From 4c74529929bc53b1dfbdce54229916219cc03885 Mon Sep 17 00:00:00 2001 From: Konstantin Haase Date: Mon, 10 Dec 2012 16:48:21 +0100 Subject: [PATCH] use upper case for frame options, fixes #25 --- .../lib/rack/protection/frame_options.rb | 7 ++++++- rack-protection/spec/frame_options_spec.rb | 15 +++++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/rack-protection/lib/rack/protection/frame_options.rb b/rack-protection/lib/rack/protection/frame_options.rb index 4f2ff686..2939748b 100644 --- a/rack-protection/lib/rack/protection/frame_options.rb +++ b/rack-protection/lib/rack/protection/frame_options.rb @@ -18,8 +18,13 @@ module Rack # to allow embedding from the same origin (default). class FrameOptions < XSSHeader default_options :frame_options => :sameorigin + def header - { 'X-Frame-Options' => options[:frame_options].to_s } + @header ||= begin + frame_options = options[:frame_options] + frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str + { 'X-Frame-Options' => frame_options.to_str } + end end end end diff --git a/rack-protection/spec/frame_options_spec.rb b/rack-protection/spec/frame_options_spec.rb index 7f0616fe..a34ab0ad 100644 --- a/rack-protection/spec/frame_options_spec.rb +++ b/rack-protection/spec/frame_options_spec.rb @@ -4,7 +4,7 @@ describe Rack::Protection::FrameOptions do it_behaves_like "any rack application" it 'should set the X-Frame-Options' do - get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "sameorigin" + get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "SAMEORIGIN" end it 'should not set the X-Frame-Options for other content types' do 
@@ -18,7 +18,18 @@ describe Rack::Protection::FrameOptions do
 run DummyApp
 end
 
- get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "deny"
+ get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "DENY"
+ end
+
+
+ it 'should allow changing the protection mode to a string' do
+ # I have no clue what other modes are available
+ mock_app do
+ use Rack::Protection::FrameOptions, :frame_options => "ALLOW-FROM foo"
+ run DummyApp
+ end
+
+ get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "ALLOW-FROM foo"
 end
 
 it 'should not override the header if already set' do
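Review bot: The comment `# I have no clue what other modes are available` on the new example leaves the next reader as uninformed as the author; replace it with one that names the directives, so the `"ALLOW-FROM foo"` fixture is recognisably one of them, e.g. `# X-Frame-Options takes DENY, SAMEORIGIN or "ALLOW-FROM <origin>" (RFC 7034); a String value is passed through unchanged.` The fixture's `foo` is not a real origin, which is fine for exercising pass-through but worth stating in the example name, e.g. `it 'should pass a string frame option through unchanged'`. Minor: two blank lines are inserted between the DENY example and the new `it`, while the rest of the file uses one.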