1
0
Fork 0
mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00

Merge pull request #26 from send/x-content-type-options

X-Content-Type-Options feature
This commit is contained in:
Konstantin Haase 2012-06-28 05:13:57 -07:00
commit 47c9f73934
2 changed files with 25 additions and 2 deletions

View file

@ -12,10 +12,15 @@ module Rack
# Options:
# xss_mode:: How the browser should prevent the attack (default: :block)
class XSSHeader < Base
default_options :xss_mode => :block
default_options :xss_mode => :block, :nosniff => true
def header
{ 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" }
headers = {
'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
'X-Content-Type-Options' => "nosniff"
}
headers.delete("X-Content-Type-Options") unless options[:nosniff]
headers
end
def call(env)

View file

@ -21,4 +21,22 @@ describe Rack::Protection::XSSHeader do
mock_app with_headers("X-XSS-Protection" => "0")
get('/').headers["X-XSS-Protection"].should == "0"
end
it 'should set the X-Content-Type-Options' do
get('/').header["X-Content-Type-Options"].should == "nosniff"
end
it 'should allow changing the nosniff-mode off' do
mock_app do
use Rack::Protection::XSSHeader, :nosniff => false
run DummyApp
end
get('/').headers["X-Content-Type-Options"].should be_nil
end
it 'should not override the header if already set X-Content-Type-Options' do
mock_app with_headers("X-Content-Type-Options" => "sniff")
get('/').headers["X-Content-Type-Options"].should == "sniff"
end
end