discourse/spec/lib/content_security_policy_spec.rb

# frozen_string_literal: true
RSpec.describe ContentSecurityPolicy do
  after { DiscoursePluginRegistry.reset! }

  describe "report-uri" do
    it "is enabled by SiteSetting" do
      SiteSetting.content_security_policy_collect_reports = true
      report_uri = parse(policy)["report-uri"].first
      expect(report_uri).to eq("http://test.localhost/csp_reports")

      SiteSetting.content_security_policy_collect_reports = false
      report_uri = parse(policy)["report-uri"]
      expect(report_uri).to eq(nil)
    end
  end

  describe "base-uri" do
    it "is set to self" do
      base_uri = parse(policy)["base-uri"]
      expect(base_uri).to eq(["'self'"])
    end
  end

  describe "object-src" do
    it "is set to none" do
      object_srcs = parse(policy)["object-src"]
      expect(object_srcs).to eq(["'none'"])
    end
  end

  describe "upgrade-insecure-requests" do
    it "is not included when force_https is off" do
      SiteSetting.force_https = false
      expect(parse(policy)["upgrade-insecure-requests"]).to eq(nil)
    end

    it "is included when force_https is on" do
      SiteSetting.force_https = true
      expect(parse(policy)["upgrade-insecure-requests"]).to eq([])
    end
  end

  describe "strict-dynamic script-src and worker-src" do
    it "includes strict-dynamic keyword" do
      script_srcs = parse(policy)["script-src"]
      expect(script_srcs).to include("'strict-dynamic'")
    end

    it "does not set worker-src" do
      worker_src = parse(policy)["worker-src"]
      expect(worker_src).to eq(nil)
    end

    it 'includes "report-sample" when report collection is enabled' do
      SiteSetting.content_security_policy_collect_reports = true
      script_srcs = parse(policy)["script-src"]
      expect(script_srcs).to include("'report-sample'")
    end
  end

  describe "manifest-src" do
    it "is set to self" do
      expect(parse(policy)["manifest-src"]).to eq(["'self'"])
    end
  end

  describe "frame-ancestors" do
    context "with content_security_policy_frame_ancestors enabled" do
      before do
        SiteSetting.content_security_policy_frame_ancestors = true
        Fabricate(:embeddable_host, host: "https://a.org")
        Fabricate(:embeddable_host, host: "https://b.org")
      end

      it "always has self" do
        frame_ancestors = parse(policy)["frame-ancestors"]
        expect(frame_ancestors).to include("'self'")
      end

      it "includes all EmbeddableHost" do
        frame_ancestors = parse(policy)["frame-ancestors"]
        expect(frame_ancestors).to include("https://a.org")
        expect(frame_ancestors).to include("https://b.org")
      end
    end

    context "with content_security_policy_frame_ancestors disabled" do
      before { SiteSetting.content_security_policy_frame_ancestors = false }

      it "does not set frame-ancestors" do
        frame_ancestors = parse(policy)["frame-ancestors"]
        expect(frame_ancestors).to be_nil
      end
    end
  end

  context "with a plugin" do
    let(:plugin_class) do
      Class.new(Plugin::Instance) do
        attr_accessor :enabled
        def enabled?
          @enabled
        end
      end
    end

    it "can extend frame_ancestors" do
      SiteSetting.content_security_policy_frame_ancestors = true
      plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")

      plugin.activate!
      Discourse.plugins << plugin

      plugin.enabled = true
      expect(parse(policy)["frame-ancestors"]).to include("'self'")
      expect(parse(policy)["frame-ancestors"]).to include("https://frame-ancestors-plugin.ext")

      plugin.enabled = false
      expect(parse(policy)["frame-ancestors"]).to_not include("https://frame-ancestors-plugin.ext")

      Discourse.plugins.delete plugin
      DiscoursePluginRegistry.reset!
    end
  end

  it "can be extended by site setting" do
    SiteSetting.content_security_policy_script_src = "'unsafe-eval'"

    expect(parse(policy)["script-src"]).to include("'unsafe-eval'")
  end

  def parse(csp_string)
    csp_string
      .split(";")
      .map do |policy|
        directive, *sources = policy.split
        [directive, sources]
      end
      .to_h
  end

  def policy(theme_id = nil, path_info: "/")
    ContentSecurityPolicy.policy(theme_id, path_info: path_info)
  end
end
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 08:51:45 -06:00			`# frozen_string_literal: true`
Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277 2022-07-27 21:27:38 -05:00			`RSpec.describe ContentSecurityPolicy do`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`after { DiscoursePluginRegistry.reset! }`
FIX: Cleanup DiscoursePluginRegistry state after tests that use it This was causing some heisentests 2019-09-20 07:32:43 -05:00
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`describe "report-uri" do`
			`it "is enabled by SiteSetting" do`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 12:22:23 -05:00			`SiteSetting.content_security_policy_collect_reports = true`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`report_uri = parse(policy)["report-uri"].first`
			`expect(report_uri).to eq("http://test.localhost/csp_reports")`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 12:22:23 -05:00
			`SiteSetting.content_security_policy_collect_reports = false`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`report_uri = parse(policy)["report-uri"]`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 12:22:23 -05:00			`expect(report_uri).to eq(nil)`
			`end`
			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`describe "base-uri" do`
			`it "is set to self" do`
			`base_uri = parse(policy)["base-uri"]`
FIX: Set CSP base-uri to `self` (#13654) 2021-07-07 08:43:48 -05:00			`expect(base_uri).to eq(["'self'"])`
FEATURE: set CSP base-uri and object-src to none (#6863) 2019-01-09 14:04:50 -06:00			`end`
			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`describe "object-src" do`
			`it "is set to none" do`
			`object_srcs = parse(policy)["object-src"]`
FEATURE: set CSP base-uri and object-src to none (#6863) 2019-01-09 14:04:50 -06:00			`expect(object_srcs).to eq(["'none'"])`
			`end`
			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`describe "upgrade-insecure-requests" do`
			`it "is not included when force_https is off" do`
FEATURE: Add upgrade-insecure-requests to CSP when force_https is enabled (#13348) If force_https is enabled all resource (including markdown preview and so on) will be accessed using HTTPS If for any reason you attempt to link to non HTTPS reachable content content may appear broken 2021-06-09 19:53:10 -05:00			`SiteSetting.force_https = false`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`expect(parse(policy)["upgrade-insecure-requests"]).to eq(nil)`
FEATURE: Add upgrade-insecure-requests to CSP when force_https is enabled (#13348) If force_https is enabled all resource (including markdown preview and so on) will be accessed using HTTPS If for any reason you attempt to link to non HTTPS reachable content content may appear broken 2021-06-09 19:53:10 -05:00			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`it "is included when force_https is on" do`
FEATURE: Add upgrade-insecure-requests to CSP when force_https is enabled (#13348) If force_https is enabled all resource (including markdown preview and so on) will be accessed using HTTPS If for any reason you attempt to link to non HTTPS reachable content content may appear broken 2021-06-09 19:53:10 -05:00			`SiteSetting.force_https = true`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`expect(parse(policy)["upgrade-insecure-requests"]).to eq([])`
FEATURE: Add upgrade-insecure-requests to CSP when force_https is enabled (#13348) If force_https is enabled all resource (including markdown preview and so on) will be accessed using HTTPS If for any reason you attempt to link to non HTTPS reachable content content may appear broken 2021-06-09 19:53:10 -05:00			`end`
			`end`

FEATURE: Enable strict-dynamic Content-Security-Policy by default (#26051) Ref https://meta.discourse.org/t/298172 and https://meta.discourse.org/t/295603 2024-03-07 09:20:31 -06:00			`describe "strict-dynamic script-src and worker-src" do`
			`it "includes strict-dynamic keyword" do`
			`script_srcs = parse(policy)["script-src"]`
			`expect(script_srcs).to include("'strict-dynamic'")`
			`end`

			`it "does not set worker-src" do`
			`worker_src = parse(policy)["worker-src"]`
			`expect(worker_src).to eq(nil)`
			`end`
DEV: remove legacy CSP implementation to make strict-dynamic only accepted behaviour (#27486) * DEV: remove legacy CSP implementation that allowed for non-strict-dynamic behaviour 2024-06-18 03:40:53 -05:00
			`it 'includes "report-sample" when report collection is enabled' do`
			`SiteSetting.content_security_policy_collect_reports = true`
			`script_srcs = parse(policy)["script-src"]`
			`expect(script_srcs).to include("'report-sample'")`
			`end`
FEATURE: Enable strict-dynamic Content-Security-Policy by default (#26051) Ref https://meta.discourse.org/t/298172 and https://meta.discourse.org/t/295603 2024-03-07 09:20:31 -06:00			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`describe "manifest-src" do`
			`it "is set to self" do`
			`expect(parse(policy)["manifest-src"]).to eq(["'self'"])`
DEV: Add manifest-src to CSP (#13319) Defaults to `manifest-src: 'self'` and allows plugins/themes to extend it. 2021-06-08 08:32:31 -05:00			`end`
			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`describe "frame-ancestors" do`
			`context "with content_security_policy_frame_ancestors enabled" do`
FEATURE: Add CSP frame-ancestors support (#12404) 2021-03-22 14:00:25 -05:00			`before do`
			`SiteSetting.content_security_policy_frame_ancestors = true`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`Fabricate(:embeddable_host, host: "https://a.org")`
			`Fabricate(:embeddable_host, host: "https://b.org")`
FEATURE: Add CSP frame-ancestors support (#12404) 2021-03-22 14:00:25 -05:00			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`it "always has self" do`
			`frame_ancestors = parse(policy)["frame-ancestors"]`
FEATURE: Add CSP frame-ancestors support (#12404) 2021-03-22 14:00:25 -05:00			`expect(frame_ancestors).to include("'self'")`
			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`it "includes all EmbeddableHost" do`
			`frame_ancestors = parse(policy)["frame-ancestors"]`
FEATURE: Add CSP frame-ancestors support (#12404) 2021-03-22 14:00:25 -05:00			`expect(frame_ancestors).to include("https://a.org")`
			`expect(frame_ancestors).to include("https://b.org")`
			`end`
			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`context "with content_security_policy_frame_ancestors disabled" do`
			`before { SiteSetting.content_security_policy_frame_ancestors = false }`
FEATURE: Add CSP frame-ancestors support (#12404) 2021-03-22 14:00:25 -05:00
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`it "does not set frame-ancestors" do`
			`frame_ancestors = parse(policy)["frame-ancestors"]`
FEATURE: Add CSP frame-ancestors support (#12404) 2021-03-22 14:00:25 -05:00			`expect(frame_ancestors).to be_nil`
			`end`
			`end`
			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`context "with a plugin" do`
DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 13:59:15 -05:00			`let(:plugin_class) do`
			`Class.new(Plugin::Instance) do`
			`attr_accessor :enabled`
			`def enabled?`
			`@enabled`
			`end`
DEV: Enable `Style/SingleLineMethods` and `Style/Semicolon` in Rubocop (#6717) 2018-12-03 21:48:13 -06:00			`end`
DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 13:59:15 -05:00			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`it "can extend frame_ancestors" do`
DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 13:59:15 -05:00			`SiteSetting.content_security_policy_frame_ancestors = true`
			`plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")`
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 08:51:45 -06:00
DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 13:59:15 -05:00			`plugin.activate!`
			`Discourse.plugins << plugin`

			`plugin.enabled = true`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`expect(parse(policy)["frame-ancestors"]).to include("'self'")`
			`expect(parse(policy)["frame-ancestors"]).to include("https://frame-ancestors-plugin.ext")`
DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 13:59:15 -05:00
			`plugin.enabled = false`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`expect(parse(policy)["frame-ancestors"]).to_not include("https://frame-ancestors-plugin.ext")`
DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 13:59:15 -05:00
			`Discourse.plugins.delete plugin`
DEV: prevents flakky spec when deleting plugin (#14701) Not reseting the registry could lead to assets still being registered for example. This flakky spec was reprdocible with this call: `bundle exec rspec --seed 9472 spec/components/discourse_plugin_registry_spec.rb spec/components/svg_sprite/svg_sprite_spec.rb` Which would trigger the following error: ``` Failures: 1) DiscoursePluginRegistry#register_asset registers vendored_core_pretty_text properly Failure/Error: expect(registry.javascripts.count).to eq(0) expected: 0 got: 1 (compared using ==) # ./spec/components/discourse_plugin_registry_spec.rb:248:in `block (3 levels) in <top (required)>' # ./spec/rails_helper.rb:280:in `block (2 levels) in <top (required)>' # /Users/joffreyjaffeux/.gem/ruby/2.7.3/gems/webmock-3.14.0/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>' ``` 2021-10-25 03:24:21 -05:00			`DiscoursePluginRegistry.reset!`
DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 13:59:15 -05:00			`end`
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 08:51:45 -06:00			`end`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`it "can be extended by site setting" do`
FEATURE: Enable strict-dynamic Content-Security-Policy by default (#26051) Ref https://meta.discourse.org/t/298172 and https://meta.discourse.org/t/295603 2024-03-07 09:20:31 -06:00			`SiteSetting.content_security_policy_script_src = "'unsafe-eval'"`
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 08:51:45 -06:00
FEATURE: Enable strict-dynamic Content-Security-Policy by default (#26051) Ref https://meta.discourse.org/t/298172 and https://meta.discourse.org/t/295603 2024-03-07 09:20:31 -06:00			`expect(parse(policy)["script-src"]).to include("'unsafe-eval'")`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 12:22:23 -05:00			`end`

			`def parse(csp_string)`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`csp_string`
			`.split(";")`
			`.map do \|policy\|`
			`directive, *sources = policy.split`
			`[directive, sources]`
			`end`
			`.to_h`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 12:22:23 -05:00			`end`
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 08:51:45 -06:00
Code review comments. 2021-06-17 21:16:26 -05:00			`def policy(theme_id = nil, path_info: "/")`
			`ContentSecurityPolicy.policy(theme_id, path_info: path_info)`
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 08:51:45 -06:00			`end`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 12:22:23 -05:00			`end`