mirror of
https://github.com/sinatra/sinatra
synced 2023-03-27 23:18:01 -04:00
Merge pull request #26 from send/x-content-type-options
X-Content-Type-Options feature
This commit is contained in:
commit
47c9f73934
2 changed files with 25 additions and 2 deletions
|
@ -12,10 +12,15 @@ module Rack
|
|||
# Options:
|
||||
# xss_mode:: How the browser should prevent the attack (default: :block)
|
||||
class XSSHeader < Base
|
||||
default_options :xss_mode => :block
|
||||
default_options :xss_mode => :block, :nosniff => true
|
||||
|
||||
def header
|
||||
{ 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" }
|
||||
headers = {
|
||||
'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
|
||||
'X-Content-Type-Options' => "nosniff"
|
||||
}
|
||||
headers.delete("X-Content-Type-Options") unless options[:nosniff]
|
||||
headers
|
||||
end
|
||||
|
||||
def call(env)
|
||||
|
|
|
@ -21,4 +21,22 @@ describe Rack::Protection::XSSHeader do
|
|||
mock_app with_headers("X-XSS-Protection" => "0")
|
||||
get('/').headers["X-XSS-Protection"].should == "0"
|
||||
end
|
||||
|
||||
it 'should set the X-Content-Type-Options' do
|
||||
get('/').header["X-Content-Type-Options"].should == "nosniff"
|
||||
end
|
||||
|
||||
it 'should allow changing the nosniff-mode off' do
|
||||
mock_app do
|
||||
use Rack::Protection::XSSHeader, :nosniff => false
|
||||
run DummyApp
|
||||
end
|
||||
|
||||
get('/').headers["X-Content-Type-Options"].should be_nil
|
||||
end
|
||||
|
||||
it 'should not override the header if already set X-Content-Type-Options' do
|
||||
mock_app with_headers("X-Content-Type-Options" => "sniff")
|
||||
get('/').headers["X-Content-Type-Options"].should == "sniff"
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue