github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-26 17:53:44 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
52a4912475
discourse/spec/system/content_security_policy_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

21 lines
603 B
Ruby
Raw Normal View History

FEATURE: Add experimental option for strict-dynamic CSP (#25664) The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction. This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts. All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags. This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 19:16:54 +08:00
# frozen_string_literal: true
describe "Content security policy", type: :system do
it "can boot the application in strict_dynamic mode" do
expect(SiteSetting.content_security_policy).to eq(true)
SiteSetting.content_security_policy_strict_dynamic = true
visit "/"
expect(page).to have_css("#site-logo")
end
it "can boot logster in strict_dynamic mode" do
expect(SiteSetting.content_security_policy).to eq(true)
sign_in Fabricate(:admin)
SiteSetting.content_security_policy_strict_dynamic = true
visit "/logs"
expect(page).to have_css("#log-table")
end
end
Reference in New Issue Copy Permalink