Add 'X-DNS-Prefetch-Control' header to helmet.

lionelg3 · SergioBenitez · SergioBenitez · commit b38753eaf806 · 2020-06-04T17:54:28.000-07:00
Co-authored-by: Sergio Benitez &lt;sb@sergio.bz&gt;
diff --git a/contrib/lib/src/helmet/mod.rs b/contrib/lib/src/helmet/mod.rs
@@ -23,14 +23,15 @@
 //!
 //! # Supported Headers
 //!
-//! | HTTP Header                 | Description                            | Policy       | Default? |
-//! | --------------------------- | -------------------------------------- | ------------ | -------- |
-//! | [X-XSS-Protection]          | Prevents some reflected XSS attacks.   | [`XssFilter`]      | ✔        |
-//! | [X-Content-Type-Options]    | Prevents client sniffing of MIME type. | [`NoSniff`]  | ✔        |
-//! | [X-Frame-Options]           | Prevents [clickjacking].               | [`Frame`]    | ✔        |
-//! | [Strict-Transport-Security] | Enforces strict use of HTTPS.          | [`Hsts`]     | ?        |
-//! | [Expect-CT]                 | Enables certificate transparency.      | [`ExpectCt`] | ✗        |
-//! | [Referrer-Policy]           | Enables referrer policy.               | [`Referrer`] | ✗        |
+//! | HTTP Header                 | Description                            | Policy        | Default? |
+//! | --------------------------- | -------------------------------------- | ------------- | -------- |
+//! | [X-XSS-Protection]          | Prevents some reflected XSS attacks.   | [`XssFilter`] | ✔        |
+//! | [X-Content-Type-Options]    | Prevents client sniffing of MIME type. | [`NoSniff`]   | ✔        |
+//! | [X-Frame-Options]           | Prevents [clickjacking].               | [`Frame`]     | ✔        |
+//! | [Strict-Transport-Security] | Enforces strict use of HTTPS.          | [`Hsts`]      | ?        |
+//! | [Expect-CT]                 | Enables certificate transparency.      | [`ExpectCt`]  | ✗        |
+//! | [Referrer-Policy]           | Enables referrer policy.               | [`Referrer`]  | ✗        |
+//! | [X-DNS-Prefetch-Control]    | Controls browser DNS prefetching.      | [`Prefetch`]  | ✗        |
 //!
 //! <small>? If TLS is enabled when the application is launched, in a
 //! non-development environment (e.g., staging or production), HSTS is
@@ -43,6 +44,7 @@
 //! [Strict-Transport-Security]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 //! [Expect-CT]:  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
 //! [Referrer-Policy]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+//! [X-DNS-Prefetch-Control]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
 //! [clickjacking]: https://en.wikipedia.org/wiki/Clickjacking
 //!
 //! [`XssFilter`]: helmet::XssFilter
@@ -51,6 +53,7 @@
 //! [`Hsts`]: helmet::Hsts
 //! [`ExpectCt`]: helmet::ExpectCt
 //! [`Referrer`]: helmet::Referrer
+//! [`Prefetch`]: helmet::Prefetch
 //!
 //! # Usage
 //!
diff --git a/contrib/lib/src/helmet/policy.rs b/contrib/lib/src/helmet/policy.rs
@@ -90,12 +90,14 @@ macro_rules! impl_policy {
     )
 }
 
+// Keep this in-sync with the top-level module docs.
 impl_policy!(XssFilter, "X-XSS-Protection");
 impl_policy!(NoSniff, "X-Content-Type-Options");
 impl_policy!(Frame, "X-Frame-Options");
 impl_policy!(Hsts, "Strict-Transport-Security");
 impl_policy!(ExpectCt, "Expect-CT");
 impl_policy!(Referrer, "Referrer-Policy");
+impl_policy!(Prefetch, "X-DNS-Prefetch-Control");
 
 /// The [Referrer-Policy] header: controls the value set by the browser for the
 /// [Referer] header.
@@ -399,3 +401,36 @@ impl Into<Header<'static>> for &XssFilter {
         Header::new(XssFilter::NAME, policy_string)
     }
 }
+
+/// The [X-DNS-Prefetch-Control] header: controls browser DNS prefetching.
+///
+/// Tells the browser if it should perform domain name resolution on both links
+/// that the user may choose to follow as well as URLs for items referenced by
+/// the document including images, CSS, JavaScript, and so forth. Disabling
+/// prefetching is useful if you don't control the link on the pages, or know
+/// that you don't want to leak information to these domains.
+///
+/// [X-DNS-Prefetch-Control]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
+pub enum Prefetch {
+    /// Enables DNS prefetching. This is the browser default.
+    On,
+    /// Disables DNS prefetching. This is the helmet policy default.
+    Off,
+}
+
+impl Default for Prefetch {
+    fn default() -> Prefetch {
+        Prefetch::Off
+    }
+}
+
+impl Into<Header<'static>> for &Prefetch {
+    fn into(self) -> Header<'static> {
+        let policy_string = match self {
+            Prefetch::On => "on",
+            Prefetch::Off => "off",
+        };
+
+        Header::new(Prefetch::NAME, policy_string)
+    }
+}
diff --git a/contrib/lib/tests/helmet.rs b/contrib/lib/tests/helmet.rs
@@ -130,4 +130,22 @@ mod helmet_tests {
                 "max-age=30, enforce, report-uri=\"https://www.google.com\"");
         });
     }
+
+    #[test]
+    fn prefetch_test() {
+        let helmet = SpaceHelmet::default().enable(Prefetch::default());
+        dispatch!(helmet, |response: LocalResponse<'_>| {
+            assert_header!(response, "X-DNS-Prefetch-Control", "off");
+        });
+
+        let helmet = SpaceHelmet::default().enable(Prefetch::Off);
+        dispatch!(helmet, |response: LocalResponse<'_>| {
+            assert_header!(response, "X-DNS-Prefetch-Control", "off");
+        });
+
+        let helmet = SpaceHelmet::default().enable(Prefetch::On);
+        dispatch!(helmet, |response: LocalResponse<'_>| {
+            assert_header!(response, "X-DNS-Prefetch-Control", "on");
+        });
+    }
 }
