
Lowercase header issue: SecureHeaders::OPT_OUT Fails to Remove Non-Lowercase Headers in Rails Default Config

Open GabDesilets opened this issue 1 year ago • 0 comments

Bug

Gem version: 7.1.0 Rails: 6.1 Ruby: 3.3.6

Following this change from this pull request, it introduces a regression and unwanted behavior with some headers.

While using SecureHeaders::OPT_OUT as a value to override the X-Frame-Options header, we're not deleting the header.

It happens because here in railtie.rb we are only looking for lowercase keys. The default X-Frame-Options written by Rails never gets matched because hash keys are case-sensitive.

This is potentially a bigger issue since, looking at a recent version of Rails action_dispatch here, it is still using non-lowercase keys.

Expected outcome

  1. The header is removed from the headers list in the response when using SecureHeaders::OPT_OUT.

Actual outcome

  1. Any non-lowercase header with the SecureHeaders::OPT_OUT value doesn't get removed.

Suggestions:

# conflicting_headers is the lowercase list already used in railtie.rb.
default_headers = Rails.application.config.action_dispatch.default_headers
unless default_headers.nil?
  # Compare on the downcased key so Rails' mixed-case keys (e.g. "X-Frame-Options")
  # match, but delete by the original key so the entry is actually removed.
  default_headers.keys.each do |header|
    if conflicting_headers.include?(header.downcase)
      default_headers.delete(header)
    end
  end
end

GabDesilets avatar Jan 08 '25 22:01 GabDesilets
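The following is an added example, not code from secure_headers or from the issue author. It runs without Rails: the default-header hashes, the OPT_OUT sentinel and the conflicting-header list are all constructed here to mimic what the issue describes, and the function names are hypothetical. It shows that an exact-key deletion silently leaves Rails' mixed-case defaults in place, that the same exact-key logic appears to work when the keys happen to be lowercase (which is how this kind of regression goes unnoticed), and that matching on the downcased key fixes both cases.

```ruby
# Constructed sample of what Rails writes into
# config.action_dispatch.default_headers: canonical mixed-case keys.
# "X-Custom-App-Header" is an extra constructed entry that must survive.
RAILS_DEFAULT_HEADERS = {
  "X-Frame-Options"                   => "SAMEORIGIN",
  "X-XSS-Protection"                  => "0",
  "X-Content-Type-Options"            => "nosniff",
  "X-Permitted-Cross-Domain-Policies" => "none",
  "Referrer-Policy"                   => "strict-origin-when-cross-origin",
  "X-Custom-App-Header"               => "1",
}.freeze

# Constructed variant with lowercase keys (as a Rack 3 style app might have):
# this is the only shape the exact-key lookup ever handled correctly.
LOWERCASE_DEFAULT_HEADERS = RAILS_DEFAULT_HEADERS.transform_keys(&:downcase).freeze

# Hypothetical stand-in for SecureHeaders::OPT_OUT.
OPT_OUT = :opt_out

# Hypothetical per-header config: every managed header is opted out here,
# so each one should be stripped from the Rails defaults. Keys are lowercase,
# mirroring how the gem names the headers it manages.
SECURE_HEADERS_CONFIG = {
  "x-frame-options"                   => OPT_OUT,
  "x-xss-protection"                  => OPT_OUT,
  "x-content-type-options"            => OPT_OUT,
  "x-permitted-cross-domain-policies" => OPT_OUT,
  "referrer-policy"                   => OPT_OUT,
}.freeze

# Lowercase names of the headers whose Rails default must be removed.
def opted_out_headers(config)
  config.select { |_, value| value == OPT_OUT }.keys
end

# Buggy behaviour: delete by the exact lowercase name. Ruby Hash keys are
# case-sensitive, so "X-Frame-Options" is never matched and nothing changes.
def remove_conflicts_exact(default_headers, conflicting)
  headers = default_headers.dup
  conflicting.each { |name| headers.delete(name) }
  headers
end

# Fixed behaviour: compare on the downcased key, drop the original entry.
# Returns a new hash; in a railtie you would use delete_if on the config
# object itself so the mutation reaches Rails.
def remove_conflicts_case_insensitive(default_headers, conflicting)
  default_headers.reject { |key, _| conflicting.include?(key.downcase) }
end

if __FILE__ == $PROGRAM_NAME
  conflicting = opted_out_headers(SECURE_HEADERS_CONFIG)
  puts "exact match, mixed-case keys:"
  p remove_conflicts_exact(RAILS_DEFAULT_HEADERS, conflicting)
  puts "case-insensitive match, mixed-case keys:"
  p remove_conflicts_case_insensitive(RAILS_DEFAULT_HEADERS, conflicting)
  puts "exact match, lowercase keys (why the bug was easy to miss):"
  p remove_conflicts_exact(LOWERCASE_DEFAULT_HEADERS, conflicting)
end
```

Run it with `ruby` and compare the first two hashes: the exact-key version still contains X-Frame-Options: SAMEORIGIN, so a page the application meant to make frameable (or to protect with frame-ancestors in CSP instead) still ships the Rails default.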