From d1fa8cd48cd54bb99fe19309e4023741590f9f4f Mon Sep 17 00:00:00 2001 From: takuya kodama Date: Tue, 20 Aug 2024 10:28:43 +0800 Subject: [PATCH] config action_dispatch: update default headers to remove `X-Download-Options` (#56) GitHub: ref GH-34 In Rails v7.1, this setting is default. ref: https://guides.rubyonrails.org/v7.1/configuring.html#config-action-dispatch-default-headers `X-Download-Options` is used only by Internet Explorer. It will be deprecated soon. ref: https://github.com/rails/rails/issues/43948 --- config/initializers/new_framework_defaults_7_1.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/config/initializers/new_framework_defaults_7_1.rb b/config/initializers/new_framework_defaults_7_1.rb index 9771bd6..864c530 100644 --- a/config/initializers/new_framework_defaults_7_1.rb +++ b/config/initializers/new_framework_defaults_7_1.rb @@ -13,13 +13,13 @@ # Remove the default X-Download-Options headers since it is used only by Internet Explorer. # If you need to support Internet Explorer, add back `"X-Download-Options" => "noopen"`. #++ -# Rails.application.config.action_dispatch.default_headers = { -# "X-Frame-Options" => "SAMEORIGIN", -# "X-XSS-Protection" => "0", -# "X-Content-Type-Options" => "nosniff", -# "X-Permitted-Cross-Domain-Policies" => "none", -# "Referrer-Policy" => "strict-origin-when-cross-origin" -# } +Rails.application.config.action_dispatch.default_headers = { + "X-Frame-Options" => "SAMEORIGIN", + "X-XSS-Protection" => "0", + "X-Content-Type-Options" => "nosniff", + "X-Permitted-Cross-Domain-Policies" => "none", + "Referrer-Policy" => "strict-origin-when-cross-origin" +} ### # Do not treat an `ActionController::Parameters` instance