discourse/spec/lib/content_security_policy_spe...

require 'rails_helper'

describe ContentSecurityPolicy do
  describe 'report-uri' do
    it 'is enabled by SiteSetting' do
      SiteSetting.content_security_policy_collect_reports = true
      report_uri = parse(ContentSecurityPolicy.new.build)['report-uri'].first
      expect(report_uri).to eq('/csp_reports')

      SiteSetting.content_security_policy_collect_reports = false
      report_uri = parse(ContentSecurityPolicy.new.build)['report-uri']
      expect(report_uri).to eq(nil)
    end
  end

  describe 'worker-src' do
    it 'always has self and blob' do
      worker_srcs = parse(ContentSecurityPolicy.new.build)['worker-src']
      expect(worker_srcs).to eq(%w[
        'self'
        blob:
      ])
    end
  end

  describe 'script-src' do
    it 'always has self, logster, sidekiq, and assets' do
      script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
      expect(script_srcs).to eq(%w[
        'unsafe-eval'
        http://test.localhost/logs/
        http://test.localhost/sidekiq/
        http://test.localhost/mini-profiler-resources/
        http://test.localhost/assets/
        http://test.localhost/brotli_asset/
        http://test.localhost/extra-locales/
        http://test.localhost/highlight-js/
        http://test.localhost/javascripts/
        http://test.localhost/plugins/
        http://test.localhost/theme-javascripts/
        http://test.localhost/svg-sprite/
      ])
    end

    it 'whitelists Google Analytics and Tag Manager when integrated' do
      SiteSetting.ga_universal_tracking_code = 'UA-12345678-9'
      SiteSetting.gtm_container_id = 'GTM-ABCDEF'

      script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
      expect(script_srcs).to include('https://www.google-analytics.com')
      expect(script_srcs).to include('https://www.googletagmanager.com')
    end

    it 'whitelists CDN assets when integrated' do
      set_cdn_url('https://cdn.com')

      script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
      expect(script_srcs).to include(*%w[
        https://cdn.com/assets/
        https://cdn.com/brotli_asset/
        https://cdn.com/highlight-js/
        https://cdn.com/javascripts/
        https://cdn.com/plugins/
        https://cdn.com/theme-javascripts/
        http://test.localhost/extra-locales/
      ])

      global_setting(:s3_cdn_url, 'https://s3-cdn.com')

      script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
      expect(script_srcs).to include(*%w[
        https://s3-cdn.com/assets/
        https://s3-cdn.com/brotli_asset/
        https://cdn.com/highlight-js/
        https://cdn.com/javascripts/
        https://cdn.com/plugins/
        https://cdn.com/theme-javascripts/
        http://test.localhost/extra-locales/
      ])
    end

    it 'can be extended with more sources' do
      SiteSetting.content_security_policy_script_src = 'example.com|another.com'
      script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
      expect(script_srcs).to include('example.com')
      expect(script_srcs).to include('another.com')
      expect(script_srcs).to include("'unsafe-eval'")
    end
  end

  def parse(csp_string)
    csp_string.split(';').map do |policy|
      directive, *sources = policy.split
      [directive, sources]
    end.to_h
  end
end
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`require 'rails_helper'`

			`describe ContentSecurityPolicy do`
			`describe 'report-uri' do`
			`it 'is enabled by SiteSetting' do`
			`SiteSetting.content_security_policy_collect_reports = true`
			`report_uri = parse(ContentSecurityPolicy.new.build)['report-uri'].first`
			`expect(report_uri).to eq('/csp_reports')`

			`SiteSetting.content_security_policy_collect_reports = false`
			`report_uri = parse(ContentSecurityPolicy.new.build)['report-uri']`
			`expect(report_uri).to eq(nil)`
			`end`
			`end`

include '/plugins/' directory for script-src and blob for worker-src - plugins may include additional static JS assets - ACE.js editor register a service worker with a blob for syntax checking 2018-11-16 16:25:21 -05:00			`describe 'worker-src' do`
			`it 'always has self and blob' do`
			`worker_srcs = parse(ContentSecurityPolicy.new.build)['worker-src']`
			`expect(worker_srcs).to eq(%w[`
			`'self'`
			`blob:`
			`])`
			`end`
			`end`

			`describe 'script-src' do`
			`it 'always has self, logster, sidekiq, and assets' do`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']`
CSP: drop 'self' in `script-src` (#6611) 2018-11-15 12:14:16 -05:00			`expect(script_srcs).to eq(%w[`
			`'unsafe-eval'`
			`http://test.localhost/logs/`
			`http://test.localhost/sidekiq/`
			`http://test.localhost/mini-profiler-resources/`
			`http://test.localhost/assets/`
			`http://test.localhost/brotli_asset/`
			`http://test.localhost/extra-locales/`
			`http://test.localhost/highlight-js/`
			`http://test.localhost/javascripts/`
include '/plugins/' directory for script-src and blob for worker-src - plugins may include additional static JS assets - ACE.js editor register a service worker with a blob for syntax checking 2018-11-16 16:25:21 -05:00			`http://test.localhost/plugins/`
CSP: drop 'self' in `script-src` (#6611) 2018-11-15 12:14:16 -05:00			`http://test.localhost/theme-javascripts/`
Upgrade to FontAwesome 5 (take two) (#6673) * Add missing icons to set * Revert FA5 revert This reverts commit 42572ff * use new SVG syntax in locales * Noscript page changes (remove login button, center "powered by" footer text) * Cast wider net for SVG icons in settings - include any _icon setting for SVG registry (offers better support for plugin settings) - let themes store multiple pipe-delimited icons in a setting - also replaces broken onebox image icon with SVG reference in cooked post processor * interpolate icons in locales * Fix composer whisper icon alignment * Add support for stacked icons * SECURITY: enforce hostname to match discourse hostname This ensures that the hostname rails uses for various helpers always matches the Discourse hostname * load SVG sprite with pre-initializers * FIX: enable caching on SVG sprites * PERF: use JSONP for SVG sprites so they are served from CDN This avoids needing to deal with CORS for loading of the SVG Note, added the svg- prefix to the filename so we can quickly tell in dev tools what the file is * Add missing SVG sprite JSONP script to CSP * Upgrade to FA 5.5.0 * Add support for all FA4.7 icons - adds complete frontend and backend for renamed FA4.7 icons - improves performance of SvgSprite.bundle and SvgSprite.all_icons * Fix group avatar flair preview - adds an endpoint at /svg-sprites/search/:keyword - adds frontend ajax call that pulls icon in avatar flair preview even when it is not in subset * Remove FA 4.7 font files 2018-11-26 16:49:57 -05:00			`http://test.localhost/svg-sprite/`
CSP: drop 'self' in `script-src` (#6611) 2018-11-15 12:14:16 -05:00			`])`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`end`

			`it 'whitelists Google Analytics and Tag Manager when integrated' do`
			`SiteSetting.ga_universal_tracking_code = 'UA-12345678-9'`
			`SiteSetting.gtm_container_id = 'GTM-ABCDEF'`

			`script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']`
CSP: drop 'self' in `script-src` (#6611) 2018-11-15 12:14:16 -05:00			`expect(script_srcs).to include('https://www.google-analytics.com')`
			`expect(script_srcs).to include('https://www.googletagmanager.com')`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`end`

CSP: drop 'self' in `script-src` (#6611) 2018-11-15 12:14:16 -05:00			`it 'whitelists CDN assets when integrated' do`
			`set_cdn_url('https://cdn.com')`

			`script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']`
			`expect(script_srcs).to include(*%w[`
			`https://cdn.com/assets/`
			`https://cdn.com/brotli_asset/`
			`https://cdn.com/highlight-js/`
			`https://cdn.com/javascripts/`
include '/plugins/' directory for script-src and blob for worker-src - plugins may include additional static JS assets - ACE.js editor register a service worker with a blob for syntax checking 2018-11-16 16:25:21 -05:00			`https://cdn.com/plugins/`
CSP: drop 'self' in `script-src` (#6611) 2018-11-15 12:14:16 -05:00			`https://cdn.com/theme-javascripts/`
			`http://test.localhost/extra-locales/`
			`])`

			`global_setting(:s3_cdn_url, 'https://s3-cdn.com')`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00
			`script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']`
CSP: drop 'self' in `script-src` (#6611) 2018-11-15 12:14:16 -05:00			`expect(script_srcs).to include(*%w[`
			`https://s3-cdn.com/assets/`
			`https://s3-cdn.com/brotli_asset/`
			`https://cdn.com/highlight-js/`
			`https://cdn.com/javascripts/`
include '/plugins/' directory for script-src and blob for worker-src - plugins may include additional static JS assets - ACE.js editor register a service worker with a blob for syntax checking 2018-11-16 16:25:21 -05:00			`https://cdn.com/plugins/`
CSP: drop 'self' in `script-src` (#6611) 2018-11-15 12:14:16 -05:00			`https://cdn.com/theme-javascripts/`
			`http://test.localhost/extra-locales/`
			`])`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`end`

			`it 'can be extended with more sources' do`
			`SiteSetting.content_security_policy_script_src = 'example.com\|another.com'`
			`script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']`
			`expect(script_srcs).to include('example.com')`
			`expect(script_srcs).to include('another.com')`
			`expect(script_srcs).to include("'unsafe-eval'")`
			`end`
			`end`

			`def parse(csp_string)`
			`csp_string.split(';').map do \|policy\|`
			`directive, *sources = policy.split`
			`[directive, sources]`
			`end.to_h`
			`end`
			`end`