Merge branch 'tests_for_csp_override_action'

Author: oreoshake

fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb

@@ -3,4 +3,18 @@ class OtherThingsController < ApplicationController
   def index
 
   end
+
+  def other_action
+    render :text => 'yooooo'
+  end
+
+  def secure_header_options_for(header, options)
+    if params[:action] == "other_action"
+      if header == :csp
+        options.merge(:style_src => 'self')
+      end
+    else
+      options
+    end
+  end
 end

fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb

@@ -12,11 +12,17 @@
       expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
     end
 
-    it "sets the X-WebKit-CSP header" do
+    it "sets the CSP header" do
       get :index
       expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
     end
 
+    it "sets per-action values based on secure_header_options_for" do
+      # munges :style_src => self into policy
+      get :other_action
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:; style-src 'self';")
+    end
+
     #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'

fixtures/rails_4_1_8/app/controllers/other_things_controller.rb

@@ -2,4 +2,4 @@ class OtherThingsController < ApplicationController
   def index
 
   end
-end
+end

lib/secure_headers.rb

@@ -50,12 +50,6 @@ def ensure_security_headers options = {}
       before_filter :set_x_download_options_header
       before_filter :set_x_permitted_cross_domain_policies_header
     end
-
-    # we can't use ||= because I'm overloading false => disable, nil => default
-    # both of which trigger the conditional assignment
-    def options_for(type, options)
-      options.nil? ? ::SecureHeaders::Configuration.send(type) : options
-    end
   end
 
   module InstanceMethods
@@ -80,7 +74,7 @@ def set_csp_header(req = nil, config=nil)
       end
 
       config = self.class.secure_headers_options[:csp] if config.nil?
-      config = self.class.options_for :csp, config
+      config = secure_header_options_for :csp, config
 
       return if config == false
 
@@ -140,7 +134,7 @@ def set_hsts_header(options=self.class.secure_headers_options[:hsts])
 
     def set_hpkp_header(options=self.class.secure_headers_options[:hpkp])
       return unless request.ssl?
-      config = self.class.options_for :hpkp, options
+      config = secure_header_options_for :hpkp, options
 
       return if config == false || config.nil?
 
@@ -158,8 +152,15 @@ def set_x_permitted_cross_domain_policies_header(options=self.class.secure_heade
 
     private
 
+    # we can't use ||= because I'm overloading false => disable, nil => default
+    # both of which trigger the conditional assignment
+    def secure_header_options_for(type, options)
+      options.nil? ? ::SecureHeaders::Configuration.send(type) : options
+    end
+
+
     def set_a_header(name, klass, options=nil)
-      options = self.class.options_for name, options
+      options = secure_header_options_for name, options
       return if options == false
 
       header = klass.new(options)