
Lowercase header issue: SecureHeaders::OPT_OUT Fails to Remove Non-Lowercase Headers in Rails Default Config #541


Open
GabDesilets opened this issue Jan 8, 2025 · 0 comments


GabDesilets commented Jan 8, 2025

Bug

Gem version: 7.1.0
Rails: 6.1
Ruby: 3.3.6

Following this change from this pull-request, it introduces a regression and an unwanted behavior with some headers.

While using SecureHeaders::OPT_OUT as a value to override the X-Frame-Options header, we're not deleting the header.

It happens because here in railtie.rb we are only looking for the lowercase key values.
The default written X-Frame-Options never gets matched because keys are case sensitive.

This is a potentially bigger issue since, looking at a recent version of Rails action_dispatch here, it is still using the non-lowercase keys.

Expected outcome

  1. The header is removed from the headers list in the response when using SecureHeaders::OPT_OUT.

Actual outcome

  1. Any non-downcased header with the SecureHeaders::OPT_OUT value doesn't get removed.

Suggestions:

# Rails' own default header set (keys are mixed case, e.g. "X-Frame-Options").
default_headers = Rails.application.config.action_dispatch.default_headers
unless default_headers.nil?
  default_headers.each_key do |header|
    # conflicting_headers is the lowercase list from railtie.rb, so compare
    # the downcased Rails key instead of the exact key.
    if conflicting_headers.include?(header.downcase)
      default_headers.delete(header)
    end
  end
end
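The sequence the issue describes, as an added example that is neither the gem's code nor the reporter's: Rails installs mixed-case default headers, the Railtie strips the ones the gem manages, then the gem writes its own lowercase headers. OPT_OUT stands in for SecureHeaders::OPT_OUT and both hashes are constructed samples.

```ruby
# Added example, not code from the secure_headers gem or from the issue author.
# It models the sequence the issue describes: Rails installs its default
# headers (mixed-case names), the gem's Railtie removes the ones it will
# manage itself, then the gem writes its own (lowercase) headers.
# OPT_OUT stands in for SecureHeaders::OPT_OUT; the hashes are constructed samples.
OPT_OUT = :opt_out

# Rails 6.1-style action_dispatch.default_headers (constructed sample).
RAILS_DEFAULT_HEADERS = {
  "X-Frame-Options"        => "SAMEORIGIN",
  "X-Content-Type-Options" => "nosniff",
  "X-Download-Options"     => "noopen",
}.freeze

# Gem-side config with lowercase names; X-Frame-Options is opted out.
GEM_CONFIG = {
  "x-frame-options"        => OPT_OUT,
  "x-content-type-options" => "nosniff",
}.freeze

# Simulate the final response header set.
#   case_insensitive: false -> the Railtie check as reported (exact key match)
#   case_insensitive: true  -> the suggested fix (compare downcased keys)
def final_response_headers(rails_defaults, gem_config, case_insensitive:)
  conflicting = gem_config.keys # all lowercase
  kept = rails_defaults.reject do |name, _|
    conflicting.include?(case_insensitive ? name.downcase : name)
  end
  # The gem writes every header it manages, except those set to OPT_OUT.
  gem_config.each { |name, value| kept[name] = value unless value == OPT_OUT }
  kept
end

# Case-insensitive lookup, the way a browser treats header names.
def header_value(headers, name)
  headers.find { |k, _| k.casecmp?(name) }&.last
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |fix|
    h = final_response_headers(RAILS_DEFAULT_HEADERS, GEM_CONFIG, case_insensitive: fix)
    puts "case_insensitive=#{fix}: x-frame-options=#{header_value(h, 'x-frame-options').inspect} " \
         "headers=#{h.keys}"
  end
end
```

With the exact-match check the opted-out X-Frame-Options survives and X-Content-Type-Options ends up twice under different casings; with the downcased comparison only the gem's own headers remain.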
obrie added a commit to Tapjoy/secure_headers that referenced this issue Mar 20, 2025
…thub#541)

While this gem now uses lowercase headers, the Rails default configuration still
defines non-lowercase headers.  As a result, our Railtie will not remove those
conflicting headers.

This change ensures that we're accounting for both lowercase and non-lowercase
default headers in Rails.