlash
    autoload :Flash
--- a/actionpack/lib/action_controller/api.rb
+++ b/actionpack/lib/action_controller/api.rb
@ -122,6 +122,7 @@ module ActionController

      ForceSSL,
      DataStreaming,
+      DefaultHeaders,

      # Before callbacks should also be executed as early as possible, so
      # also include them at the bottom.
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@ -232,6 +232,7 @@ module ActionController
      HttpAuthentication::Basic::ControllerMethods,
      HttpAuthentication::Digest::ControllerMethods,
      HttpAuthentication::Token::ControllerMethods,
+      DefaultHeaders,

      # Before callbacks should also be executed as early as possible, so
      # also include them at the bottom.
@ -264,12 +265,6 @@ module ActionController
      PROTECTED_IVARS
    end

-    def self.make_response!(request)
-      ActionDispatch::Response.create.tap do |res|
-        res.request = request
-      end
-    end
-
    ActiveSupport.run_load_hooks(:action_controller_base, self)
    ActiveSupport.run_load_hooks(:action_controller, self)
  end
--- a/actionpack/lib/action_controller/metal/default_headers.rb
+++ b/actionpack/lib/action_controller/metal/default_headers.rb
@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module ActionController
+  # Allows configuring default headers that will be automatically merged into
+  # each response.
+  module DefaultHeaders
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def make_response!(request)
+        ActionDispatch::Response.create.tap do |res|
+          res.request = request
+        end
+      end
+    end
+  end
+end