2018-11-30 09:51:45 -05:00
|
|
|
# frozen_string_literal: true
|
2022-07-27 22:27:38 -04:00
|
|
|
RSpec.describe ContentSecurityPolicy do
|
2019-09-20 08:32:43 -04:00
|
|
|
after { DiscoursePluginRegistry.reset! }
|
|
|
|
|
2018-10-22 13:22:23 -04:00
|
|
|
describe "report-uri" do
|
|
|
|
it "is enabled by SiteSetting" do
|
|
|
|
SiteSetting.content_security_policy_collect_reports = true
|
2018-11-30 09:51:45 -05:00
|
|
|
report_uri = parse(policy)["report-uri"].first
|
|
|
|
expect(report_uri).to eq("http://test.localhost/csp_reports")
|
2018-10-22 13:22:23 -04:00
|
|
|
|
|
|
|
SiteSetting.content_security_policy_collect_reports = false
|
2018-11-30 09:51:45 -05:00
|
|
|
report_uri = parse(policy)["report-uri"]
|
2018-10-22 13:22:23 -04:00
|
|
|
expect(report_uri).to eq(nil)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-01-09 15:04:50 -05:00
|
|
|
describe "base-uri" do
|
2021-07-07 09:43:48 -04:00
|
|
|
it "is set to self" do
|
2019-01-09 15:04:50 -05:00
|
|
|
base_uri = parse(policy)["base-uri"]
|
2021-07-07 09:43:48 -04:00
|
|
|
expect(base_uri).to eq(["'self'"])
|
2019-01-09 15:04:50 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe "object-src" do
|
|
|
|
it "is set to none" do
|
|
|
|
object_srcs = parse(policy)["object-src"]
|
|
|
|
expect(object_srcs).to eq(["'none'"])
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-06-09 20:53:10 -04:00
|
|
|
describe "upgrade-insecure-requests" do
|
|
|
|
it "is not included when force_https is off" do
|
|
|
|
SiteSetting.force_https = false
|
|
|
|
expect(parse(policy)["upgrade-insecure-requests"]).to eq(nil)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "is included when force_https is on" do
|
|
|
|
SiteSetting.force_https = true
|
|
|
|
expect(parse(policy)["upgrade-insecure-requests"]).to eq([])
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2024-03-07 10:20:31 -05:00
|
|
|
describe "legacy worker-src" do
|
|
|
|
before { SiteSetting.content_security_policy_strict_dynamic = false }
|
2020-08-14 09:11:28 -04:00
|
|
|
it "has expected values" do
|
2018-11-30 09:51:45 -05:00
|
|
|
worker_srcs = parse(policy)["worker-src"]
|
2018-11-16 16:25:21 -05:00
|
|
|
expect(worker_srcs).to eq(
|
|
|
|
%w[
|
2020-08-14 09:11:28 -04:00
|
|
|
'self'
|
2020-08-14 07:30:39 -04:00
|
|
|
http://test.localhost/assets/
|
|
|
|
http://test.localhost/javascripts/
|
|
|
|
http://test.localhost/plugins/
|
2018-11-16 16:25:21 -05:00
|
|
|
],
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2024-03-07 10:20:31 -05:00
|
|
|
describe "legacy script-src" do
|
|
|
|
before { SiteSetting.content_security_policy_strict_dynamic = false }
|
2018-11-16 16:25:21 -05:00
|
|
|
it "always has self, logster, sidekiq, and assets" do
|
2018-11-30 09:51:45 -05:00
|
|
|
script_srcs = parse(policy)["script-src"]
|
|
|
|
expect(script_srcs).to include(
|
|
|
|
*%w[
|
2018-11-15 12:14:16 -05:00
|
|
|
http://test.localhost/logs/
|
|
|
|
http://test.localhost/sidekiq/
|
|
|
|
http://test.localhost/mini-profiler-resources/
|
|
|
|
http://test.localhost/assets/
|
|
|
|
http://test.localhost/extra-locales/
|
|
|
|
http://test.localhost/highlight-js/
|
|
|
|
http://test.localhost/javascripts/
|
2018-11-16 16:25:21 -05:00
|
|
|
http://test.localhost/plugins/
|
2018-11-15 12:14:16 -05:00
|
|
|
http://test.localhost/theme-javascripts/
|
2018-11-26 16:49:57 -05:00
|
|
|
http://test.localhost/svg-sprite/
|
2018-11-15 12:14:16 -05:00
|
|
|
],
|
|
|
|
)
|
2018-10-22 13:22:23 -04:00
|
|
|
end
|
|
|
|
|
2020-04-02 11:16:38 -04:00
|
|
|
it 'includes "report-sample" when report collection is enabled' do
|
|
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
script_srcs = parse(policy)["script-src"]
|
|
|
|
expect(script_srcs).to include("'report-sample'")
|
|
|
|
end
|
|
|
|
|
2020-11-06 15:15:36 -05:00
|
|
|
context "for Google Analytics" do
|
|
|
|
before { SiteSetting.ga_universal_tracking_code = "UA-12345678-9" }
|
|
|
|
|
|
|
|
it "allowlists Google Analytics v3 when integrated" do
|
2023-04-04 08:14:20 -04:00
|
|
|
SiteSetting.ga_version = "v3_analytics"
|
|
|
|
|
2020-11-06 15:15:36 -05:00
|
|
|
script_srcs = parse(policy)["script-src"]
|
|
|
|
expect(script_srcs).to include("https://www.google-analytics.com/analytics.js")
|
|
|
|
expect(script_srcs).not_to include("https://www.googletagmanager.com/gtag/js")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "allowlists Google Analytics v4 when integrated" do
|
|
|
|
SiteSetting.ga_version = "v4_gtag"
|
|
|
|
|
|
|
|
script_srcs = parse(policy)["script-src"]
|
|
|
|
expect(script_srcs).to include("https://www.google-analytics.com/analytics.js")
|
|
|
|
expect(script_srcs).to include("https://www.googletagmanager.com/gtag/js")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it "allowlists Google Tag Manager when integrated" do
|
2018-10-22 13:22:23 -04:00
|
|
|
SiteSetting.gtm_container_id = "GTM-ABCDEF"
|
|
|
|
|
2018-11-30 09:51:45 -05:00
|
|
|
script_srcs = parse(policy)["script-src"]
|
2018-12-14 08:17:31 -05:00
|
|
|
expect(script_srcs).to include("https://www.googletagmanager.com/gtm.js")
|
2023-07-28 07:53:44 -04:00
|
|
|
# nonce is added by the GtmScriptNonceInjector middleware to prevent the
|
|
|
|
# nonce from getting cached by AnonymousCache
|
|
|
|
expect(script_srcs.to_s).not_to include("nonce-")
|
2018-10-22 13:22:23 -04:00
|
|
|
end
|
|
|
|
|
2020-07-26 20:23:54 -04:00
|
|
|
it "allowlists CDN assets when integrated" do
|
2018-11-15 12:14:16 -05:00
|
|
|
set_cdn_url("https://cdn.com")
|
2023-01-09 06:18:21 -05:00
|
|
|
|
2018-11-30 09:51:45 -05:00
|
|
|
script_srcs = parse(policy)["script-src"]
|
2018-11-15 12:14:16 -05:00
|
|
|
expect(script_srcs).to include(
|
|
|
|
*%w[
|
|
|
|
https://cdn.com/assets/
|
|
|
|
https://cdn.com/highlight-js/
|
|
|
|
https://cdn.com/javascripts/
|
2018-11-16 16:25:21 -05:00
|
|
|
https://cdn.com/plugins/
|
2018-11-15 12:14:16 -05:00
|
|
|
https://cdn.com/theme-javascripts/
|
|
|
|
http://test.localhost/extra-locales/
|
|
|
|
],
|
|
|
|
)
|
2023-01-09 06:18:21 -05:00
|
|
|
|
2018-11-15 12:14:16 -05:00
|
|
|
global_setting(:s3_cdn_url, "https://s3-cdn.com")
|
2023-01-09 06:18:21 -05:00
|
|
|
|
2018-11-30 09:51:45 -05:00
|
|
|
script_srcs = parse(policy)["script-src"]
|
2018-11-15 12:14:16 -05:00
|
|
|
expect(script_srcs).to include(
|
|
|
|
*%w[
|
|
|
|
https://s3-cdn.com/assets/
|
|
|
|
https://cdn.com/highlight-js/
|
|
|
|
https://cdn.com/javascripts/
|
2018-11-16 16:25:21 -05:00
|
|
|
https://cdn.com/plugins/
|
2018-11-15 12:14:16 -05:00
|
|
|
https://cdn.com/theme-javascripts/
|
|
|
|
http://test.localhost/extra-locales/
|
|
|
|
],
|
|
|
|
)
|
2023-01-09 06:18:21 -05:00
|
|
|
|
2022-12-08 05:36:20 -05:00
|
|
|
global_setting(:s3_asset_cdn_url, "https://s3-asset-cdn.com")
|
2023-01-09 06:18:21 -05:00
|
|
|
|
2022-12-08 05:36:20 -05:00
|
|
|
script_srcs = parse(policy)["script-src"]
|
|
|
|
expect(script_srcs).to include(
|
|
|
|
*%w[
|
|
|
|
https://s3-asset-cdn.com/assets/
|
|
|
|
https://cdn.com/highlight-js/
|
|
|
|
https://cdn.com/javascripts/
|
|
|
|
https://cdn.com/plugins/
|
|
|
|
https://cdn.com/theme-javascripts/
|
|
|
|
http://test.localhost/extra-locales/
|
|
|
|
],
|
|
|
|
)
|
2018-10-22 13:22:23 -04:00
|
|
|
end
|
2020-03-17 18:23:46 -04:00
|
|
|
|
|
|
|
it "adds subfolder to CDN assets" do
|
|
|
|
set_cdn_url("https://cdn.com")
|
|
|
|
set_subfolder("/forum")
|
2023-01-09 06:18:21 -05:00
|
|
|
|
2020-03-17 18:23:46 -04:00
|
|
|
script_srcs = parse(policy)["script-src"]
|
|
|
|
expect(script_srcs).to include(
|
|
|
|
*%w[
|
|
|
|
https://cdn.com/forum/assets/
|
|
|
|
https://cdn.com/forum/highlight-js/
|
|
|
|
https://cdn.com/forum/javascripts/
|
|
|
|
https://cdn.com/forum/plugins/
|
|
|
|
https://cdn.com/forum/theme-javascripts/
|
|
|
|
http://test.localhost/forum/extra-locales/
|
|
|
|
],
|
|
|
|
)
|
2023-01-09 06:18:21 -05:00
|
|
|
|
2020-03-17 18:23:46 -04:00
|
|
|
global_setting(:s3_cdn_url, "https://s3-cdn.com")
|
2023-01-09 06:18:21 -05:00
|
|
|
|
2020-03-17 18:23:46 -04:00
|
|
|
script_srcs = parse(policy)["script-src"]
|
|
|
|
expect(script_srcs).to include(
|
|
|
|
*%w[
|
|
|
|
https://s3-cdn.com/assets/
|
|
|
|
https://cdn.com/forum/highlight-js/
|
|
|
|
https://cdn.com/forum/javascripts/
|
|
|
|
https://cdn.com/forum/plugins/
|
|
|
|
https://cdn.com/forum/theme-javascripts/
|
|
|
|
http://test.localhost/forum/extra-locales/
|
|
|
|
],
|
|
|
|
)
|
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
2018-10-22 13:22:23 -04:00
|
|
|
|
2024-03-07 10:20:31 -05:00
|
|
|
describe "strict-dynamic script-src and worker-src" do
|
|
|
|
it "includes strict-dynamic keyword" do
|
|
|
|
script_srcs = parse(policy)["script-src"]
|
|
|
|
expect(script_srcs).to include("'strict-dynamic'")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "does not set worker-src" do
|
|
|
|
worker_src = parse(policy)["worker-src"]
|
|
|
|
expect(worker_src).to eq(nil)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-06-08 09:32:31 -04:00
|
|
|
describe "manifest-src" do
|
|
|
|
it "is set to self" do
|
|
|
|
expect(parse(policy)["manifest-src"]).to eq(["'self'"])
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-03-22 15:00:25 -04:00
|
|
|
describe "frame-ancestors" do
|
|
|
|
context "with content_security_policy_frame_ancestors enabled" do
|
|
|
|
before do
|
|
|
|
SiteSetting.content_security_policy_frame_ancestors = true
|
|
|
|
Fabricate(:embeddable_host, host: "https://a.org")
|
|
|
|
Fabricate(:embeddable_host, host: "https://b.org")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "always has self" do
|
|
|
|
frame_ancestors = parse(policy)["frame-ancestors"]
|
|
|
|
expect(frame_ancestors).to include("'self'")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "includes all EmbeddableHost" do
|
|
|
|
frame_ancestors = parse(policy)["frame-ancestors"]
|
|
|
|
expect(frame_ancestors).to include("https://a.org")
|
|
|
|
expect(frame_ancestors).to include("https://b.org")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "with content_security_policy_frame_ancestors disabled" do
|
|
|
|
before { SiteSetting.content_security_policy_frame_ancestors = false }
|
|
|
|
|
|
|
|
it "does not set frame-ancestors" do
|
|
|
|
frame_ancestors = parse(policy)["frame-ancestors"]
|
|
|
|
expect(frame_ancestors).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-06-07 14:59:15 -04:00
|
|
|
context "with a plugin" do
|
|
|
|
let(:plugin_class) do
|
|
|
|
Class.new(Plugin::Instance) do
|
|
|
|
attr_accessor :enabled
|
|
|
|
def enabled?
|
|
|
|
@enabled
|
|
|
|
end
|
2018-12-03 22:48:13 -05:00
|
|
|
end
|
2021-06-07 14:59:15 -04:00
|
|
|
end
|
|
|
|
|
2024-03-07 10:20:31 -05:00
|
|
|
it "can extend script-src, object-src, manifest-src - legacy" do
|
|
|
|
SiteSetting.content_security_policy_strict_dynamic = false
|
|
|
|
|
2021-06-07 14:59:15 -04:00
|
|
|
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
|
|
|
|
|
|
|
|
plugin.activate!
|
|
|
|
Discourse.plugins << plugin
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2021-06-07 14:59:15 -04:00
|
|
|
plugin.enabled = true
|
|
|
|
expect(parse(policy)["script-src"]).to include("https://from-plugin.com")
|
2022-11-24 06:27:47 -05:00
|
|
|
expect(parse(policy)["script-src"]).to include("http://test.localhost/local/path")
|
2021-06-07 14:59:15 -04:00
|
|
|
expect(parse(policy)["object-src"]).to include("https://test-stripping.com")
|
|
|
|
expect(parse(policy)["object-src"]).to_not include("'none'")
|
2021-06-08 09:32:31 -04:00
|
|
|
expect(parse(policy)["manifest-src"]).to include("'self'")
|
|
|
|
expect(parse(policy)["manifest-src"]).to include("https://manifest-src.com")
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2021-06-07 14:59:15 -04:00
|
|
|
plugin.enabled = false
|
|
|
|
expect(parse(policy)["script-src"]).to_not include("https://from-plugin.com")
|
2021-06-08 09:32:31 -04:00
|
|
|
expect(parse(policy)["manifest-src"]).to_not include("https://manifest-src.com")
|
2021-06-07 14:59:15 -04:00
|
|
|
|
|
|
|
Discourse.plugins.delete plugin
|
2021-10-25 04:24:21 -04:00
|
|
|
DiscoursePluginRegistry.reset!
|
2021-06-07 14:59:15 -04:00
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2021-06-07 14:59:15 -04:00
|
|
|
it "can extend frame_ancestors" do
|
|
|
|
SiteSetting.content_security_policy_frame_ancestors = true
|
|
|
|
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2021-06-07 14:59:15 -04:00
|
|
|
plugin.activate!
|
|
|
|
Discourse.plugins << plugin
|
|
|
|
|
|
|
|
plugin.enabled = true
|
|
|
|
expect(parse(policy)["frame-ancestors"]).to include("'self'")
|
|
|
|
expect(parse(policy)["frame-ancestors"]).to include("https://frame-ancestors-plugin.ext")
|
|
|
|
|
|
|
|
plugin.enabled = false
|
|
|
|
expect(parse(policy)["frame-ancestors"]).to_not include("https://frame-ancestors-plugin.ext")
|
|
|
|
|
|
|
|
Discourse.plugins.delete plugin
|
2021-10-25 04:24:21 -04:00
|
|
|
DiscoursePluginRegistry.reset!
|
2021-06-07 14:59:15 -04:00
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
|
|
|
|
2024-03-07 10:20:31 -05:00
|
|
|
context "with a theme - legacy" do
|
|
|
|
before { SiteSetting.content_security_policy_strict_dynamic = false }
|
2019-12-30 07:17:12 -05:00
|
|
|
|
2019-02-11 07:32:04 -05:00
|
|
|
let!(:theme) do
|
|
|
|
Fabricate(:theme).tap do |t|
|
|
|
|
settings = <<~YML
|
|
|
|
extend_content_security_policy:
|
|
|
|
type: list
|
|
|
|
default: 'script-src: from-theme.com'
|
|
|
|
YML
|
|
|
|
t.set_field(target: :settings, name: :yaml, value: settings)
|
|
|
|
t.save!
|
|
|
|
end
|
2023-01-09 06:18:21 -05:00
|
|
|
end
|
2019-02-11 07:32:04 -05:00
|
|
|
|
|
|
|
def theme_policy
|
2021-06-17 22:16:26 -04:00
|
|
|
policy(theme.id)
|
2019-02-11 07:32:04 -05:00
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2019-02-11 07:32:04 -05:00
|
|
|
it "can be extended by themes" do
|
|
|
|
policy # call this first to make sure further actions clear the cache
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2019-02-11 07:32:04 -05:00
|
|
|
expect(parse(policy)["script-src"]).not_to include("from-theme.com")
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2019-02-11 07:32:04 -05:00
|
|
|
expect(parse(theme_policy)["script-src"]).to include("from-theme.com")
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2019-02-11 07:32:04 -05:00
|
|
|
theme.update_setting(
|
|
|
|
:extend_content_security_policy,
|
|
|
|
"script-src: https://from-theme.net|worker-src: from-theme.com",
|
|
|
|
)
|
|
|
|
theme.save!
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2019-02-11 07:32:04 -05:00
|
|
|
expect(parse(theme_policy)["script-src"]).to_not include("from-theme.com")
|
|
|
|
expect(parse(theme_policy)["script-src"]).to include("https://from-theme.net")
|
|
|
|
expect(parse(theme_policy)["worker-src"]).to include("from-theme.com")
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2019-02-11 07:32:04 -05:00
|
|
|
theme.destroy!
|
|
|
|
|
|
|
|
expect(parse(theme_policy)["script-src"]).to_not include("https://from-theme.net")
|
|
|
|
expect(parse(theme_policy)["worker-src"]).to_not include("from-theme.com")
|
|
|
|
end
|
2020-03-11 09:30:45 -04:00
|
|
|
|
2020-03-13 12:45:55 -04:00
|
|
|
it "can be extended by theme modifiers" do
|
2020-03-11 09:30:45 -04:00
|
|
|
policy # call this first to make sure further actions clear the cache
|
|
|
|
|
|
|
|
theme.theme_modifier_set.csp_extensions = [
|
|
|
|
"script-src: https://from-theme-flag.script",
|
|
|
|
"worker-src: from-theme-flag.worker",
|
|
|
|
]
|
|
|
|
theme.save!
|
|
|
|
|
2021-06-17 22:16:26 -04:00
|
|
|
child_theme = Fabricate(:theme, component: true)
|
|
|
|
theme.add_relative_theme!(:child, child_theme)
|
|
|
|
child_theme.theme_modifier_set.csp_extensions = [
|
|
|
|
"script-src: https://child-theme-flag.script",
|
|
|
|
"worker-src: child-theme-flag.worker",
|
|
|
|
]
|
|
|
|
child_theme.save!
|
|
|
|
|
2020-03-11 09:30:45 -04:00
|
|
|
expect(parse(theme_policy)["script-src"]).to include("https://from-theme-flag.script")
|
2021-06-17 22:16:26 -04:00
|
|
|
expect(parse(theme_policy)["script-src"]).to include("https://child-theme-flag.script")
|
2020-03-11 09:30:45 -04:00
|
|
|
expect(parse(theme_policy)["worker-src"]).to include("from-theme-flag.worker")
|
2021-06-17 22:16:26 -04:00
|
|
|
expect(parse(theme_policy)["worker-src"]).to include("child-theme-flag.worker")
|
2020-03-11 09:30:45 -04:00
|
|
|
|
|
|
|
theme.destroy!
|
2021-06-17 22:16:26 -04:00
|
|
|
child_theme.destroy!
|
2020-03-11 09:30:45 -04:00
|
|
|
|
|
|
|
expect(parse(theme_policy)["script-src"]).to_not include("https://from-theme-flag.script")
|
|
|
|
expect(parse(theme_policy)["worker-src"]).to_not include("from-theme-flag.worker")
|
2021-06-17 22:16:26 -04:00
|
|
|
expect(parse(theme_policy)["worker-src"]).to_not include("from-theme-flag.worker")
|
|
|
|
expect(parse(theme_policy)["worker-src"]).to_not include("child-theme-flag.worker")
|
2020-03-11 09:30:45 -04:00
|
|
|
end
|
2020-04-24 04:47:01 -04:00
|
|
|
|
|
|
|
it "is extended automatically when themes reference external scripts" do
|
|
|
|
policy # call this first to make sure further actions clear the cache
|
|
|
|
|
DEV: Correctly tag heredocs (#16061)
This allows text editors to use correct syntax coloring for the heredoc sections.
Heredoc tag names we use:
languages: SQL, JS, RUBY, LUA, HTML, CSS, SCSS, SH, HBS, XML, YAML/YML, MF, ICS
other: MD, TEXT/TXT, RAW, EMAIL
2022-02-28 14:50:55 -05:00
|
|
|
theme.set_field(target: :common, name: "header", value: <<~HTML)
|
2020-05-04 23:46:57 -04:00
|
|
|
<script src='https://example.com/myscript.js'></script>
|
2021-01-09 08:52:53 -05:00
|
|
|
<script src='https://example.com/myscript2.js?with=query'></script>
|
2020-05-04 23:46:57 -04:00
|
|
|
<script src='//example2.com/protocol-less-script.js'></script>
|
|
|
|
<script src='domain-only.com'></script>
|
2020-04-27 10:56:29 -04:00
|
|
|
<script>console.log('inline script')</script>
|
DEV: Correctly tag heredocs (#16061)
This allows text editors to use correct syntax coloring for the heredoc sections.
Heredoc tag names we use:
languages: SQL, JS, RUBY, LUA, HTML, CSS, SCSS, SH, HBS, XML, YAML/YML, MF, ICS
other: MD, TEXT/TXT, RAW, EMAIL
2022-02-28 14:50:55 -05:00
|
|
|
HTML
|
2020-04-27 10:56:29 -04:00
|
|
|
|
|
|
|
theme.set_field(target: :desktop, name: "header", value: "")
|
2020-04-24 04:47:01 -04:00
|
|
|
theme.save!
|
|
|
|
|
|
|
|
expect(parse(theme_policy)["script-src"]).to include("https://example.com/myscript.js")
|
2021-01-09 08:52:53 -05:00
|
|
|
expect(parse(theme_policy)["script-src"]).to include("https://example.com/myscript2.js")
|
|
|
|
expect(parse(theme_policy)["script-src"]).not_to include("?")
|
2020-04-27 10:56:29 -04:00
|
|
|
expect(parse(theme_policy)["script-src"]).to include("example2.com/protocol-less-script.js")
|
|
|
|
expect(parse(theme_policy)["script-src"]).not_to include("domain-only.com")
|
|
|
|
expect(parse(theme_policy)["script-src"]).not_to include(
|
|
|
|
a_string_matching %r{^/theme-javascripts}
|
|
|
|
)
|
2020-04-24 04:47:01 -04:00
|
|
|
|
|
|
|
theme.destroy!
|
|
|
|
|
|
|
|
expect(parse(theme_policy)["script-src"]).to_not include("https://example.com/myscript.js")
|
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
it "can be extended by site setting" do
|
2024-03-07 10:20:31 -05:00
|
|
|
SiteSetting.content_security_policy_script_src = "'unsafe-eval'"
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2024-03-07 10:20:31 -05:00
|
|
|
expect(parse(policy)["script-src"]).to include("'unsafe-eval'")
|
2018-10-22 13:22:23 -04:00
|
|
|
end
|
|
|
|
|
2024-03-14 14:50:09 -04:00
|
|
|
it "strips unsupported values from setting" do
|
|
|
|
SiteSetting.content_security_policy_script_src =
|
|
|
|
"'unsafe-eval'|blob:|https://example.com/script.js"
|
|
|
|
|
|
|
|
script_src = parse(policy)["script-src"]
|
|
|
|
expect(script_src).to include("'unsafe-eval'")
|
|
|
|
expect(script_src).not_to include("blob:")
|
|
|
|
expect(script_src).not_to include("https://example.com/script.js")
|
|
|
|
end
|
|
|
|
|
2018-10-22 13:22:23 -04:00
|
|
|
def parse(csp_string)
|
|
|
|
csp_string
|
|
|
|
.split(";")
|
|
|
|
.map do |policy|
|
|
|
|
directive, *sources = policy.split
|
|
|
|
[directive, sources]
|
|
|
|
end
|
|
|
|
.to_h
|
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
|
2021-06-17 22:16:26 -04:00
|
|
|
def policy(theme_id = nil, path_info: "/")
|
|
|
|
ContentSecurityPolicy.policy(theme_id, path_info: path_info)
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
2018-10-22 13:22:23 -04:00
|
|
|
end
|