discourse/spec/integration/content_security_policy_spec.rb

# frozen_string_literal: true

RSpec.describe "content security policy integration" do
  it "adds the csp headers correctly" do
    Fabricate(:admin) # to avoid 'new installation' screen

    SiteSetting.content_security_policy = false
    get "/"
    expect(response.headers["Content-Security-Policy"]).to eq(nil)

    SiteSetting.content_security_policy = true
    get "/"
    expect(response.headers["Content-Security-Policy"]).to be_present

    expect(response.headers["Content-Security-Policy"]).to match(
      /script-src 'nonce-[^']+' 'strict-dynamic';/,
    )
  end
end
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly 2020-03-19 19:54:42 +00:00			`# frozen_string_literal: true`

Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277 2022-07-28 05:27:38 +03:00			`RSpec.describe "content security policy integration" do`
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly 2020-03-19 19:54:42 +00:00			`it "adds the csp headers correctly" do`
FEATURE: Enable strict-dynamic Content-Security-Policy by default (#26051) Ref https://meta.discourse.org/t/298172 and https://meta.discourse.org/t/295603 2024-03-07 15:20:31 +00:00			`Fabricate(:admin) # to avoid 'new installation' screen`

FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly 2020-03-19 19:54:42 +00:00			`SiteSetting.content_security_policy = false`
			`get "/"`
			`expect(response.headers["Content-Security-Policy"]).to eq(nil)`

			`SiteSetting.content_security_policy = true`
			`get "/"`
			`expect(response.headers["Content-Security-Policy"]).to be_present`
FEATURE: Enable strict-dynamic Content-Security-Policy by default (#26051) Ref https://meta.discourse.org/t/298172 and https://meta.discourse.org/t/295603 2024-03-07 15:20:31 +00:00
			`expect(response.headers["Content-Security-Policy"]).to match(`
			`/script-src 'nonce-[^']+' 'strict-dynamic';/,`
			`)`
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly 2020-03-19 19:54:42 +00:00			`end`
			`end`