├── .github
    └── workflows
    │   └── test.yml
├── .gitignore
├── .travis.yml
├── README.md
├── project.clj
├── src
    └── ring
    │   └── middleware
    │       ├── absolute_redirects.clj
    │       ├── authorization.clj
    │       ├── default_charset.clj
    │       ├── proxy_headers.clj
    │       └── x_headers.clj
└── test
    └── ring
        └── middleware
            ├── absolute_redirects_test.clj
            ├── authorization_test.clj
            ├── default_charset_test.clj
            ├── proxy_headers_test.clj
            └── x_headers_test.clj


/.github/workflows/test.yml:
--------------------------------------------------------------------------------
 1 | name: Tests
 2 | on: [push, pull_request]
 3 | jobs:
 4 |   test:
 5 |     runs-on: ubuntu-latest
 6 |     steps:
 7 |       - name: Checkout
 8 |         uses: actions/checkout@v3
 9 | 
10 |       - name: Prepare java
11 |         uses: actions/setup-java@v3
12 |         with:
13 |           distribution: 'zulu'
14 |           java-version: '11'
15 | 
16 |       - name: Install clojure tools
17 |         uses: DeLaGuardo/setup-clojure@10.1
18 |         with:
19 |           lein: 2.9.10
20 | 
21 |       - name: Cache clojure dependencies
22 |         uses: actions/cache@v3
23 |         with:
24 |           path: ~/.m2/repository
25 |           key: cljdeps-${{ hashFiles('project.clj', 'ring-*/project.clj') }}
26 |           restore-keys: cljdeps-
27 | 
28 |       - name: Run tests
29 |         run: lein test-all
30 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | /target
 2 | /classes
 3 | /checkouts
 4 | /codox
 5 | pom.xml
 6 | pom.xml.asc
 7 | *.jar
 8 | *.class
 9 | /.lein-*
10 | /.nrepl-port
11 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: clojure
2 | script: lein test-all
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Ring-Headers [![Build Status](https://github.com/ring-clojure/ring-headers/actions/workflows/test.yml/badge.svg)](https://github.com/ring-clojure/ring-headers/actions/workflows/test.yml)
 2 | 
 3 | Ring middleware for parsing common request headers, and for adding and
 4 | manipulating common response headers.
 5 | 
 6 | ## Installation
 7 | 
 8 | Add the following dependency to your `deps.edn` file:
 9 | 
10 |     ring/ring-headers {:mvn/version "0.4.0"}
11 | 
12 | Or to your Leiningen project file:
13 | 
14 |     [ring/ring-headers "0.4.0"]
15 | 
16 | ## Documentation
17 | 
18 | * [API Docs](http://ring-clojure.github.io/ring-headers)
19 | 
20 | ## License
21 | 
22 | Copyright © 2024 James Reeves
23 | 
24 | Distributed under the MIT License, the same as Ring.
25 | 


--------------------------------------------------------------------------------
/project.clj:
--------------------------------------------------------------------------------
 1 | (defproject ring/ring-headers "0.4.0"
 2 |   :description "Ring middleware for common response headers"
 3 |   :url "https://github.com/ring-clojure/ring-headers"
 4 |   :license {:name "The MIT License"
 5 |             :url "http://opensource.org/licenses/MIT"}
 6 |   :dependencies [[org.clojure/clojure "1.9.0"]
 7 |                  [ring/ring-core "1.12.1"]]
 8 |   :plugins [[lein-codox "0.10.8"]]
 9 |   :codox {:project {:name "Ring-Headers"}
10 |           :output-path "codox"}
11 |   :aliases {"test-all" ["with-profile" "default:+1.10:+1.11:+1.12" "test"]}
12 |   :profiles
13 |   {:dev {:dependencies [[ring/ring-mock "0.4.0"]]}
14 |    :1.10 {:dependencies [[org.clojure/clojure "1.10.3"]]}
15 |    :1.11 {:dependencies [[org.clojure/clojure "1.11.3"]]}
16 |    :1.12 {:dependencies [[org.clojure/clojure "1.12.0-alpha9"]]}})
17 | 


--------------------------------------------------------------------------------
/src/ring/middleware/absolute_redirects.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.absolute-redirects
 2 |   "Middleware for replacing relative redirects with absolute redirects. Useful
 3 |   for clients that do not yet implement RFC 7231 (RFC 2616 does not allow
 4 |   relative redirects)."
 5 |   (:require [ring.util.request :as req])
 6 |   (:import  [java.net URL MalformedURLException]))
 7 | 
 8 | (defn- redirect? [response]
 9 |   (#{201 301 302 303 307} (:status response)))
10 | 
11 | (defn- get-header-key [response ^String header-name]
12 |   (->> response :headers keys
13 |        (filter #(.equalsIgnoreCase header-name %))
14 |        first))
15 | 
16 | (defn- update-header [response header f & args]
17 |   (if-let [header (get-header-key response header)]
18 |     (apply update-in response [:headers header] f args)
19 |     response))
20 | 
21 | (defn- url? [^String s]
22 |   (try (URL. s) true
23 |        (catch MalformedURLException _ false)))
24 | 
25 | (defn- absolute-url [location request]
26 |   (if (url? location)
27 |     location
28 |     (let [url (URL. (req/request-url request))]
29 |       (str (URL. url location)))))
30 | 
31 | (defn absolute-redirects-response
32 |   "Convert a response that redirects to a relative URLs into a response that
33 |   redirects to an absolute URL. See: wrap-absolute-redirects."
34 |   [response request]
35 |   (if (redirect? response)
36 |     (update-header response "location" absolute-url request)
37 |     response))
38 | 
39 | (defn wrap-absolute-redirects
40 |   "Middleware that converts redirects to relative URLs into redirects to
41 |   absolute URLs. While many browsers can handle relative URLs in the Location
42 |   header, RFC 2616 states that the Location header must contain an absolute
43 |   URL."
44 |   [handler]
45 |   (fn
46 |     ([request]
47 |      (absolute-redirects-response (handler request) request))
48 |     ([request respond raise]
49 |      (handler request #(respond (absolute-redirects-response % request)) raise))))
50 | 


--------------------------------------------------------------------------------
/src/ring/middleware/authorization.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.authorization
 2 |   (:require [clojure.string :as str]
 3 |             [ring.util.parsing :as parsing]))
 4 | 
 5 | (def ^:private re-token68
 6 |   (re-pattern "[A-Za-z0-9._~+/-]+=*"))
 7 | 
 8 | (def ^:private re-auth-param
 9 |   (re-pattern (str "(" parsing/re-token ")\\s*=\\s*(?:" parsing/re-value ")")))
10 | 
11 | (defn- parse-auth-params [auth-params]
12 |   (reduce (fn [m kv]
13 |             (if-let [[_ k v1 v2] (re-matches re-auth-param kv)]
14 |               (assoc m (str/lower-case k) (or v1 v2))
15 |               m))
16 |           {}
17 |           (str/split auth-params #"\s*,\s*")))
18 | 
19 | (defn- parse-authorization [request]
20 |   (when-let [[auth-scheme token-or-params]
21 |              (some-> (get-in request [:headers "authorization"])
22 |                      (str/split #"\s" 2))]
23 |     (cond
24 |       (empty? token-or-params)
25 |       {:scheme (str/lower-case auth-scheme)}
26 | 
27 |       (re-matches re-token68 token-or-params)
28 |       {:scheme (str/lower-case auth-scheme)
29 |        :token token-or-params}
30 | 
31 |       :else
32 |       {:scheme (str/lower-case auth-scheme)
33 |        :params (parse-auth-params token-or-params)})))
34 | 
35 | (defn authorization-request
36 |   "Parses Authorization header in the request map. See: wrap-authorization."
37 |   [request]
38 |   (if (:authorization request)
39 |     request
40 |     (assoc request :authorization (parse-authorization request))))
41 | 
42 | (defn wrap-authorization
43 |   "Parses the Authorization header in the request map, then assocs the result
44 |   to the :authorization key on the request.
45 | 
46 |   See RFC 7235 Section 2 and RFC 9110 Section 11:
47 |   * https://datatracker.ietf.org/doc/html/rfc7235#section-2
48 |   * https://datatracker.ietf.org/doc/html/rfc9110#section-11"
49 |   [handler]
50 |   (fn
51 |     ([request]
52 |      (handler (authorization-request request)))
53 |     ([request respond raise]
54 |      (handler (authorization-request request)
55 |               respond
56 |               raise))))
57 | 


--------------------------------------------------------------------------------
/src/ring/middleware/default_charset.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.default-charset
 2 |   "Middleware for automatically adding a charset to the content-type header in
 3 |   response maps."
 4 |   (:require [ring.util.response :as response]))
 5 | 
 6 | (defn- text-based-content-type? [content-type]
 7 |   (or (re-find #"text/" content-type)
 8 |       (re-find #"application/xml" content-type)))
 9 | 
10 | (defn- contains-charset? [content-type]
11 |   (re-find #";\s*charset=[^;]*" content-type))
12 | 
13 | (defn default-charset-response
14 |   "Add a default charset to a response if the response has no charset and
15 |   requires one. See: wrap-default-charset."
16 |   [response charset]
17 |   (if response
18 |     (if-let [content-type (response/get-header response "Content-Type")]
19 |       (if (and (text-based-content-type? content-type)
20 |                (not (contains-charset? content-type)))
21 |         (response/charset response charset)
22 |         response)
23 |       response)))
24 | 
25 | (defn wrap-default-charset
26 |   "Middleware that adds a charset to the content-type header of the response if
27 |   one was not set by the handler."
28 |   [handler charset]
29 |   (fn
30 |     ([request]
31 |      (default-charset-response (handler request) charset))
32 |     ([request respond raise]
33 |      (handler request #(respond (default-charset-response % charset)) raise))))
34 | 


--------------------------------------------------------------------------------
/src/ring/middleware/proxy_headers.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.proxy-headers
 2 |   "Middleware for handling headers set by HTTP proxies."
 3 |   (:require [clojure.string :as str]))
 4 | 
 5 | (defn forwarded-remote-addr-request
 6 |   "Change the :remote-addr key of the request map to the last value present in
 7 |   the X-Forwarded-For header. See: wrap-forwarded-remote-addr."
 8 |   [request]
 9 |   (if-let [forwarded-for (get-in request [:headers "x-forwarded-for"])]
10 |     (let [remote-addr (str/trim (re-find #"[^,]*$" forwarded-for))]
11 |       (assoc request :remote-addr remote-addr))
12 |     request))
13 | 
14 | (defn wrap-forwarded-remote-addr
15 |   "Middleware that changes the :remote-addr of the request map to the
16 |   last value present in the X-Forwarded-For header."
17 |   [handler]
18 |   (fn
19 |     ([request]
20 |      (handler (forwarded-remote-addr-request request)))
21 |     ([request respond raise]
22 |      (handler (forwarded-remote-addr-request request) respond raise))))
23 | 


--------------------------------------------------------------------------------
/src/ring/middleware/x_headers.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.x-headers
 2 |   "Middleware for adding various 'X-' response headers."
 3 |   (:require [clojure.string :as str]
 4 |             [ring.util.response :as resp]))
 5 | 
 6 | (defn- allow-from? [frame-options]
 7 |   (and (map? frame-options)
 8 |        (= (keys frame-options) [:allow-from])
 9 |        (string? (:allow-from frame-options))))
10 | 
11 | (defn- format-frame-options [frame-options]
12 |   (if (map? frame-options)
13 |     (str "ALLOW-FROM " (:allow-from frame-options))
14 |     (str/upper-case (name frame-options))))
15 | 
16 | (defn- format-xss-protection [enable? options]
17 |   (str (if enable? "1" "0") (if options "; mode=block")))
18 | 
19 | (defn- wrap-x-header [handler header-name header-value]
20 |   (fn
21 |     ([request]
22 |      (some-> (handler request) (resp/header header-name header-value)))
23 |     ([request respond raise]
24 |      (handler request #(respond (some-> % (resp/header header-name header-value))) raise))))
25 | 
26 | (defn frame-options-response
27 |   "Add the X-Frame-Options header to the response. See: wrap-frame-options."
28 |   [response frame-options]
29 |   (some-> response (resp/header "X-Frame-Options" (format-frame-options frame-options))))
30 | 
31 | (defn wrap-frame-options
32 |   "Middleware that adds the X-Frame-Options header to the response. This governs
33 |   whether your site can be rendered in a <frame>, <iframe> or <object>, and is
34 |   typically used to prevent clickjacking attacks.
35 | 
36 |   The following frame options are allowed:
37 | 
38 |   :deny             - prevent any framing of the content
39 |   :sameorigin       - allow only the current site to frame the content
40 |   {:allow-from uri} - allow only the specified URI to frame the page
41 | 
42 |   The :deny and :sameorigin options are keywords, while the :allow-from option
43 |   is a map consisting of one key/value pair.
44 | 
45 |   Note that browser support for :allow-from is incomplete. See:
46 |   https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options"
47 |   [handler frame-options]
48 |   {:pre [(or (= frame-options :deny)
49 |              (= frame-options :sameorigin)
50 |              (allow-from? frame-options))]}
51 |   (wrap-x-header handler "X-Frame-Options" (format-frame-options frame-options)))
52 | 
53 | (defn content-type-options-response
54 |   "Add the X-Content-Type-Options header to the response.
55 |   See: wrap-content-type-options."
56 |   [response content-type-options]
57 |   (some-> response (resp/header "X-Content-Type-Options" (name content-type-options))))
58 | 
59 | (defn wrap-content-type-options
60 |   "Middleware that adds the X-Content-Type-Options header to the response. This
61 |   currently only accepts one option:
62 | 
63 |   :nosniff - prevent resources with invalid media types being loaded as
64 |              stylesheets or scripts
65 | 
66 |   This prevents attacks based around media type confusion. See:
67 |   http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx"
68 |   [handler content-type-options]
69 |   {:pre [(= content-type-options :nosniff)]}
70 |   (wrap-x-header handler "X-Content-Type-Options" (name content-type-options)))
71 | 
72 | (defn xss-protection-response
73 |   "Add the X-XSS-Protection header to the response. See: wrap-xss-protection."
74 |   ([response enable?]
75 |    (xss-protection-response response enable? nil))
76 |   ([response enable? options]
77 |    (some-> response
78 |            (resp/header "X-XSS-Protection" (format-xss-protection enable? options)))))
79 | 
80 | (defn wrap-xss-protection
81 |   "Middleware that adds the X-XSS-Protection header to the response. This header
82 |   enables a heuristic filter in browsers for detecting cross-site scripting
83 |   attacks. Usually on by default.
84 | 
85 |   The enable? attribute determines whether the filter should be turned on.
86 |   Accepts one additional option:
87 | 
88 |   :mode - currently accepts only :block
89 | 
90 |   See: http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx"
91 |   ([handler enable?]
92 |    (wrap-xss-protection handler enable? nil))
93 |   ([handler enable? options]
94 |    {:pre [(or (nil? options) (= options {:mode :block}))]}
95 |    (wrap-x-header handler "X-XSS-Protection" (format-xss-protection enable? options))))
96 | 


--------------------------------------------------------------------------------
/test/ring/middleware/absolute_redirects_test.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.absolute-redirects-test
 2 |   (:use clojure.test
 3 |         ring.middleware.absolute-redirects
 4 |         [ring.mock.request :only [request]]
 5 |         [ring.util.response :only [redirect response content-type created]]))
 6 | 
 7 | (deftest test-wrap-absolute-redirects
 8 |   (testing "relative redirects"
 9 |     (let [handler (wrap-absolute-redirects (constantly (redirect "/foo")))
10 |           resp    (handler (request :get "/"))]
11 |       (is (= (:status resp) 302))
12 |       (is (= (:headers resp) {"Location" "http://localhost/foo"}))))
13 | 
14 |   (testing "absolute redirects"
15 |     (let [handler (wrap-absolute-redirects (constantly (redirect "http://example.com")))
16 |           resp    (handler (request :get "/"))]
17 |       (is (= (:status resp) 302))
18 |       (is (= (:headers resp) {"Location" "http://example.com"}))))
19 | 
20 |   (testing "up path redirects"
21 |     (let [handler (wrap-absolute-redirects (constantly (redirect "../foo")))
22 |           resp    (handler (request :get "/bar/baz.html"))]
23 |       (is (= (:status resp) 302))
24 |       (is (= (:headers resp) {"Location" "http://localhost/foo"}))))
25 | 
26 |   (testing "no redirects"
27 |     (let [handler (wrap-absolute-redirects (constantly (response "hello")))
28 |           resp    (handler (request :get "/bar/baz.html"))]
29 |       (is (= (:status resp) 200))
30 |       (is (= (:headers resp) {}))
31 |       (is (= (:body resp) "hello"))))
32 | 
33 |   (testing "additional headers"
34 |     (let [handler (wrap-absolute-redirects
35 |                    (constantly (-> (redirect "/foo")
36 |                                    (content-type "text/plain"))))
37 |           resp    (handler (request :get "/"))]
38 |       (is (= (:status resp) 302))
39 |       (is (= (:headers resp) {"Location" "http://localhost/foo"
40 |                               "Content-Type" "text/plain"}))))
41 |   (testing "resource creation"
42 |     (let [handler (wrap-absolute-redirects (constantly (created "/bar/1")))
43 |           resp    (handler (request :post "/bar"))]
44 |       (is (= (:status resp) 201))
45 |       (is (= (:headers resp) {"Location" "http://localhost/bar/1"})))))
46 | 
47 | (deftest test-wrap-absolute-redirects-cps
48 |   (testing "relative redirects"
49 |     (let [handler (wrap-absolute-redirects (fn [_ respond _] (respond (redirect "/foo"))))
50 |           resp    (promise)
51 |           ex      (promise)]
52 |       (handler (request :get "/") resp ex)
53 |       (is (not (realized? ex)))
54 |       (is (= (:status @resp) 302))
55 |       (is (= (:headers @resp) {"Location" "http://localhost/foo"}))))
56 | 
57 |   (testing "absolute redirects"
58 |     (let [handler (wrap-absolute-redirects
59 |                    (fn [_ respond _] (respond (redirect "http://example.com"))))
60 |           resp    (promise)
61 |           ex      (promise)]
62 |       (handler (request :get "/") resp ex)
63 |       (is (not (realized? ex)))
64 |       (is (= (:status @resp) 302))
65 |       (is (= (:headers @resp) {"Location" "http://example.com"}))))
66 | 
67 |   (testing "no redirects"
68 |     (let [handler (wrap-absolute-redirects (fn [_ respond _] (respond (response "hello"))))
69 |           resp    (promise)
70 |           ex      (promise)]
71 |       (handler (request :get "/bar/baz.html") resp ex)
72 |       (is (not (realized? ex)))
73 |       (is (= (:status @resp) 200))
74 |       (is (= (:headers @resp) {}))
75 |       (is (= (:body @resp) "hello")))))
76 | 


--------------------------------------------------------------------------------
/test/ring/middleware/authorization_test.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.authorization-test
 2 |   (:require [clojure.test :refer :all]
 3 |             [ring.middleware.authorization :refer :all]))
 4 | 
 5 | (deftest test-authorization-request
 6 |   (testing "pre-existing authorization"
 7 |     (is (= "TEST"
 8 |            (-> {:headers       {"authorization" "Basic"}
 9 |                 :authorization "TEST"}
10 |                authorization-request
11 |                :authorization))))
12 |   (testing "no authorization"
13 |     (is (nil? (-> {:headers {}}
14 |                 authorization-request
15 |                 :authorization))))
16 |   (testing "scheme without token"
17 |     (is (= {:scheme "basic"}
18 |            (-> {:headers {"authorization" "Basic"}}
19 |                authorization-request
20 |                :authorization))))
21 |   (testing "scheme with zero-length token"
22 |     (is (= {:scheme "basic"}
23 |            (-> {:headers {"authorization" "Basic "}}
24 |                authorization-request
25 |                :authorization))))
26 |   (testing "token68"
27 |     (is (= {:scheme "basic"
28 |             :token "dGVzdA=="}
29 |            (-> {:headers {"authorization" "Basic dGVzdA=="}}
30 |                authorization-request
31 |                :authorization))))
32 |   (testing "auth-params, some malformed"
33 |     (is (= {:scheme "digest"
34 |             :params {"a"    "B"
35 |                      "c"    "d"
36 |                      "eeee" "dGVzdA=="
37 |                      "k"    "1"}}
38 |            (-> {:headers {"authorization" "Digest A=B, c=\"d\",
39 |      eeee=\"dGVzdA==\", fparam=dGVzdA==, g, \"h\"=i, =j, = ,, , k=1"}}
40 |                authorization-request
41 |                :authorization)))))
42 | 
43 | (deftest test-wrap-authorization-none
44 |   (let [handler   (wrap-authorization (fn [req respond _] (respond req)))
45 |         request   {:headers {}}
46 |         response  (promise)
47 |         exception (promise)]
48 |     (handler request response exception)
49 |     (is (nil? (:authorization @response)))
50 |     (is (not (realized? exception)))))
51 | 
52 | (deftest test-wrap-authorization-scheme-only
53 |   (let [handler   (wrap-authorization (fn [req respond _] (respond req)))
54 |         request   {:headers {"authorization" "Basic"}}
55 |         response  (promise)
56 |         exception (promise)]
57 |     (handler request response exception)
58 |     (is (= {:scheme  "basic"}
59 |            (:authorization @response)))
60 |     (is (not (realized? exception)))))
61 | 
62 | (deftest test-wrap-authorization-token68
63 |   (let [handler   (wrap-authorization (fn [req respond _] (respond req)))
64 |         request   {:headers {"authorization" "Basic dGVzdA=="}}
65 |         response  (promise)
66 |         exception (promise)]
67 |     (handler request response exception)
68 |     (is (= {:scheme  "basic"
69 |             :token "dGVzdA=="}
70 |            (:authorization @response)))
71 |     (is (not (realized? exception)))))
72 | 
73 | (deftest test-wrap-authorization-auth-params
74 |   (let [handler   (wrap-authorization (fn [req respond _] (respond req)))
75 |         request   {:headers {"authorization" "Digest A=\"B\""}}
76 |         response  (promise)
77 |         exception (promise)]
78 |     (handler request response exception)
79 |     (is (= {:params {"a" "B"}
80 |             :scheme "digest"}
81 |            (:authorization @response)))
82 |     (is (not (realized? exception)))))
83 | 
84 | (deftest test-wrap-authorization-synchronous
85 |   (let [request (atom nil)
86 |         handler (wrap-authorization (fn [req] (reset! request req)))]
87 |     (handler {:headers {"authorization" "Basic A=\"B\""}})
88 |     (is (= {:params {"a" "B"}
89 |             :scheme "basic"}
90 |            (:authorization @request)))))
91 | 


--------------------------------------------------------------------------------
/test/ring/middleware/default_charset_test.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.default-charset-test
 2 |   (:use clojure.test
 3 |         ring.middleware.default-charset
 4 |         [ring.mock.request :only [request]]
 5 |         [ring.util.response :only [charset content-type]]))
 6 | 
 7 | (deftest test-wrap-charset
 8 |   (testing "no content-type header present"
 9 |     (let [handler (wrap-default-charset (constantly {}) "utf-16")
10 |           resp    (handler request)]
11 |       (is (= resp {}))))
12 | 
13 |   (testing "content-type header without charset present"
14 |     (let [handler (wrap-default-charset
15 |                    (constantly (content-type {} "text/html"))
16 |                    "utf-16")
17 |           resp    (handler request)]
18 |       (is (= (:headers resp)
19 |              {"Content-Type" "text/html; charset=utf-16"}))))
20 | 
21 |   (testing "content-type header with charset present"
22 |     (let [handler (wrap-default-charset
23 |                    (constantly (-> {} (content-type "text/html") (charset "utf-8")))
24 |                    "utf-16")
25 |           resp    (handler request)]
26 |       (is (= (:headers resp)
27 |              {"Content-Type" "text/html; charset=utf-8"}))))
28 | 
29 |   (testing "non-text-based content-type"
30 |     (let [handler (wrap-default-charset
31 |                    (constantly (content-type {} "application/gzip"))
32 |                    "utf-8")
33 |           resp    (handler request)]
34 |       (is (= (:headers resp)
35 |              {"Content-Type" "application/gzip"})))))
36 | 
37 | (deftest test-wrap-charset-cps
38 |   (testing "content-type header without charset present"
39 |     (let [handler (wrap-default-charset
40 |                    (fn [_ respond _] (respond (content-type {} "text/html")))
41 |                    "utf-16")
42 |           resp    (promise)
43 |           ex      (promise)]
44 |       (handler request resp ex)
45 |       (is (not (realized? ex)))
46 |       (is (= (:headers @resp) {"Content-Type" "text/html; charset=utf-16"}))))
47 | 
48 |   (testing "content-type header with charset present"
49 |     (let [handler (wrap-default-charset
50 |                    (fn [_ respond _]
51 |                      (respond (-> {} (content-type "text/html") (charset "utf-8"))))
52 |                    "utf-16")
53 |           resp    (promise)
54 |           ex      (promise)]
55 |       (handler request resp ex)
56 |       (is (not (realized? ex)))
57 |       (is (= (:headers @resp) {"Content-Type" "text/html; charset=utf-8"})))))
58 | 


--------------------------------------------------------------------------------
/test/ring/middleware/proxy_headers_test.clj:
--------------------------------------------------------------------------------
 1 | (ns ring.middleware.proxy-headers-test
 2 |   (:use clojure.test
 3 |         ring.middleware.proxy-headers
 4 |         [ring.mock.request :only [request header]]
 5 |         [ring.util.response :only [response]]))
 6 | 
 7 | (deftest test-wrap-forwarded-remote-addr
 8 |   (let [handler (wrap-forwarded-remote-addr (comp response :remote-addr))]
 9 |     (testing "without x-forwarded-for"
10 |       (let [req  (assoc (request :get "/") :remote-addr "1.2.3.4")
11 |             resp (handler req)]
12 |         (is (= (:body resp) "1.2.3.4"))))
13 | 
14 |     (testing "with x-forwarded-for"
15 |       (let [req  (-> (request :get "/")
16 |                      (assoc :remote-addr "127.0.0.1")
17 |                      (header "x-forwarded-for" "1.2.3.4"))
18 |             resp (handler req)]
19 |         (is (= (:body resp) "1.2.3.4"))))
20 | 
21 |     (testing "with multiple proxies"
22 |       (let [req  (-> (request :get "/")
23 |                      (assoc :remote-addr "127.0.0.1")
24 |                      (header "x-forwarded-for" "10.0.1.9, 192.168.4.98, 1.2.3.4"))
25 |             resp (handler req)]
26 |         (is (= (:body resp) "1.2.3.4"))))))
27 | 
28 | (deftest test-wrap-forwarded-remote-addr-cps
29 |   (let [handler (wrap-forwarded-remote-addr
30 |                  (fn [request respond _] (respond (response (:remote-addr request)))))]
31 |     (testing "without x-forwarded-for"
32 |       (let [req  (assoc (request :get "/") :remote-addr "1.2.3.4")
33 |             resp (promise)
34 |             ex   (promise)]
35 |         (handler req resp ex)
36 |         (is (not (realized? ex)))
37 |         (is (= (:body @resp) "1.2.3.4"))))
38 | 
39 |     (testing "with x-forwarded-for"
40 |       (let [req  (-> (request :get "/")
41 |                      (assoc :remote-addr "127.0.0.1")
42 |                      (header "x-forwarded-for" "1.2.3.4"))
43 |             resp (promise)
44 |             ex   (promise)]
45 |         (handler req resp ex)
46 |         (is (not (realized? ex)))
47 |         (is (= (:body @resp) "1.2.3.4"))))))
48 | 


--------------------------------------------------------------------------------
/test/ring/middleware/x_headers_test.clj:
--------------------------------------------------------------------------------
  1 | (ns ring.middleware.x-headers-test
  2 |   (:use clojure.test
  3 |         ring.middleware.x-headers
  4 |         [ring.mock.request :only [request]]
  5 |         [ring.util.response :only [redirect response content-type]]))
  6 | 
  7 | (deftest test-wrap-frame-options
  8 |   (let [handle-hello (constantly (response "hello"))]
  9 |     (testing "deny"
 10 |       (let [handler (wrap-frame-options handle-hello :deny)
 11 |             resp    (handler (request :get "/"))]
 12 |         (is (= (:headers resp) {"X-Frame-Options" "DENY"}))))
 13 | 
 14 |     (testing "sameorigin"
 15 |       (let [handler (wrap-frame-options handle-hello :sameorigin)
 16 |             resp    (handler (request :get "/"))]
 17 |         (is (= (:headers resp) {"X-Frame-Options" "SAMEORIGIN"}))))
 18 | 
 19 |     (testing "allow-from"
 20 |       (let [handler (wrap-frame-options handle-hello {:allow-from "http://example.com/"})
 21 |             resp    (handler (request :get "/"))]
 22 |         (is (= (:headers resp) {"X-Frame-Options" "ALLOW-FROM http://example.com/"}))))
 23 | 
 24 |     (testing "bad arguments"
 25 |       (is (thrown? AssertionError (wrap-frame-options handle-hello :foobar)))
 26 |       (is (thrown? AssertionError (wrap-frame-options handle-hello {:allowfrom "foo"})))
 27 |       (is (thrown? AssertionError (wrap-frame-options handle-hello {:allow-from nil}))))
 28 | 
 29 |     (testing "response fields"
 30 |       (let [handler (constantly
 31 |                      (-> (response "hello")
 32 |                          (content-type "text/plain")))
 33 |             resp    ((wrap-frame-options handler :deny)
 34 |                      (request :get "/"))]
 35 |         (is (= resp {:status  200
 36 |                      :headers {"X-Frame-Options" "DENY"
 37 |                                "Content-Type" "text/plain"}
 38 |                      :body    "hello"}))))
 39 | 
 40 |     (testing "nil response"
 41 |       (let [handler (wrap-frame-options (constantly nil) :deny)]
 42 |         (is (nil? (handler (request :get "/"))))))))
 43 | 
 44 | (deftest test-frame-options-response
 45 |   (testing "deny"
 46 |     (is (= (frame-options-response (response "hello") :deny)
 47 |            {:status 200, :headers {"X-Frame-Options" "DENY"}, :body "hello"})))
 48 | 
 49 |   (testing "nil response"
 50 |     (is (nil? (frame-options-response nil :deny)))))
 51 | 
 52 | (deftest test-wrap-frame-options-cps
 53 |   (testing "deny"
 54 |     (let [handler (-> (fn [_ respond _] (respond (response "hello")))
 55 |                       (wrap-frame-options :deny))
 56 |           resp    (promise)
 57 |           ex      (promise)]
 58 |       (handler (request :get "/") resp ex)
 59 |       (is (not (realized? ex)))
 60 |       (is (= (:headers @resp) {"X-Frame-Options" "DENY"}))))
 61 | 
 62 |   (testing "nil response"
 63 |     (let [handler (-> (fn [_ respond _] (respond nil))
 64 |                       (wrap-frame-options :deny))
 65 |           resp    (promise)
 66 |           ex      (promise)]
 67 |       (handler (request :get "/") resp ex)
 68 |       (is (not (realized? ex)))
 69 |       (is (nil? @resp)))))
 70 | 
 71 | (deftest test-wrap-content-type-options
 72 |   (let [handle-hello (constantly (-> (response "hello") (content-type "text/plain")))]
 73 |     (testing "nosniff"
 74 |       (let [handler (wrap-content-type-options handle-hello :nosniff)
 75 |             resp    (handler (request :get "/"))]
 76 |         (is (= resp {:status  200
 77 |                      :headers {"X-Content-Type-Options" "nosniff"
 78 |                                "Content-Type" "text/plain"}
 79 |                      :body    "hello"}))))
 80 | 
 81 |     (testing "bad arguments"
 82 |       (is (thrown? AssertionError (wrap-content-type-options handle-hello :foo))))
 83 | 
 84 |     (testing "nil response"
 85 |       (let [handler (wrap-content-type-options (constantly nil) :nosniff)]
 86 |         (is (nil? (handler (request :get "/"))))))))
 87 | 
 88 | (deftest test-content-type-options-response
 89 |   (testing "nosniff"
 90 |     (is (= (content-type-options-response
 91 |             (-> (response "hello") (content-type "text/plain"))
 92 |             :nosniff)
 93 |            {:status  200
 94 |             :headers {"X-Content-Type-Options" "nosniff"
 95 |                       "Content-Type" "text/plain"}
 96 |             :body    "hello"})))
 97 | 
 98 |   (testing "nil response"
 99 |     (is (nil? (content-type-options-response nil :nosniff)))))
100 | 
101 | (deftest test-wrap-content-type-options-cps
102 |   (testing "nosniff"
103 |     (let [handler (-> (fn [_ respond _]
104 |                         (respond (-> (response "hello") (content-type "text/plain"))))
105 |                       (wrap-content-type-options :nosniff))
106 |           resp    (promise)
107 |           ex      (promise)]
108 |       (handler (request :get "/") resp ex)
109 |       (is (not (realized? ex)))
110 |       (is (= @resp {:status  200
111 |                     :headers {"X-Content-Type-Options" "nosniff"
112 |                               "Content-Type" "text/plain"}
113 |                     :body    "hello"}))))
114 | 
115 |   (testing "nil response"
116 |     (let [handler (-> (fn [_ respond _] (respond nil))
117 |                       (wrap-content-type-options :nosniff))
118 |           resp    (promise)
119 |           ex      (promise)]
120 |       (handler (request :get "/") resp ex)
121 |       (is (not (realized? ex)))
122 |       (is (nil? @resp)))))
123 | 
124 | (deftest test-wrap-xss-protection
125 |   (let [handle-hello (constantly (response "hello"))]
126 |     (testing "enable"
127 |       (let [handler (wrap-xss-protection handle-hello true)
128 |             resp    (handler (request :get "/"))]
129 |         (is (= (:headers resp) {"X-XSS-Protection" "1"}))))
130 | 
131 |     (testing "disable"
132 |       (let [handler (wrap-xss-protection handle-hello false)
133 |             resp    (handler (request :get "/"))]
134 |         (is (= (:headers resp) {"X-XSS-Protection" "0"}))))
135 | 
136 |     (testing "enable with block"
137 |       (let [handler (constantly
138 |                      (-> (response "hello")
139 |                          (content-type "text/plain")))
140 |             resp    ((wrap-xss-protection handler true {:mode :block})
141 |                      (request :get "/"))]
142 |         (is (= resp {:status  200
143 |                      :headers {"X-XSS-Protection" "1; mode=block"
144 |                                "Content-Type" "text/plain"}
145 |                      :body    "hello"}))))
146 | 
147 |     (testing "bad arguments"
148 |       (is (thrown? AssertionError
149 |                    (wrap-xss-protection handle-hello true {:mode :blob}))))
150 | 
151 |     (testing "nil response"
152 |       (let [handler (wrap-xss-protection (constantly nil) true)]
153 |         (is (nil? (handler (request :get "/"))))))))
154 | 
155 | (deftest test-xss-protection-response
156 |   (testing "enable"
157 |     (is (= (xss-protection-response (response "hello") :deny)
158 |            {:status 200, :headers {"X-XSS-Protection" "1"}, :body "hello"})))
159 | 
160 |   (testing "nil response"
161 |     (is (nil? (frame-options-response nil :deny)))))
162 | 
163 | (deftest test-wrap-xss-protection-cps
164 |   (testing "nosniff"
165 |     (let [handler (-> (fn [_ respond _] (respond (response "hello")))
166 |                       (wrap-xss-protection true))
167 |           resp    (promise)
168 |           ex      (promise)]
169 |       (handler (request :get "/") resp ex)
170 |       (is (not (realized? ex)))
171 |       (is (= (:headers @resp) {"X-XSS-Protection" "1"}))))
172 | 
173 |   (testing "nil response"
174 |     (let [handler (-> (fn [_ respond _] (respond nil))
175 |                       (wrap-xss-protection true))
176 |           resp    (promise)
177 |           ex      (promise)]
178 |       (handler (request :get "/") resp ex)
179 |       (is (not (realized? ex)))
180 |       (is (nil? @resp)))))
181 | 


--------------------------------------------------------------------------------