require 'rack/protection'
module Rack
module Protection
##
# Prevented attack:: Clickjacking
# Supported browsers:: Internet Explorer 8, Firefox 3.6.9, Opera 10.50,
# Safari 4.0, Chrome 4.1.249.1042 and later
# More info:: https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
#
# Sets the X-Frame-Options header to tell the browser to avoid embedding the page
# in a frame.
#
# Options:
#
# frame_options:: Defines who should be allowed to embed the page in a
# frame. Use :deny to forbid any embedding, :sameorigin
# to allow embedding from the same origin (default).
class FrameOptions < Base
  default_options :frame_options => :sameorigin

  # The header value derived from the :frame_options option, computed
  # once per middleware instance and cached in @frame_options.
  #
  # A string-like value (anything responding to #to_str) is used verbatim,
  # so a custom directive reaches the browser unchanged. Any other value
  # (the symbols :sameorigin / :deny in the documented usage) is
  # stringified and upcased, e.g. :sameorigin => "SAMEORIGIN".
  #
  # No validation is performed here: whatever the option yields is what
  # gets sent, so a misspelled option value silently produces an
  # unrecognized header value.
  #
  # @return [String] the X-Frame-Options header value
  def frame_options
    @frame_options ||= begin
      raw = options[:frame_options]
      as_string = raw.respond_to?(:to_str) ? raw : raw.to_s.upcase
      as_string.to_str
    end
  end

  # Rack entry point. Calls the wrapped app, then adds X-Frame-Options to
  # responses for which the inherited html? predicate (defined in Base,
  # not shown here) returns true. An X-Frame-Options header already set
  # by the app is left untouched (||=), so downstream code can opt out or
  # override per response.
  #
  # @param env [Hash] the Rack environment
  # @return [Array] the (status, headers, body) triple
  def call(env)
    status, headers, body = @app.call(env)
    if html?(headers)
      headers['X-Frame-Options'] ||= frame_options
    end
    [status, headers, body]
  end
end
end
end