discourse/spec/lib/content_security_policy_spec.rb
Kyle Zhao 962fbd1ec7 include '/plugins/' directory for script-src and blob for worker-src
- plugins may include additional static JS assets
- ACE.js editor register a service worker with a blob for syntax
checking
2018-11-16 16:31:01 -05:00

97 lines
3.2 KiB
Ruby

require 'rails_helper'
describe ContentSecurityPolicy do
describe 'report-uri' do
it 'is enabled by SiteSetting' do
SiteSetting.content_security_policy_collect_reports = true
report_uri = parse(ContentSecurityPolicy.new.build)['report-uri'].first
expect(report_uri).to eq('/csp_reports')
SiteSetting.content_security_policy_collect_reports = false
report_uri = parse(ContentSecurityPolicy.new.build)['report-uri']
expect(report_uri).to eq(nil)
end
end
describe 'worker-src' do
it 'always has self and blob' do
worker_srcs = parse(ContentSecurityPolicy.new.build)['worker-src']
expect(worker_srcs).to eq(%w[
'self'
blob:
])
end
end
describe 'script-src' do
it 'always has self, logster, sidekiq, and assets' do
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
expect(script_srcs).to eq(%w[
'unsafe-eval'
http://test.localhost/logs/
http://test.localhost/sidekiq/
http://test.localhost/mini-profiler-resources/
http://test.localhost/assets/
http://test.localhost/brotli_asset/
http://test.localhost/extra-locales/
http://test.localhost/highlight-js/
http://test.localhost/javascripts/
http://test.localhost/plugins/
http://test.localhost/theme-javascripts/
])
end
it 'whitelists Google Analytics and Tag Manager when integrated' do
SiteSetting.ga_universal_tracking_code = 'UA-12345678-9'
SiteSetting.gtm_container_id = 'GTM-ABCDEF'
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
expect(script_srcs).to include('https://www.google-analytics.com')
expect(script_srcs).to include('https://www.googletagmanager.com')
end
it 'whitelists CDN assets when integrated' do
set_cdn_url('https://cdn.com')
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
expect(script_srcs).to include(*%w[
https://cdn.com/assets/
https://cdn.com/brotli_asset/
https://cdn.com/highlight-js/
https://cdn.com/javascripts/
https://cdn.com/plugins/
https://cdn.com/theme-javascripts/
http://test.localhost/extra-locales/
])
global_setting(:s3_cdn_url, 'https://s3-cdn.com')
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
expect(script_srcs).to include(*%w[
https://s3-cdn.com/assets/
https://s3-cdn.com/brotli_asset/
https://cdn.com/highlight-js/
https://cdn.com/javascripts/
https://cdn.com/plugins/
https://cdn.com/theme-javascripts/
http://test.localhost/extra-locales/
])
end
it 'can be extended with more sources' do
SiteSetting.content_security_policy_script_src = 'example.com|another.com'
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
expect(script_srcs).to include('example.com')
expect(script_srcs).to include('another.com')
expect(script_srcs).to include("'unsafe-eval'")
end
end
def parse(csp_string)
csp_string.split(';').map do |policy|
directive, *sources = policy.split
[directive, sources]
end.to_h
end
end