提交 5d7b70f4 编写于 作者: G Guillermo Iguaran

Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to default headers set.

上级 55d4cf2a
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
default headers set.
*Guillermo Iguaran*
* Add headless firefox support to System Tests. * Add headless firefox support to System Tests.
*bogdanvlviv* *bogdanvlviv*
......
...@@ -26,7 +26,9 @@ class Railtie < Rails::Railtie # :nodoc: ...@@ -26,7 +26,9 @@ class Railtie < Rails::Railtie # :nodoc:
config.action_dispatch.default_headers = { config.action_dispatch.default_headers = {
"X-Frame-Options" => "SAMEORIGIN", "X-Frame-Options" => "SAMEORIGIN",
"X-XSS-Protection" => "1; mode=block", "X-XSS-Protection" => "1; mode=block",
"X-Content-Type-Options" => "nosniff" "X-Content-Type-Options" => "nosniff",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none"
} }
config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
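Review bot: The two new entries only reach applications that leave `config.action_dispatch.default_headers` untouched; because this is a plain hash assignment, an app that already assigns its own hash (for instance to change `X-Frame-Options`) replaces the whole set and silently keeps the old three-header baseline after upgrading. A short comment above the hash would make that explicit, e.g. `# Assigning this hash replaces the full set; apps that customise it must re-add the entries they want to keep.`, and the changelog entry could carry the same sentence for upgraders. The class body that holds this assignment starts before the hunk.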
......
...@@ -9,7 +9,7 @@ def hello ...@@ -9,7 +9,7 @@ def hello
end end
end end
def test_response_has_default_headers def test_response_does_not_have_default_headers
original_default_headers = ActionDispatch::Response.default_headers original_default_headers = ActionDispatch::Response.default_headers
ActionDispatch::Response.default_headers = { ActionDispatch::Response.default_headers = {
......
...@@ -311,13 +311,15 @@ def test_only_set_charset_still_defaults_to_text_html ...@@ -311,13 +311,15 @@ def test_only_set_charset_still_defaults_to_text_html
end end
end end
test "read x_frame_options, x_content_type_options and x_xss_protection" do test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do
original_default_headers = ActionDispatch::Response.default_headers original_default_headers = ActionDispatch::Response.default_headers
begin begin
ActionDispatch::Response.default_headers = { ActionDispatch::Response.default_headers = {
"X-Frame-Options" => "DENY", "X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff", "X-Content-Type-Options" => "nosniff",
"X-XSS-Protection" => "1;" "X-XSS-Protection" => "1;",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none"
} }
resp = ActionDispatch::Response.create.tap { |response| resp = ActionDispatch::Response.create.tap { |response|
response.body = "Hello" response.body = "Hello"
...@@ -327,6 +329,8 @@ def test_only_set_charset_still_defaults_to_text_html ...@@ -327,6 +329,8 @@ def test_only_set_charset_still_defaults_to_text_html
assert_equal("DENY", resp.headers["X-Frame-Options"]) assert_equal("DENY", resp.headers["X-Frame-Options"])
assert_equal("nosniff", resp.headers["X-Content-Type-Options"]) assert_equal("nosniff", resp.headers["X-Content-Type-Options"])
assert_equal("1;", resp.headers["X-XSS-Protection"]) assert_equal("1;", resp.headers["X-XSS-Protection"])
assert_equal("noopen", resp.headers["X-Download-Options"])
assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
ensure ensure
ActionDispatch::Response.default_headers = original_default_headers ActionDispatch::Response.default_headers = original_default_headers
end end
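Review bot: The two new `assert_equal` lines at the end of this section only confirm that a hash assigned to `ActionDispatch::Response.default_headers` is copied onto the response; since the test first overwrites the defaults with its own literal, it never checks that the railtie actually ships `X-Download-Options: noopen` and `X-Permitted-Cross-Domain-Policies: none`, so a regression in the railtie hash would pass this suite. A railties-side assertion such as `assert_equal "noopen", Rails.application.config.action_dispatch.default_headers["X-Download-Options"]` (or a check on a response from a booted app) would close that gap. The test name on the first hunk's opening line has also grown to five header names; `"read all configured default headers"` would say the same thing.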
......