Merge pull request #193 from twitter/calling-name-on-nil-value

oreoshake · oreoshake · commit 6c02a638dde1 · 2015-12-03T13:27:25.000-10:00
Fix issue with opting out of headers when using header_hash method
diff --git a/lib/secure_headers.rb b/lib/secure_headers.rb
@@ -52,21 +52,23 @@ def append_features(base)
 
     def header_hash(options = nil)
       ALL_HEADER_CLASSES.inject({}) do |memo, klass|
-        config = if options.is_a?(Hash) && options[klass::Constants::CONFIG_KEY]
+        # must use !options[key].nil? because 'false' represents opting out, nil
+        # represents use global default.
+        config = if options.is_a?(Hash) && !options[klass::Constants::CONFIG_KEY].nil?
           options[klass::Constants::CONFIG_KEY]
         else
           ::SecureHeaders::Configuration.send(klass::Constants::CONFIG_KEY)
         end
 
         unless klass == SecureHeaders::PublicKeyPins && !config.is_a?(Hash)
-          header = get_a_header(klass::Constants::CONFIG_KEY, klass, config)
-          memo[header.name] = header.value
+          header = get_a_header(klass, config)
+          memo[header.name] = header.value if header
         end
         memo
       end
     end
 
-    def get_a_header(name, klass, options)
+    def get_a_header(klass, options)
       return if options == false
       klass.new(options)
     end
@@ -210,7 +212,7 @@ def secure_header_options_for(type, options)
     def set_a_header(name, klass, options=nil)
       options = secure_header_options_for(name, options)
       return if options == false
-      set_header(SecureHeaders::get_a_header(name, klass, options))
+      set_header(SecureHeaders::get_a_header(klass, options))
     end
 
     def set_header(name_or_header, value=nil)
diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
@@ -8,6 +8,7 @@
   let(:request) {double(:ssl? => true, :url => 'https://example.com')}
 
   before(:each) do
+    reset_config
     stub_user_agent(nil)
     allow(headers).to receive(:[])
     allow(subject).to receive(:response).and_return(response)
@@ -171,6 +172,23 @@ def expect_default_values(hash)
       expect_default_values(hash)
     end
 
+    it "allows opting out" do
+      hash = SecureHeaders::header_hash(:csp => false, :hpkp => false)
+      expect(hash['Content-Security-Policy-Report-Only']).to be_nil
+      expect(hash['Content-Security-Policy']).to be_nil
+    end
+
+    it "allows opting out with config" do
+      ::SecureHeaders::Configuration.configure do |config|
+        config.hsts = false
+        config.csp = false
+      end
+
+      hash = SecureHeaders::header_hash
+      expect(hash['Content-Security-Policy-Report-Only']).to be_nil
+      expect(hash['Content-Security-Policy']).to be_nil
+    end
+
     it "produces a hash with a mix of config values, override values, and default values" do
       ::SecureHeaders::Configuration.configure do |config|
         config.hsts = { :max_age => '123456'}
