kotovalexarian-likes-github/sinatra
1
0
Fork 0
mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00
Code Releases Activity

Merge pull request #26 from send/x-content-type-options

Browse source 
X-Content-Type-Options feature
This commit is contained in:
Konstantin Haase 2012-06-28 05:13:57 -07:00
commit 47c9f73934
2 changed files with 25 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
rack-protection/lib/rack/protection/xss_header.rb
View file

@ -12,10 +12,15 @@ module Rack
# Options: # Options:
# xss_mode:: How the browser should prevent the attack (default: :block) # xss_mode:: How the browser should prevent the attack (default: :block)
class XSSHeader < Base class XSSHeader < Base
default_options :xss_mode => :block default_options :xss_mode => :block, :nosniff => true
def header def header
{ 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" } headers = {
'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
'X-Content-Type-Options' => "nosniff"
}
headers.delete("X-Content-Type-Options") unless options[:nosniff]
headers
end end
def call(env) def call(env)

18
rack-protection/spec/xss_header_spec.rb
View file

@ -21,4 +21,22 @@ describe Rack::Protection::XSSHeader do
mock_app with_headers("X-XSS-Protection" => "0") mock_app with_headers("X-XSS-Protection" => "0")
get('/').headers["X-XSS-Protection"].should == "0" get('/').headers["X-XSS-Protection"].should == "0"
end end
it 'should set the X-Content-Type-Options' do
get('/').header["X-Content-Type-Options"].should == "nosniff"
end
it 'should allow changing the nosniff-mode off' do
mock_app do
use Rack::Protection::XSSHeader, :nosniff => false
run DummyApp
end
get('/').headers["X-Content-Type-Options"].should be_nil
end
it 'should not override the header if already set X-Content-Type-Options' do
mock_app with_headers("X-Content-Type-Options" => "sniff")
get('/').headers["X-Content-Type-Options"].should == "sniff"
end
end end