File: x_xss_protection.rb

package info (click to toggle)
ruby-secure-headers 6.3.2-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 496 kB
  • sloc: ruby: 3,342; makefile: 5
file content (26 lines) | stat: -rw-r--r-- 976 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
# frozen_string_literal: true
module SecureHeaders
  class XXssProtectionConfigError < StandardError; end
  class XXssProtection
    HEADER_NAME = "X-XSS-Protection".freeze
    DEFAULT_VALUE = "1; mode=block"
    VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/

    class << self
      # Public: generate an X-Xss-Protection header.
      #
      # Returns a default header if no configuration is provided, or a
      # header name and value based on the config.
      def make_header(config = nil, user_agent = nil)
        return if config == OPT_OUT
        [HEADER_NAME, config || DEFAULT_VALUE]
      end

      def validate_config!(config)
        return if config.nil? || config == OPT_OUT
        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
        raise XXssProtectionConfigError.new("Invalid format (see VALID_X_XSS_HEADER)") unless config.to_s =~ VALID_X_XSS_HEADER
      end
    end
  end
end