# frozen_string_literal: true RSpec.describe "content security policy integration" do it "adds the csp headers correctly" do Fabricate(:admin) # to avoid 'new installation' screen SiteSetting.content_security_policy = false get "/" expect(response.headers["Content-Security-Policy"]).to eq(nil) SiteSetting.content_security_policy = true get "/" expect(response.headers["Content-Security-Policy"]).to be_present expect(response.headers["Content-Security-Policy"]).to match( /script-src 'nonce-[^']+' 'strict-dynamic';/, ) end context "with different hostnames - legacy" do before { SiteSetting.content_security_policy_strict_dynamic = false } before do SiteSetting.content_security_policy = true RailsMultisite::ConnectionManagement.stubs(:current_db_hostnames).returns( %w[primary.example.com secondary.example.com], ) RailsMultisite::ConnectionManagement.stubs(:current_hostname).returns("primary.example.com") end it "works with the primary domain" do host! "primary.example.com" get "/" expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com") end it "works with the secondary domain" do host! "secondary.example.com" get "/" expect(response.headers["Content-Security-Policy"]).to include("http://secondary.example.com") end it "uses the primary domain for unknown hosts" do host! "unknown.example.com" get "/" expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com") end end context "with different protocols - legacy" do before { SiteSetting.content_security_policy_strict_dynamic = false } it "forces https when the site setting is enabled" do SiteSetting.force_https = true get "/" expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost") end it "uses https when the site setting is disabled, but request is ssl" do SiteSetting.force_https = false https! get "/" expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost") end end end