kotovalexarian-likes-github
/
sinatra
mirror of https://github.com/sinatra/sinatra
1
0
Fork 0
Code Releases Activity

rework protection headers, fixes #40

This commit is contained in:
Konstantin Haase 2013-03-01 15:36:05 +11:00
parent 45581679fe
commit 65cf3fd59b
3 changed files with 18 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
rack-protection/lib/rack/protection/frame_options.rb
View File

@ -16,16 +16,22 @@ module Rack
# frame_options:: Defines who should be allowed to embed the page in a # frame_options:: Defines who should be allowed to embed the page in a
# frame. Use :deny to forbid any embedding, :sameorigin # frame. Use :deny to forbid any embedding, :sameorigin
# to allow embedding from the same origin (default). # to allow embedding from the same origin (default).
class FrameOptions < XSSHeader class FrameOptions < Base
default_options :frame_options => :sameorigin default_options :frame_options => :sameorigin
def header def frame_options
@header ||= begin @frame_options ||= begin
frame_options = options[:frame_options] frame_options = options[:frame_options]
frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
{ 'X-Frame-Options' => frame_options.to_str } frame_options.to_str
end end
end end
def call(env)
status, headers, body = @app.call(env)
headers['X-Frame-Options'] ||= frame_options if html? headers
[status, headers, body]
end
end end
end end
end end

12
rack-protection/lib/rack/protection/xss_header.rb
View File

@ -14,18 +14,10 @@ module Rack
class XSSHeader < Base class XSSHeader < Base
default_options :xss_mode => :block, :nosniff => true default_options :xss_mode => :block, :nosniff => true
def header
headers = {
'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
'X-Content-Type-Options' => "nosniff"
}
headers.delete("X-Content-Type-Options") unless options[:nosniff]
headers
end
def call(env) def call(env)
status, headers, body = @app.call(env) status, headers, body = @app.call(env)
headers = header.merge(headers) if options[:nosniff] and html?(headers) headers['X-XSS-Protection'] ||= "1; mode=#{options[:xss_mode]}" if html? headers
headers['X-Content-Type-Options'] ||= 'nosniff' if options[:nosniff]
[status, headers, body] [status, headers, body]
end end
end end

6
rack-protection/spec/xss_header_spec.rb
View File

@ -34,6 +34,12 @@ describe Rack::Protection::XSSHeader do
get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff" get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
end end
it 'should set the X-Content-Type-Options for other content types' do
get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
end
it 'should allow changing the nosniff-mode off' do it 'should allow changing the nosniff-mode off' do
mock_app do mock_app do
use Rack::Protection::XSSHeader, :nosniff => false use Rack::Protection::XSSHeader, :nosniff => false