From 34c8129356f96d6f2bfd5c2311008c76d08077fe Mon Sep 17 00:00:00 2001
From: Neil Matatall
Date: Wed, 30 Mar 2016 09:34:39 -1000
Subject: [PATCH] copy forward values so header cache regeneration carries forward overrides

---
 lib/secure_headers/configuration.rb | 8 ++++++++
 spec/lib/secure_headers/configuration_spec.rb | 8 ++++++++
 spec/lib/secure_headers_spec.rb | 19 ++++++++++++++++++-
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
index f4154dc4..0fca4e01 100644
--- a/lib/secure_headers/configuration.rb
+++ b/lib/secure_headers/configuration.rb
@@ -121,6 +121,13 @@ def dup
 copy.csp = self.class.send(:deep_copy_if_hash, @csp)
 copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
 copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
+ copy.x_content_type_options = @x_content_type_options
+ copy.hsts = @hsts
+ copy.x_frame_options = @x_frame_options
+ copy.x_xss_protection = @x_xss_protection
+ copy.x_download_options = @x_download_options
+ copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
+ copy.hpkp = @hpkp
 copy
 end
@@ -133,6 +140,7 @@ def opt_out(header)
 end
 def update_x_frame_options(value)
+ @x_frame_options = value
 self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
 end
diff --git a/spec/lib/secure_headers/configuration_spec.rb b/spec/lib/secure_headers/configuration_spec.rb
index 10fd4af2..24efdbbe 100644
--- a/spec/lib/secure_headers/configuration_spec.rb
+++ b/spec/lib/secure_headers/configuration_spec.rb
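Review bot: `copy.hpkp = @hpkp` on the last added line of the `dup` hunk copies the reference rather than the value, unlike the `deep_copy_if_hash` calls used for csp, dynamic_csp and cached_headers three lines above. If the HPKP setting is a hash (a pins configuration presumably is — not visible here), an override block that mutates it in place, say by appending a pin, would silently change the global default too, which defeats the isolation `dup` is meant to provide. Since `deep_copy_if_hash` appears to pass non-hash values through unchanged, `copy.hpkp = self.class.send(:deep_copy_if_hash, @hpkp)` is the consistent form and would do no harm on the other new lines either. The `dup` method starts before this hunk.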
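Review bot: In `update_x_frame_options` the new `@x_frame_options = value` runs before `XFrameOptions.make_header(value)`, so if `make_header` validates and raises on a bad value (its body is not visible here, so worth confirming) the instance variable is already overwritten with the rejected value while `cached_headers` keeps the old header, leaving the two out of step until the next `dup`. Building the header first avoids that: `header = XFrameOptions.make_header(value)`, `@x_frame_options = value`, `self.cached_headers[XFrameOptions::CONFIG_KEY] = header`. A one-line comment such as `# keep the raw value and the cached header in sync so dup carries both forward` would also tell the next maintainer why both assignments are needed.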
@@ -41,6 +41,14 @@ module SecureHeaders
 end
 end
+ it "regenerates cached headers when building an override" do
+ Configuration.override(:test_override) do |config|
+ config.x_content_type_options = OPT_OUT
+ end
+
+ expect(Configuration.get.cached_headers).to_not eq(Configuration.get(:test_override).cached_headers)
+ end
+
 it "stores an override of the global config" do
 Configuration.override(:test_override) do |config|
 config.x_frame_options = "DENY"
diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
index 770ea39d..db956e83 100644
--- a/spec/lib/secure_headers_spec.rb
+++ b/spec/lib/secure_headers_spec.rb
@@ -21,7 +21,7 @@ module SecureHeaders
 end
 describe "#header_hash_for" do
- it "allows you to opt out of individual headers" do
+ it "allows you to opt out of individual headers via API" do
 Configuration.default
 SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
 SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
@@ -31,6 +31,23 @@ module SecureHeaders
 expect(hash['X-Content-Type-Options']).to be_nil
 end
+ it "Carries options over when using overrides" do
+ Configuration.default do |config|
+ config.x_download_options = OPT_OUT
+ config.x_permitted_cross_domain_policies = OPT_OUT
+ end
+
+ Configuration.override(:api) do |config|
+ config.x_frame_options = OPT_OUT
+ end
+
+ SecureHeaders.use_secure_headers_override(request, :api)
+ hash = SecureHeaders.header_hash_for(request)
+ expect(hash['X-Download-Options']).to be_nil
+ expect(hash['X-Permitted-Cross-Domain-Policies']).to be_nil
+ expect(hash['X-Frame-Options']).to be_nil
+ end
+
 it "allows you to opt out entirely" do
 Configuration.default
 SecureHeaders.opt_out_of_all_protection(request)
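Review bot: The assertion in the new "regenerates cached headers when building an override" example only checks that the two `cached_headers` hashes differ, which a wrong regeneration would satisfy just as well; it does not pin the behaviour the commit title promises. Asserting on the specific key is stronger, e.g. `expect(Configuration.get(:test_override).cached_headers[XContentTypeOptions::CONFIG_KEY]).to be_nil` (or whatever `opt_out` leaves in that slot — its body is not visible here), paired with a check that `Configuration.get.cached_headers` still carries the default `X-Content-Type-Options` entry. The enclosing `describe` block starts before this hunk.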
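Review bot: The new "Carries options over when using overrides" example only checks that the three opted-out headers are absent, so it would also pass if the override dropped every header; it never asserts that a default setting that was not opted out survives the override, which is the carry-forward behaviour the commit is about. A positive check such as `expect(hash['X-Content-Type-Options']).to eq("nosniff")` (assuming that is the default this suite emits — the surrounding examples suggest defaults are otherwise present, but confirm) would actually pin it. The capitalised title is also out of step with the lowercase "allows you to ..." titles around it; `it "carries options over when using overrides" do` matches the file's style.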