DEV: Allow plugins to extend frame-ancestors (#13316)
This commit is contained in:
parent
7fcfebe772
commit
f90c4bd6a1
|
@ -5,6 +5,7 @@ class ContentSecurityPolicy
|
|||
class Builder
|
||||
EXTENDABLE_DIRECTIVES = %i[
|
||||
base_uri
|
||||
frame_ancestors
|
||||
object_src
|
||||
script_src
|
||||
worker_src
|
||||
|
@ -16,7 +17,6 @@ class ContentSecurityPolicy
|
|||
default_src
|
||||
font_src
|
||||
form_action
|
||||
frame_ancestors
|
||||
frame_src
|
||||
img_src
|
||||
manifest_src
|
||||
|
|
|
@ -7,5 +7,6 @@
|
|||
|
||||
extend_content_security_policy(
|
||||
script_src: ['https://from-plugin.com'],
|
||||
object_src: ['https://test-stripping.com']
|
||||
object_src: ['https://test-stripping.com'],
|
||||
frame_ancestors: ['https://frame-ancestors-plugin.ext']
|
||||
)
|
||||
|
|
|
@ -188,13 +188,18 @@ describe ContentSecurityPolicy do
|
|||
end
|
||||
end
|
||||
|
||||
it 'can be extended by plugins' do
|
||||
plugin = Class.new(Plugin::Instance) do
|
||||
context 'with a plugin' do
|
||||
let(:plugin_class) do
|
||||
Class.new(Plugin::Instance) do
|
||||
attr_accessor :enabled
|
||||
def enabled?
|
||||
@enabled
|
||||
end
|
||||
end.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
|
||||
end
|
||||
end
|
||||
|
||||
it 'can extend script-src and object-src' do
|
||||
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
|
||||
|
||||
plugin.activate!
|
||||
Discourse.plugins << plugin
|
||||
|
@ -207,7 +212,25 @@ describe ContentSecurityPolicy do
|
|||
plugin.enabled = false
|
||||
expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
|
||||
|
||||
Discourse.plugins.pop
|
||||
Discourse.plugins.delete plugin
|
||||
end
|
||||
|
||||
it 'can extend frame_ancestors' do
|
||||
SiteSetting.content_security_policy_frame_ancestors = true
|
||||
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
|
||||
|
||||
plugin.activate!
|
||||
Discourse.plugins << plugin
|
||||
|
||||
plugin.enabled = true
|
||||
expect(parse(policy)['frame-ancestors']).to include("'self'")
|
||||
expect(parse(policy)['frame-ancestors']).to include('https://frame-ancestors-plugin.ext')
|
||||
|
||||
plugin.enabled = false
|
||||
expect(parse(policy)['frame-ancestors']).to_not include('https://frame-ancestors-plugin.ext')
|
||||
|
||||
Discourse.plugins.delete plugin
|
||||
end
|
||||
end
|
||||
|
||||
it 'only includes unsafe-inline for qunit paths' do
|
||||
|
|
Loading…
Reference in New Issue