Sha256: 8bc7d59a143a64982b065297dda5fa83db775d44544cb254ca0415e0badacfcb
Contents?: true
Size: 1.59 KB
Versions: 4
Compression:
Stored size: 1.59 KB
Contents
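module SecureHeaders
  # Raised when an X-XSS-Protection configuration cannot be turned into a
  # well-formed header value.
  class XXssProtectionBuildError < StandardError; end

  # Builds the X-XSS-Protection response header.
  #
  # Accepted configurations:
  # * nil    - the header value is DEFAULT_VALUE ("1").
  # * String - used verbatim; must match VALID_X_XSS_HEADER.
  # * Hash   - deprecated form with :value, optional :mode and optional
  #            :report_uri keys, assembled into "<value>; mode=...; report=...".
  #
  # Any other config type is not validated here and is handed to the Hash
  # branch of #value as-is.
  class XXssProtection < Header
    module Constants
      X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
      DEFAULT_VALUE = "1"
      # Shape of a String config: "0" or "1", optionally followed by
      # "; mode=block" and/or "; report=<anything>". The report part is `.*`,
      # which stops at "\n" but still matches "\r"; carriage returns are
      # rejected separately during validation.
      VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
      CONFIG_KEY = :x_xss_protection
    end
    include Constants

    # @param config [nil, String, Hash] header configuration (see class docs)
    # @raise [XXssProtectionBuildError] if a String or Hash config is invalid
    def initialize(config=nil)
      @config = config
      validate_config unless @config.nil?
    end

    # @return [String] the header name, 'X-XSS-Protection'
    def name
      X_XSS_PROTECTION_HEADER_NAME
    end

    # @return [String] the header value derived from the configuration
    def value
      case @config
      when NilClass
        DEFAULT_VALUE
      when String
        @config
      else
        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XXssProtection config"
        # Build a new string so the caller's config object is never mutated.
        parts = [@config[:value].to_s]
        parts << "mode=#{@config[:mode]}" if @config[:mode]
        parts << "report=#{@config[:report_uri]}" if @config[:report_uri]
        parts.join("; ")
      end
    end

    private

    # Dispatches to the validator for the config's type. Types other than
    # Hash and String are not checked.
    def validate_config
      case @config
      when Hash then validate_hash_config
      when String then validate_string_config
      end
    end

    # Validates the deprecated Hash form.
    #
    # :value is compared as text against exactly "0" or "1". A #to_i based
    # check would accept inputs such as "1junk" or 1.0, which #value then
    # emits verbatim as a malformed header.
    def validate_hash_config
      raise XXssProtectionBuildError.new(":value key is missing") unless @config[:value]

      unless @config[:value].to_s =~ /\A[01]\z/
        raise XXssProtectionBuildError.new(":value must be 1 or 0")
      end

      if @config[:mode] && @config[:mode].casecmp('block') != 0
        raise XXssProtectionBuildError.new(":mode must nil or 'block'")
      end

      # :report_uri is interpolated into the header value unchanged, so it
      # must stay on a single line.
      reject_line_breaks(@config[:report_uri], ":report_uri")
    end

    # Validates the String form against VALID_X_XSS_HEADER and additionally
    # refuses carriage returns, which the pattern's `.*` would let through.
    def validate_string_config
      unless @config =~ VALID_X_XSS_HEADER
        raise XXssProtectionBuildError.new("Invalid format (see VALID_X_XSS_HEADER)")
      end

      reject_line_breaks(@config, "header value")
    end

    # Raises if +text+ contains CR or LF; a header value is a single line.
    def reject_line_breaks(text, label)
      return unless text.to_s =~ /[\r\n]/

      raise XXssProtectionBuildError.new("#{label} must not contain CR or LF")
    end
  end
end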