Merge pull request #235 from twitter/fix-opt-out-regression

Opting out of all protection would raise an exception because the idempotency check was wrong

Author: oreoshake

lib/secure_headers/configuration.rb

@@ -71,6 +71,7 @@ def add_noop_configuration
           ALL_HEADER_CLASSES.each do |klass|
             config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
           end
+          config.dynamic_csp = OPT_OUT
         end
 
         add_configuration(NOOP_CONFIGURATION, noop_config)

lib/secure_headers/headers/policy_management.rb

@@ -196,6 +196,7 @@ def validate_config!(config)
       # additions = { script_src: %w(google.com)} then idempotent_additions? would return
       # because google.com is already in the config.
       def idempotent_additions?(config, additions)
+        return true if config == OPT_OUT && additions == OPT_OUT
         return false if config == OPT_OUT
         config == combine_policies(config, additions)
       end

spec/lib/secure_headers_spec.rb

@@ -38,6 +38,7 @@ module SecureHeaders
         ALL_HEADER_CLASSES.each do |klass|
           expect(hash[klass::CONFIG_KEY]).to be_nil
         end
+        expect(hash.count).to eq(0)
       end
 
       it "allows you to override X-Frame-Options settings" do