From df83776836bbb05a2af132f42bd0c1c0ebbaa7b9 Mon Sep 17 00:00:00 2001
From: Francois Chagnon
Date: Tue, 16 Sep 2014 19:26:03 +0000
Subject: [PATCH] add report=uri to X-XSS-Protection
---
 lib/secure_headers/headers/x_xss_protection.rb | 3 ++-
 spec/lib/secure_headers/headers/x_xss_protection_spec.rb | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/secure_headers/headers/x_xss_protection.rb b/lib/secure_headers/headers/x_xss_protection.rb
index af8a0ac0..7860c0f3 100644
--- a/lib/secure_headers/headers/x_xss_protection.rb
+++ b/lib/secure_headers/headers/x_xss_protection.rb
@@ -4,7 +4,7 @@ class XXssProtection < Header
 module Constants
 X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
 DEFAULT_VALUE = "1"
- VALID_X_XSS_HEADER = /\A[01](; mode=block)?\z/i
+ VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
 end
 include Constants
@@ -26,6 +26,7 @@ def value
 else
 value = @config[:value].to_s
 value += "; mode=#{@config[:mode]}" if @config[:mode]
+ value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
 value
 end
 end
diff --git a/spec/lib/secure_headers/headers/x_xss_protection_spec.rb b/spec/lib/secure_headers/headers/x_xss_protection_spec.rb
index fedf248d..8c7b2de5 100644
--- a/spec/lib/secure_headers/headers/x_xss_protection_spec.rb
+++ b/spec/lib/secure_headers/headers/x_xss_protection_spec.rb
@@ -4,6 +4,7 @@ module SecureHeaders
 specify { expect(XXssProtection.new.value).to eq("1")}
 specify { expect(XXssProtection.new("0").value).to eq("0")}
 specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
+ specify { expect(XXssProtection.new(:value => 1, :mode => 'block', :report_uri => 'https://www.secure.com/reports').value).to eq('1; mode=block; report=https://www.secure.com/reports') }
 context "with invalid configuration" do
 it "should raise an error when providing a string that is not valid" do
@@ -50,4 +51,4 @@ module SecureHeaders
 end
 end
-end
\ No newline at end of file
+end
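Review bot: The widened pattern `(; report=.*)?` in VALID_X_XSS_HEADER accepts any run of non-newline characters after `report=`, including an empty value, an embedded `;` and a bare `\r`, so a string config such as `"1; report="` or `"1; report=foo; mode=block"` now validates even though it is not a usable header value. A stricter alternative that still allows any URI is `(; report=\S+)?`, which rejects whitespace (and therefore CR) and an empty value; if `;` should also be excluded, use `[^\s;]+` in place of `\S+`. A comment above the constant such as `# report=<uri> is a Chromium/WebKit extension to X-XSS-Protection, which is why the pattern is broader than the two documented values` would record why the regex accepts this token.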
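Review bot: `@config[:report_uri]` is interpolated into the header on the added line without any check on its contents, so a value containing whitespace, `;` or a line break would yield a malformed header value, while the string form of the config is presumably validated against VALID_X_XSS_HEADER. Unless the hash-config validation (outside this hunk) already checks `:report_uri`, apply the same constraint where that validation happens, e.g. `raise ArgumentError, "report_uri must not contain whitespace or ';'" if @config[:report_uri].to_s =~ /[\s;]/`, using whichever error class the existing string-config validation raises. The enclosing `value` method begins before this hunk.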
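Review bot: The added example only exercises the hash form with a well-formed URI; neither the string form newly accepted by VALID_X_XSS_HEADER nor a rejected `:report_uri` is covered, so the regex change in x_xss_protection.rb has no spec of its own. Add alongside it `specify { expect(XXssProtection.new("1; mode=block; report=https://www.secure.com/reports").value).to eq("1; mode=block; report=https://www.secure.com/reports") }`, and in the "with invalid configuration" context that opens at the end of this hunk an example asserting that a `:report_uri` containing whitespace raises. That context block continues past the hunk.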