Merge pull request #57 from reedloden/master

Send X-Content-Type-Options header to Chrome users as well (not just IE) and improve tests

fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb

@@ -29,6 +29,11 @@ describe OtherThingsController do
       response.headers['Strict-Transport-Security'].should == "max-age=315576000"
     end
 
+    it "sets the X-Content-Type-Options header" do
+      get :index
+      response.headers['X-Content-Type-Options'].should == "nosniff"
+    end
+
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"

fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb

@@ -33,6 +33,11 @@ describe ThingsController do
       response.headers['Strict-Transport-Security'].should == "max-age=315576000"
     end
 
+    it "sets the X-Content-Type-Options header" do
+      get :index
+      response.headers['X-Content-Type-Options'].should == "nosniff"
+    end
+
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"

fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb

@@ -29,11 +29,16 @@ describe OtherThingsController do
       response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
     end
 
+    it "sets the X-Content-Type-Options header" do
+      get :index
+      response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
+    end
+
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
-        response.headers['X-Content-Type-Options'].should == "nosniff"
+        response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
       end
     end
   end

fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb

@@ -33,11 +33,16 @@ describe ThingsController do
       response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
     end
 
+    it "sets the X-Content-Type-Options header" do
+      get :index
+      response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
+    end
+
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
-        response.headers['X-Content-Type-Options'].should == "nosniff"
+        response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
       end
     end
   end

lib/secure_headers.rb

@@ -85,7 +85,7 @@ module SecureHeaders
     end
 
     def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
-      return unless brwsr.ie?
+      return unless brwsr.ie? || brwsr.chrome?
       set_a_header(:x_content_type_options, XContentTypeOptions, options)
     end
 

lib/secure_headers/headers/x_xss_protection.rb

@@ -1,6 +1,5 @@
 module SecureHeaders
   class XXssProtectionBuildError < StandardError; end
-  # IE only
   class XXssProtection
     module Constants
       X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
@@ -51,4 +50,4 @@ module SecureHeaders
       end
     end
   end
-end
+end

spec/lib/secure_headers/headers/strict_transport_security_spec.rb

@@ -5,32 +5,11 @@ module SecureHeaders
     specify{ StrictTransportSecurity.new.name.should == "Strict-Transport-Security" }
 
     describe "#value" do
-      it "sets Strict Transport Security headers" do
-        s = StrictTransportSecurity.new
-        s.value.should == StrictTransportSecurity::Constants::DEFAULT_VALUE
-      end
-
-      it "allows you to specify includeSubdomains" do
-        s = StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
-        s.value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"
-      end
-
-      it "accepts a string value and returns verbatim" do
-        s = StrictTransportSecurity.new('max-age=1234')
-        s.value.should == "max-age=1234"
-      end
-
-      it "allows you to specify max-age" do
-        age = '8675309'
-        s = StrictTransportSecurity.new(:max_age => age)
-        s.value.should == "max-age=#{age}"
-      end
-
-      it "allows you to specify max-age as a Fixnum" do
-        age = 8675309
-        s = StrictTransportSecurity.new(:max_age => age)
-        s.value.should == "max-age=#{age}"
-      end
+      specify { StrictTransportSecurity.new.value.should == StrictTransportSecurity::Constants::DEFAULT_VALUE}
+      specify { StrictTransportSecurity.new("max-age=1234").value.should == "max-age=1234"}
+      specify { StrictTransportSecurity.new(:max_age => '1234').value.should == "max-age=1234"}
+      specify { StrictTransportSecurity.new(:max_age => 1234).value.should == "max-age=1234"}
+      specify { StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"}
 
       context "with an invalid configuration" do
         context "with a hash argument" do

spec/lib/secure_headers_spec.rb

@@ -80,10 +80,8 @@ describe SecureHeaders do
       it "sets all default headers for #{name} (smoke test)" do
         stub_user_agent(useragent)
         number_of_headers = case name
-        when :ie
+        when :ie, :chrome
           5
-        when :opera
-          4
         when :ios5, :safari5
           3 # csp breaks these browsers
         else
@@ -106,7 +104,6 @@ describe SecureHeaders do
     end
 
     it "does not set the X-XSS-Protection header if disabled" do
-      stub_user_agent(USER_AGENTS[:ie])
       should_not_assign_header(X_XSS_PROTECTION_HEADER_NAME)
       subject.set_x_xss_protection_header(false)
     end
@@ -142,7 +139,7 @@ describe SecureHeaders do
     end
 
     context "when disabled by configuration settings" do
-      it "does not set the X-Content-Type-Options when disabled" do
+      it "does not set any headers when disabled" do
         ::SecureHeaders::Configuration.configure do |config|
           config.hsts = false
           config.x_frame_options = false
@@ -169,37 +166,56 @@ describe SecureHeaders do
     end
   end
 
-  context "when using IE" do
-    before(:each) do
-      stub_user_agent(USER_AGENTS[:ie])
+  describe "#set_strict_transport_security" do
+    it "sets the Strict-Transport-Security header" do
+      should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
+      subject.set_hsts_header
     end
 
-    describe "#set_x_xss_protection" do
-      it "sets the X-XSS-Protection header" do
-        should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1')
-        subject.set_x_xss_protection_header
-      end
-
-      it "sets a custom X-XSS-Protection header" do
-        should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
-        subject.set_x_xss_protection_header("0")
-      end
-
-      it "sets the block flag" do
-        should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
-        subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
-      end
+    it "allows you to specific a custom max-age value" do
+      should_assign_header(HSTS_HEADER_NAME, 'max-age=1234')
+      subject.set_hsts_header(:max_age => 1234)
     end
 
-    describe "#set_x_content_type_options" do
-      it "sets the X-Content-Type-Options header" do
-        should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
-        subject.set_x_content_type_options_header
-      end
+    it "allows you to specify includeSubdomains" do
+      should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
+      subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
+    end
+  end
 
-      it "lets you override X-Content-Type-Options" do
-        should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
-        subject.set_x_content_type_options_header(:value => 'nosniff')
+  describe "#set_x_xss_protection" do
+    it "sets the X-XSS-Protection header" do
+      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
+      subject.set_x_xss_protection_header
+    end
+
+    it "sets a custom X-XSS-Protection header" do
+      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
+      subject.set_x_xss_protection_header("0")
+    end
+
+    it "sets the block flag" do
+      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
+      subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
+    end
+  end
+
+  describe "#set_x_content_type_options" do
+    [:ie, :chrome].each do |useragent|
+      context "when using #{useragent}" do
+        before(:each) do
+          stub_user_agent(USER_AGENTS[useragent])
+        end
+
+        it "sets the X-Content-Type-Options header" do
+          should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
+          subject.set_x_content_type_options_header
+        end
+
+        it "lets you override X-Content-Type-Options" do
+          should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
+          subject.set_x_content_type_options_header(:value => 'nosniff')
+        end
       end
     end
   end