github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 07:21:54 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
discourse/spec/system/content_security_policy_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

56 lines
1.5 KiB
Ruby
Raw Normal View History

FEATURE: Add experimental option for strict-dynamic CSP (#25664) The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction. This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts. All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags. This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
# frozen_string_literal: true
describe "Content security policy", type: :system do
FIX: invalid CSP directive sources should allow site to boot with valid CSP directives (#31256) [Security patch](https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542) (for this [CVE](https://nvd.nist.gov/vuln/detail/CVE-2024-54133)) from rails actionpack was backported from [Rails 8.0.0.1](https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md#rails-8001-december-10-2024) to previous stable versions including `7-1-stable` / `7-2-stable`. Any previous version of Discourse upgrading to v3.4.0.beta3 and above would have observed their sites crashing if they had invalid sources in their CSP directive extensions. This fix removes such invalid sources during our build of the CSP, and logs these at a warning level so devs are able to find out why their CSP sources were filtered out of the extendable directives.
2025-02-10 20:38:36 +08:00
let(:plugin_class) do
Class.new(Plugin::Instance) do
attr_accessor :enabled
def enabled?
@enabled
end
end
end
it "can boot the application in strict_dynamic mode even with invalid directives from CSP extensions" do
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
plugin.activate!
Discourse.plugins << plugin
FEATURE: Add experimental option for strict-dynamic CSP (#25664) The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction. This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts. All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags. This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
FIX: invalid CSP directive sources should allow site to boot with valid CSP directives (#31256) [Security patch](https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542) (for this [CVE](https://nvd.nist.gov/vuln/detail/CVE-2024-54133)) from rails actionpack was backported from [Rails 8.0.0.1](https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md#rails-8001-december-10-2024) to previous stable versions including `7-1-stable` / `7-2-stable`. Any previous version of Discourse upgrading to v3.4.0.beta3 and above would have observed their sites crashing if they had invalid sources in their CSP directive extensions. This fix removes such invalid sources during our build of the CSP, and logs these at a warning level so devs are able to find out why their CSP sources were filtered out of the extendable directives.
2025-02-10 20:38:36 +08:00
plugin.enabled = true
expect(SiteSetting.content_security_policy).to eq(true)
FEATURE: Add experimental option for strict-dynamic CSP (#25664) The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction. This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts. All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags. This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
visit "/"
expect(page).to have_css("#site-logo")
FIX: invalid CSP directive sources should allow site to boot with valid CSP directives (#31256) [Security patch](https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542) (for this [CVE](https://nvd.nist.gov/vuln/detail/CVE-2024-54133)) from rails actionpack was backported from [Rails 8.0.0.1](https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md#rails-8001-december-10-2024) to previous stable versions including `7-1-stable` / `7-2-stable`. Any previous version of Discourse upgrading to v3.4.0.beta3 and above would have observed their sites crashing if they had invalid sources in their CSP directive extensions. This fix removes such invalid sources during our build of the CSP, and logs these at a warning level so devs are able to find out why their CSP sources were filtered out of the extendable directives.
2025-02-10 20:38:36 +08:00
get "/"
expect(response.headers["Content-Security-Policy"]).to include("'strict-dynamic'")
expect(response.headers["Content-Security-Policy"]).not_to include(
"'unsafe-eval' https://invalid.example.com'",
)
Discourse.plugins.delete plugin
DiscoursePluginRegistry.reset!
FEATURE: Add experimental option for strict-dynamic CSP (#25664) The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction. This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts. All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags. This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
end
FIX: Improve handling of 'PublicExceptions' when bootstrap_error_pages enabled (#26700) - Run the CSP-nonce-related middlewares on the generated response - Fix the readonly mode checking to avoid empty strings being passed (the `check_readonly_mode` before_action will not execute in the case of these re-dispatched exceptions) - Move the BlockRequestsMiddleware cookie-setting to the middleware, so that it is included even for unusual HTML responses like these exceptions
2024-04-24 09:40:13 +01:00
it "works for 'public exceptions' like RoutingError" do
expect(SiteSetting.content_security_policy).to eq(true)
SiteSetting.bootstrap_error_pages = true
get "/nonexistent"
expect(response.headers["Content-Security-Policy"]).to include("'strict-dynamic'")
visit "/nonexistent"
expect(page).not_to have_css("body.no-ember")
expect(page).to have_css("#site-logo")
end
FEATURE: Add experimental option for strict-dynamic CSP (#25664) The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction. This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts. All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags. This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
it "can boot logster in strict_dynamic mode" do
expect(SiteSetting.content_security_policy).to eq(true)
sign_in Fabricate(:admin)
visit "/logs"
expect(page).to have_css("#log-table")
end
end
Reference in New Issue Copy Permalink