discourse/spec/integration/content_security_policy_spec.rb
David Taylor 19814c5e81
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180)
- Define the CSP based on the requested domain / scheme (respecting force_https)
- Update EnforceHostname middleware to allow secondary domains, add specs
- Add URL scheme to anon cache key so that CSP headers are cached correctly
2020-03-19 19:54:42 +00:00

59 lines
1.8 KiB
Ruby

# frozen_string_literal: true
require 'rails_helper'
describe 'content security policy integration' do
it "adds the csp headers correctly" do
SiteSetting.content_security_policy = false
get "/"
expect(response.headers["Content-Security-Policy"]).to eq(nil)
SiteSetting.content_security_policy = true
get "/"
expect(response.headers["Content-Security-Policy"]).to be_present
end
context "with different hostnames" do
before do
SiteSetting.content_security_policy = true
RailsMultisite::ConnectionManagement.stubs(:current_db_hostnames).returns(['primary.example.com', 'secondary.example.com'])
RailsMultisite::ConnectionManagement.stubs(:current_hostname).returns('primary.example.com')
end
it "works with the primary domain" do
host! "primary.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com")
end
it "works with the secondary domain" do
host! "secondary.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://secondary.example.com")
end
it "uses the primary domain for unknown hosts" do
host! "unknown.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com")
end
end
context "with different protocols" do
it "forces https when the site setting is enabled" do
SiteSetting.force_https = true
get "/"
expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost")
end
it "uses https when the site setting is disabled, but request is ssl" do
SiteSetting.force_https = false
https!
get "/"
expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost")
end
end
end