use upper case for frame options, fixes #25

rack-protection/lib/rack/protection/frame_options.rb

@@ -18,8 +18,13 @@ module Rack
     #                 to allow embedding from the same origin (default).
     class FrameOptions < XSSHeader
       default_options :frame_options => :sameorigin
+
       def header
-        { 'X-Frame-Options' => options[:frame_options].to_s }
+        @header ||= begin
+          frame_options = options[:frame_options]
+          frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
+          { 'X-Frame-Options' => frame_options.to_str }
+        end
       end
     end
   end

rack-protection/spec/frame_options_spec.rb

@@ -4,7 +4,7 @@ describe Rack::Protection::FrameOptions do
   it_behaves_like "any rack application"
 
   it 'should set the X-Frame-Options' do
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "sameorigin"
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "SAMEORIGIN"
   end
 
   it 'should not set the X-Frame-Options for other content types' do
@@ -18,7 +18,18 @@ describe Rack::Protection::FrameOptions do
       run DummyApp
     end
 
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "deny"
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "DENY"
+  end
+
+
+  it 'should allow changing the protection mode to a string' do
+    # I have no clue what other modes are available
+    mock_app do
+      use Rack::Protection::FrameOptions, :frame_options => "ALLOW-FROM foo"
+      run DummyApp
+    end
+
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "ALLOW-FROM foo"
   end
 
   it 'should not override the header if already set' do