Merge pull request #235 from twitter/fix-opt-out-regression
Opting out of all protection would raise an exception because the idempotency check was wrong
oreoshake committed Mar 28, 2016
2 parents 171ca58 + 0358c8e commit 6399816
Showing 3 changed files with 3 additions and 0 deletions.
1 change: 1 addition & 0 deletions lib/secure_headers/configuration.rb
Expand Up @@ -71,6 +71,7 @@ def add_noop_configuration
ALL_HEADER_CLASSES.each do |klass|
config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
end
config.dynamic_csp = OPT_OUT
end

add_configuration(NOOP_CONFIGURATION, noop_config)
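
Review bot: config.dynamic_csp = OPT_OUT in add_noop_configuration is set by hand after the ALL_HEADER_CLASSES loop, and nothing says why this one key is not covered by the loop. A one-line comment stating the reason would help the next reader. If other configuration keys also sit outside ALL_HEADER_CLASSES, or are added later, iterating a named list of them here would keep the no-op configuration from silently missing one.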
1 change: 1 addition & 0 deletions lib/secure_headers/headers/policy_management.rb
Expand Up @@ -196,6 +196,7 @@ def validate_config!(config)
# additions = { script_src: %w(google.com)} then idempotent_additions? would return
# because google.com is already in the config.
def idempotent_additions?(config, additions)
return true if config == OPT_OUT && additions == OPT_OUT
return false if config == OPT_OUT
config == combine_policies(config, additions)
end
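
Review bot: in idempotent_additions?, the two OPT_OUT guards only cover config == OPT_OUT, so a non-OPT_OUT config with additions == OPT_OUT still falls through to combine_policies(config, additions). Please confirm combine_policies accepts OPT_OUT as its second argument, or add an explicit guard for that case. The comment above the method should also say what is returned when both sides are OPT_OUT, since it describes only the script_src example.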
1 change: 1 addition & 0 deletions spec/lib/secure_headers_spec.rb
Expand Up @@ -38,6 +38,7 @@ module SecureHeaders
ALL_HEADER_CLASSES.each do |klass|
expect(hash[klass::CONFIG_KEY]).to be_nil
end
expect(hash.count).to eq(0)
end

it "allows you to override X-Frame-Options settings" do
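
Review bot: the only spec line touched, expect(hash.count).to eq(0) after the ALL_HEADER_CLASSES loop, checks the resulting hash but does not call idempotent_additions? with OPT_OUT on both sides, which is the case the commit message names as the cause. A direct example asserting that this call returns true would pin the fix against regressions. expect(hash).to be_empty would also give a clearer failure message than comparing the count to 0.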