Merge pull request #27 from EvanHahn/fallback-referrer-policies

0xTim · web-flow · commit 732edf8579a7 · 2022-05-31T11:06:12.000+01:00
Add support for fallback referrer policies
diff --git a/README.md b/README.md
@@ -456,3 +456,15 @@ let securityHeadersFactory = SecurityHeadersFactory().with(referrerPolicy: refer
 ```http
 referrer-policy: no-referrer
 ```
+
+You can also [set a fallback policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#specify_a_fallback_policy).
+
+```swift
+let referrerPolicyConfig = ReferrerPolicyConfiguration([.noReferrer, .strictOriginWhenCrossOrigin])
+
+let securityHeadersFactory = SecurityHeadersFactory().with(referrerPolicy: referrerPolicyConfig)
+```
+
+```http
+referrer-policy: no-referrer, strict-origin-when-cross-origin
+```
diff --git a/Sources/VaporSecurityHeaders/Configurations/ReferrerPolicyConfiguration.swift b/Sources/VaporSecurityHeaders/Configurations/ReferrerPolicyConfiguration.swift
@@ -2,7 +2,7 @@ import Vapor
 
 public struct ReferrerPolicyConfiguration: SecurityHeaderConfiguration {
 
-    public enum Options: String {
+    public enum Directive: String {
         case empty = ""
         case noReferrer = "no-referrer"
         case noReferrerWhenDowngrade = "no-referrer-when-downgrade"
@@ -14,13 +14,17 @@ public struct ReferrerPolicyConfiguration: SecurityHeaderConfiguration {
         case unsafeUrl = "unsafe-url"
     }
 
-    private let option: Options
+    private let directives: [Directive]
 
-    public init(_ option: Options) {
-        self.option = option
+    public init(_ directive: Directive) {
+        self.directives = [directive]
+    }
+
+    public init(_ directives: [Directive]) {
+        self.directives = directives
     }
 
     func setHeader(on response: Response, from request: Request) {
-        response.headers.replaceOrAdd(name: .referrerPolicy, value: option.rawValue)
+        response.headers.replaceOrAdd(name: .referrerPolicy, value: directives.map({ $0.rawValue }).joined(separator: ", "))
     }
 }
diff --git a/Tests/VaporSecurityHeadersTests/HeaderTests.swift b/Tests/VaporSecurityHeadersTests/HeaderTests.swift
@@ -433,6 +433,14 @@ class HeaderTests: XCTestCase {
         XCTAssertEqual(expected, response.headers[.referrerPolicy].first)
     }
 
+    func testHeadersWithReferrerPolicyFallbacks() throws {
+        let expected = "no-referrer, strict-origin-when-cross-origin"
+        let referrerConfig = ReferrerPolicyConfiguration([.noReferrer, .strictOriginWhenCrossOrigin])
+        let factory = SecurityHeadersFactory().with(referrerPolicy: referrerConfig)
+        let response = try makeTestResponse(for: request, securityHeadersToAdd: factory)
+        XCTAssertEqual(expected, response.headers[.referrerPolicy].first)
+    }
+
     func testApiPolicyWithAddedReferrerPolicy() throws {
         let expected = "strict-origin"
         let referrerConfig = ReferrerPolicyConfiguration(.strictOrigin)
