Add async support to wrap-xss-protection

weavejester · weavejester · commit eadd49380462 · 2016-08-12T18:06:59.000+01:00
diff --git a/src/ring/middleware/x_headers.clj b/src/ring/middleware/x_headers.clj
@@ -13,6 +13,9 @@
     (str "ALLOW-FROM " (:allow-from frame-options))
     (str/upper-case (name frame-options))))
 
+(defn- format-xss-protection [enable? options]
+  (str (if enable? "1" "0") (if options "; mode=block")))
+
 (defn- wrap-x-header [handler header-name header-value]
   (fn
     ([request]
@@ -66,6 +69,14 @@
   {:pre [(= content-type-options :nosniff)]}
   (wrap-x-header handler "X-Content-Type-Options" (name content-type-options)))
 
+(defn xss-protection-response
+  "Add the X-XSS-Protection header to the response. See: wrap-xss-protection."
+  ([response enable?]
+   (xss-protection-response response enable? nil))
+  ([response enable? options]
+   (some-> response
+           (resp/header "X-XSS-Protection" (format-xss-protection enable? options)))))
+
 (defn wrap-xss-protection
   "Middleware that adds the X-XSS-Protection header to the response. This header
   enables a heuristic filter in browsers for detecting cross-site scripting
@@ -77,9 +88,8 @@
   :mode - currently accepts only :block
 
   See: http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx"
-  [handler enable? & [options]]
-  {:pre [(or (nil? options) (= options {:mode :block}))]}
-  (let [header-value (str (if enable? "1" "0") (if options "; mode=block"))]
-    (fn [request]
-      (if-let [response (handler request)]
-        (resp/header response "X-XSS-Protection" header-value)))))
+  ([handler enable?]
+   (wrap-xss-protection handler enable? nil))
+  ([handler enable? options]
+   {:pre [(or (nil? options) (= options {:mode :block}))]}
+   (wrap-x-header handler "X-XSS-Protection" (format-xss-protection enable? options))))
diff --git a/test/ring/middleware/x_headers_test.clj b/test/ring/middleware/x_headers_test.clj
@@ -130,3 +130,22 @@
     (testing "nil response"
       (let [handler (wrap-xss-protection (constantly nil) true)]
         (is (nil? (handler (request :get "/"))))))))
+
+(deftest test-wrap-xss-protection-cps
+  (testing "nosniff"
+    (let [handler (-> (fn [_ respond _] (respond (response "hello")))
+                      (wrap-xss-protection true))
+          resp    (promise)
+          ex      (promise)]
+      (handler (request :get "/") resp ex)
+      (is (not (realized? ex)))
+      (is (= (:headers @resp) {"X-XSS-Protection" "1"}))))
+
+  (testing "nil response"
+    (let [handler (-> (fn [_ respond _] (respond nil))
+                      (wrap-xss-protection true))
+          resp    (promise)
+          ex      (promise)]
+      (handler (request :get "/") resp ex)
+      (is (not (realized? ex)))
+      (is (nil? @resp)))))
