DEV: Allow plugins to extend frame-ancestors (#13316)
This commit is contained in:
parent
7fcfebe772
commit
f90c4bd6a1
|
@ -5,6 +5,7 @@ class ContentSecurityPolicy
|
||||||
class Builder
|
class Builder
|
||||||
EXTENDABLE_DIRECTIVES = %i[
|
EXTENDABLE_DIRECTIVES = %i[
|
||||||
base_uri
|
base_uri
|
||||||
|
frame_ancestors
|
||||||
object_src
|
object_src
|
||||||
script_src
|
script_src
|
||||||
worker_src
|
worker_src
|
||||||
|
@ -16,7 +17,6 @@ class ContentSecurityPolicy
|
||||||
default_src
|
default_src
|
||||||
font_src
|
font_src
|
||||||
form_action
|
form_action
|
||||||
frame_ancestors
|
|
||||||
frame_src
|
frame_src
|
||||||
img_src
|
img_src
|
||||||
manifest_src
|
manifest_src
|
||||||
|
|
|
@ -7,5 +7,6 @@
|
||||||
|
|
||||||
extend_content_security_policy(
|
extend_content_security_policy(
|
||||||
script_src: ['https://from-plugin.com'],
|
script_src: ['https://from-plugin.com'],
|
||||||
object_src: ['https://test-stripping.com']
|
object_src: ['https://test-stripping.com'],
|
||||||
|
frame_ancestors: ['https://frame-ancestors-plugin.ext']
|
||||||
)
|
)
|
||||||
|
|
|
@ -188,13 +188,18 @@ describe ContentSecurityPolicy do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'can be extended by plugins' do
|
context 'with a plugin' do
|
||||||
plugin = Class.new(Plugin::Instance) do
|
let(:plugin_class) do
|
||||||
|
Class.new(Plugin::Instance) do
|
||||||
attr_accessor :enabled
|
attr_accessor :enabled
|
||||||
def enabled?
|
def enabled?
|
||||||
@enabled
|
@enabled
|
||||||
end
|
end
|
||||||
end.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'can extend script-src and object-src' do
|
||||||
|
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
|
||||||
|
|
||||||
plugin.activate!
|
plugin.activate!
|
||||||
Discourse.plugins << plugin
|
Discourse.plugins << plugin
|
||||||
|
@ -207,7 +212,25 @@ describe ContentSecurityPolicy do
|
||||||
plugin.enabled = false
|
plugin.enabled = false
|
||||||
expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
|
expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
|
||||||
|
|
||||||
Discourse.plugins.pop
|
Discourse.plugins.delete plugin
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'can extend frame_ancestors' do
|
||||||
|
SiteSetting.content_security_policy_frame_ancestors = true
|
||||||
|
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
|
||||||
|
|
||||||
|
plugin.activate!
|
||||||
|
Discourse.plugins << plugin
|
||||||
|
|
||||||
|
plugin.enabled = true
|
||||||
|
expect(parse(policy)['frame-ancestors']).to include("'self'")
|
||||||
|
expect(parse(policy)['frame-ancestors']).to include('https://frame-ancestors-plugin.ext')
|
||||||
|
|
||||||
|
plugin.enabled = false
|
||||||
|
expect(parse(policy)['frame-ancestors']).to_not include('https://frame-ancestors-plugin.ext')
|
||||||
|
|
||||||
|
Discourse.plugins.delete plugin
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'only includes unsafe-inline for qunit paths' do
|
it 'only includes unsafe-inline for qunit paths' do
|
||||||
|
|
Loading…
Reference in New Issue