Merge pull request #239 from twitter/fix-regression-with-overrides

oreoshake · oreoshake · commit 96cd67692ab5 · 2016-03-30T09:54:29.000-10:00
Regression: overrides were not carrying configuration values forward
diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
@@ -121,6 +121,13 @@ def dup
       copy.csp = self.class.send(:deep_copy_if_hash, @csp)
       copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
       copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
+      copy.x_content_type_options = @x_content_type_options
+      copy.hsts = @hsts
+      copy.x_frame_options = @x_frame_options
+      copy.x_xss_protection = @x_xss_protection
+      copy.x_download_options = @x_download_options
+      copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
+      copy.hpkp = @hpkp
       copy
     end
 
@@ -133,6 +140,7 @@ def opt_out(header)
     end
 
     def update_x_frame_options(value)
+      @x_frame_options = value
       self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
     end
 
diff --git a/spec/lib/secure_headers/configuration_spec.rb b/spec/lib/secure_headers/configuration_spec.rb
@@ -41,6 +41,14 @@ module SecureHeaders
       end
     end
 
+    it "regenerates cached headers when building an override" do
+      Configuration.override(:test_override) do |config|
+        config.x_content_type_options = OPT_OUT
+      end
+
+      expect(Configuration.get.cached_headers).to_not eq(Configuration.get(:test_override).cached_headers)
+    end
+
     it "stores an override of the global config" do
       Configuration.override(:test_override) do |config|
         config.x_frame_options = "DENY"
diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
@@ -21,7 +21,7 @@ module SecureHeaders
     end
 
     describe "#header_hash_for" do
-      it "allows you to opt out of individual headers" do
+      it "allows you to opt out of individual headers via API" do
         Configuration.default
         SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
         SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
@@ -31,6 +31,23 @@ module SecureHeaders
         expect(hash['X-Content-Type-Options']).to be_nil
       end
 
+      it "Carries options over when using overrides" do
+        Configuration.default do |config|
+          config.x_download_options = OPT_OUT
+          config.x_permitted_cross_domain_policies = OPT_OUT
+        end
+
+        Configuration.override(:api) do |config|
+          config.x_frame_options = OPT_OUT
+        end
+
+        SecureHeaders.use_secure_headers_override(request, :api)
+        hash = SecureHeaders.header_hash_for(request)
+        expect(hash['X-Download-Options']).to be_nil
+        expect(hash['X-Permitted-Cross-Domain-Policies']).to be_nil
+        expect(hash['X-Frame-Options']).to be_nil
+      end
+
       it "allows you to opt out entirely" do
         Configuration.default
         SecureHeaders.opt_out_of_all_protection(request)
