1f4714c3f7
This header has been deprecated: the XSS auditor it triggered has been removed (in favour of Content Security Policy) from every major modern browser that ever implemented it, and Firefox never did. [OWASP](https://owasp.org/www-project-secure-headers/#x-xss-protection) suggests setting this header to '0' to explicitly disable the legacy auditor on old browsers, because the auditor itself can introduce additional security issues. Added the new behaviour as a framework default from Rails 7.0.
# frozen_string_literal: true
require "abstract_unit"
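class MetalControllerInstanceTests < ActiveSupport::TestCase
  # Minimal ActionController::Metal subclass with one action, used to observe
  # what a bare Metal controller does (and does not) put on its response.
  class SimpleController < ActionController::Metal
    def hello
      self.response_body = "hello"
    end
  end

  # Asserts that a bare ActionController::Metal response does NOT carry the
  # framework-wide ActionDispatch::Response.default_headers.
  #
  # Security-relevant caveat for practitioners: the headers configured here
  # (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) are the
  # browser-hardening defaults applied to ordinary controller responses. As
  # this test pins down, an endpoint built directly on Metal gets none of them,
  # so it must set any it needs itself.
  #
  # X-XSS-Protection is configured as "0": the legacy browser XSS auditor the
  # header enabled has been removed from modern browsers and is known to
  # introduce issues of its own on old ones, so it is explicitly disabled.
  def test_response_does_not_have_default_headers
    original_default_headers = ActionDispatch::Response.default_headers

    default_security_headers = {
      "X-Frame-Options" => "DENY",
      "X-Content-Type-Options" => "nosniff",
      "X-XSS-Protection" => "0"
    }
    ActionDispatch::Response.default_headers = default_security_headers

    # A Metal action is a Rack endpoint; element [1] of the triplet is the
    # response headers hash.
    response_headers = SimpleController.action("hello").call(
      "REQUEST_METHOD" => "GET",
      "rack.input" => -> { }
    )[1]

    # Check every configured default header rather than a hard-coded subset,
    # so extending the hash above is covered automatically, and name the
    # offending header on failure.
    default_security_headers.each_key do |header_name|
      assert_not response_headers.key?(header_name),
        "Metal controller response unexpectedly carried default header #{header_name}"
    end
  ensure
    # Always restore the process-global default headers so this test's
    # configuration cannot leak into other tests in the same run.
    ActionDispatch::Response.default_headers = original_default_headers
  end

  # A bare Metal controller's #inspect is the plain Object form
  # (#<ClassName:0x...>) with no request/response state appended.
  def test_inspect
    controller = SimpleController.new
    assert_match(/\A#<MetalControllerInstanceTests::SimpleController:0x[0-9a-f]+>\z/, controller.inspect)
  end
end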