discourse/spec/integration/content_security_policy_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

67 lines
2.2 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
RSpec.describe "content security policy integration" do
it "adds the csp headers correctly" do
Fabricate(:admin) # to avoid 'new installation' screen
SiteSetting.content_security_policy = false
get "/"
expect(response.headers["Content-Security-Policy"]).to eq(nil)
SiteSetting.content_security_policy = true
get "/"
expect(response.headers["Content-Security-Policy"]).to be_present
expect(response.headers["Content-Security-Policy"]).to match(
/script-src 'nonce-[^']+' 'strict-dynamic';/,
)
end
context "with different hostnames - legacy" do
before { SiteSetting.content_security_policy_strict_dynamic = false }
before do
SiteSetting.content_security_policy = true
RailsMultisite::ConnectionManagement.stubs(:current_db_hostnames).returns(
%w[primary.example.com secondary.example.com],
)
RailsMultisite::ConnectionManagement.stubs(:current_hostname).returns("primary.example.com")
end
it "works with the primary domain" do
host! "primary.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com")
end
it "works with the secondary domain" do
host! "secondary.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://secondary.example.com")
end
it "uses the primary domain for unknown hosts" do
host! "unknown.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com")
end
end
context "with different protocols - legacy" do
before { SiteSetting.content_security_policy_strict_dynamic = false }
it "forces https when the site setting is enabled" do
SiteSetting.force_https = true
get "/"
expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost")
end
it "uses https when the site setting is disabled, but request is ssl" do
SiteSetting.force_https = false
https!
get "/"
expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost")
end
end
end