mirror of
https://github.com/discourse/discourse.git
synced 2024-11-29 22:33:45 +08:00
bca855f239
- Run the CSP-nonce-related middlewares on the generated response - Fix the readonly mode checking to avoid empty strings being passed (the `check_readonly_mode` before_action will not execute in the case of these re-dispatched exceptions) - Move the BlockRequestsMiddleware cookie-setting to the middleware, so that it is included even for unusual HTML responses like these exceptions
34 lines
1.0 KiB
Ruby
34 lines
1.0 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
describe "Content security policy", type: :system do
|
|
it "can boot the application in strict_dynamic mode" do
|
|
expect(SiteSetting.content_security_policy).to eq(true)
|
|
SiteSetting.content_security_policy_strict_dynamic = true
|
|
|
|
visit "/"
|
|
expect(page).to have_css("#site-logo")
|
|
end
|
|
|
|
it "works for 'public exceptions' like RoutingError" do
|
|
expect(SiteSetting.content_security_policy).to eq(true)
|
|
SiteSetting.content_security_policy_strict_dynamic = true
|
|
SiteSetting.bootstrap_error_pages = true
|
|
|
|
get "/nonexistent"
|
|
expect(response.headers["Content-Security-Policy"]).to include("'strict-dynamic'")
|
|
|
|
visit "/nonexistent"
|
|
expect(page).not_to have_css("body.no-ember")
|
|
expect(page).to have_css("#site-logo")
|
|
end
|
|
|
|
it "can boot logster in strict_dynamic mode" do
|
|
expect(SiteSetting.content_security_policy).to eq(true)
|
|
sign_in Fabricate(:admin)
|
|
SiteSetting.content_security_policy_strict_dynamic = true
|
|
|
|
visit "/logs"
|
|
expect(page).to have_css("#log-table")
|
|
end
|
|
end
|