Skip to content

Commit

Permalink
Merge pull request #239 from twitter/fix-regression-with-overrides
Browse files Browse the repository at this point in the history
Regression: overrides were not carrying configuration values forward
  • Loading branch information
oreoshake committed Mar 30, 2016
2 parents cd56394 + 34c8129 commit 96cd676
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 1 deletion.
8 changes: 8 additions & 0 deletions lib/secure_headers/configuration.rb
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,13 @@ def dup
copy.csp = self.class.send(:deep_copy_if_hash, @csp)
copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
copy.x_content_type_options = @x_content_type_options
copy.hsts = @hsts
copy.x_frame_options = @x_frame_options
copy.x_xss_protection = @x_xss_protection
copy.x_download_options = @x_download_options
copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
copy.hpkp = @hpkp
copy
end

Expand All @@ -133,6 +140,7 @@ def opt_out(header)
end

def update_x_frame_options(value)
@x_frame_options = value
self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
end

Expand Down
8 changes: 8 additions & 0 deletions spec/lib/secure_headers/configuration_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,14 @@ module SecureHeaders
end
end

it "regenerates cached headers when building an override" do
Configuration.override(:test_override) do |config|
config.x_content_type_options = OPT_OUT
end

expect(Configuration.get.cached_headers).to_not eq(Configuration.get(:test_override).cached_headers)
end

it "stores an override of the global config" do
Configuration.override(:test_override) do |config|
config.x_frame_options = "DENY"
Expand Down
19 changes: 18 additions & 1 deletion spec/lib/secure_headers_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ module SecureHeaders
end

describe "#header_hash_for" do
it "allows you to opt out of individual headers" do
it "allows you to opt out of individual headers via API" do
Configuration.default
SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
Expand All @@ -31,6 +31,23 @@ module SecureHeaders
expect(hash['X-Content-Type-Options']).to be_nil
end

it "Carries options over when using overrides" do
Configuration.default do |config|
config.x_download_options = OPT_OUT
config.x_permitted_cross_domain_policies = OPT_OUT
end

Configuration.override(:api) do |config|
config.x_frame_options = OPT_OUT
end

SecureHeaders.use_secure_headers_override(request, :api)
hash = SecureHeaders.header_hash_for(request)
expect(hash['X-Download-Options']).to be_nil
expect(hash['X-Permitted-Cross-Domain-Policies']).to be_nil
expect(hash['X-Frame-Options']).to be_nil
end

it "allows you to opt out entirely" do
Configuration.default
SecureHeaders.opt_out_of_all_protection(request)
Expand Down

0 comments on commit 96cd676

Please sign in to comment.