add tests for secure_headers_options_for

oreoshake · oreoshake · commit 865ff8bfa16f · 2015-06-25T15:24:01.000-07:00
diff --git a/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb b/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
@@ -3,4 +3,18 @@ class OtherThingsController < ApplicationController
   def index
 
   end
+
+  def other_action
+    render :text => 'yooooo'
+  end
+
+  def secure_header_options_for(header, options)
+    if params[:action] == "other_action"
+      if header == :csp
+        options.merge(:style_src => 'self')
+      end
+    else
+      options
+    end
+  end
 end
diff --git a/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb b/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb
@@ -12,11 +12,17 @@
       expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
     end
 
-    it "sets the X-WebKit-CSP header" do
+    it "sets the CSP header" do
       get :index
       expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
     end
 
+    it "sets per-action values based on secure_header_options_for" do
+      # munges :style_src => self into policy
+      get :other_action
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:; style-src 'self';")
+    end
+
     #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
diff --git a/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb b/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
@@ -2,4 +2,4 @@ class OtherThingsController < ApplicationController
   def index
 
   end
-end
+end

-Original file line number
+Diff line change
   def index
   end
 -end
 +end