DEV: Allow plugins to extend frame-ancestors (#13316)

Penar Musaraj 2021-06-07 14:59:15 -04:00 committed by GitHub
parent 7fcfebe772
commit f90c4bd6a1
3 changed files with 41 additions and 17 deletions


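--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -5,6 +5,7 @@ class ContentSecurityPolicy
 class Builder
 EXTENDABLE_DIRECTIVES = %i[
 base_uri
+frame_ancestors
 object_src
 script_src
 worker_src
@@ -16,7 +17,6 @@ class ContentSecurityPolicy
 default_src
 font_src
 form_action
-frame_ancestors
 frame_src
 img_src
 manifest_src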
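Review bot: EXTENDABLE_DIRECTIVES carries no note that frame_ancestors, now listed in the first hunk, is the CSP directive that decides which origins may embed the page, so an entry a plugin contributes there widens the site's clickjacking boundary; I would add `# frame_ancestors decides which origins may embed the site (clickjacking control); a plugin entry here widens that set.` above the constant. The spec in this commit sets SiteSetting.content_security_policy_frame_ancestors = true before asserting on the directive, which suggests the directive is gated by that setting; the builder's emission logic is outside this hunk, so it is worth confirming that plugin-supplied frame-ancestors sources are dropped rather than emitted when the setting is off. The fixture's 'test-stripping.com' source likewise hints that plugin-supplied sources pass through some stripping for the other extendable directives; if so, confirm the same path covers frame_ancestors. The enclosing Builder class continues beyond both hunks.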


@ -7,5 +7,6 @@
extend_content_security_policy( extend_content_security_policy(
script_src: ['https://from-plugin.com'], script_src: ['https://from-plugin.com'],
object_src: ['https://test-stripping.com'] object_src: ['https://test-stripping.com'],
frame_ancestors: ['https://frame-ancestors-plugin.ext']
) )


@ -188,26 +188,49 @@ describe ContentSecurityPolicy do
end end
end end
it 'can be extended by plugins' do context 'with a plugin' do
plugin = Class.new(Plugin::Instance) do let(:plugin_class) do
attr_accessor :enabled Class.new(Plugin::Instance) do
def enabled? attr_accessor :enabled
@enabled def enabled?
@enabled
end
end end
end.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb") end
plugin.activate! it 'can extend script-src and object-src' do
Discourse.plugins << plugin plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
plugin.enabled = true plugin.activate!
expect(parse(policy)['script-src']).to include('https://from-plugin.com') Discourse.plugins << plugin
expect(parse(policy)['object-src']).to include('https://test-stripping.com')
expect(parse(policy)['object-src']).to_not include("'none'")
plugin.enabled = false plugin.enabled = true
expect(parse(policy)['script-src']).to_not include('https://from-plugin.com') expect(parse(policy)['script-src']).to include('https://from-plugin.com')
expect(parse(policy)['object-src']).to include('https://test-stripping.com')
expect(parse(policy)['object-src']).to_not include("'none'")
Discourse.plugins.pop plugin.enabled = false
expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
Discourse.plugins.delete plugin
end
it 'can extend frame_ancestors' do
SiteSetting.content_security_policy_frame_ancestors = true
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
plugin.activate!
Discourse.plugins << plugin
plugin.enabled = true
expect(parse(policy)['frame-ancestors']).to include("'self'")
expect(parse(policy)['frame-ancestors']).to include('https://frame-ancestors-plugin.ext')
plugin.enabled = false
expect(parse(policy)['frame-ancestors']).to_not include('https://frame-ancestors-plugin.ext')
Discourse.plugins.delete plugin
end
end end
it 'only includes unsafe-inline for qunit paths' do it 'only includes unsafe-inline for qunit paths' do
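Review bot: In both new examples the teardown `Discourse.plugins.delete plugin` runs only after every expectation has passed, so a failing expectation leaves the activated plugin registered for the remaining examples in this file. Since the new `context 'with a plugin'` already introduces `let(:plugin_class)`, the instance and its cleanup belong there too: `let(:plugin) { plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb") }` with `after { Discourse.plugins.delete(plugin) }`, which also removes the activate!/<< lines duplicated between the two examples. The describe block continues past this hunk, and blank spec lines appear to have been dropped in this rendering, so the hunk boundary here is inferred.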