Add support for multiple policies

ptoomey3 · ptoomey3 · commit 41e87d545cc8 · 2017-11-14T12:54:18.000-07:00
diff --git a/lib/secure_headers/headers/referrer_policy.rb b/lib/secure_headers/headers/referrer_policy.rb
@@ -22,14 +22,21 @@ class << self
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
       def make_header(config = nil)
-        [HEADER_NAME, config || DEFAULT_VALUE]
+        config ||= DEFAULT_VALUE
+        [HEADER_NAME, Array(config).join(", ")]
       end
 
       def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless VALID_POLICIES.include?(config.downcase)
-          raise ReferrerPolicyConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
+        case config
+        when nil, OPT_OUT
+          # valid
+        when String, Array
+          config = Array(config)
+          unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
+            raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(', ')}")
+          end
+        else
+          raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
         end
       end
     end
diff --git a/spec/lib/secure_headers/headers/referrer_policy_spec.rb b/spec/lib/secure_headers/headers/referrer_policy_spec.rb
@@ -5,6 +5,7 @@ module SecureHeaders
   describe ReferrerPolicy do
     specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
     specify { expect(ReferrerPolicy.make_header("no-referrer")).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
+    specify { expect(ReferrerPolicy.make_header(%w(origin-when-cross-origin strict-origin-when-cross-origin))).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin, strict-origin-when-cross-origin"]) }
 
     context "valid configuration values" do
       it "accepts 'no-referrer'" do
@@ -60,14 +61,31 @@ module SecureHeaders
           ReferrerPolicy.validate_config!(nil)
         end.not_to raise_error
       end
+
+      it "accepts array of policy values" do
+        expect do
+          ReferrerPolicy.validate_config!(
+            %w(
+              origin-when-cross-origin
+              strict-origin-when-cross-origin
+            )
+          )
+        end.not_to raise_error
+      end
     end
 
-    context "invlaid configuration values" do
+    context "invalid configuration values" do
       it "doesn't accept invalid values" do
         expect do
           ReferrerPolicy.validate_config!("open")
         end.to raise_error(ReferrerPolicyConfigError)
       end
+
+      it "doesn't accept invalid types" do
+        expect do
+          ReferrerPolicy.validate_config!({})
+        end.to raise_error(TypeError)
+      end
     end
   end
 end
