IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

DEV: remove legacy CSP implementation to make strict-dynamic only accepted behaviour (#27486)

Browse Source 
* DEV: remove legacy CSP implementation that allowed for non-strict-dynamic behaviour
This commit is contained in:
Kelv
2024-06-18 16:40:53 +08:00
committed by GitHub
parent b9eb746eea
commit 2393234be5
8 changed files with 9 additions and 382 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
spec/integration/content_security_policy_spec.rb
View File

@@ -16,51 +16,4 @@ RSpec.describe "content security policy integration" do
/script-src 'nonce-[^']+' 'strict-dynamic';/,
)
end
context "with different hostnames - legacy" do
before { SiteSetting.content_security_policy_strict_dynamic = false }
before do
SiteSetting.content_security_policy = true
RailsMultisite::ConnectionManagement.stubs(:current_db_hostnames).returns(
%w[primary.example.com secondary.example.com],
)
RailsMultisite::ConnectionManagement.stubs(:current_hostname).returns("primary.example.com")
end
it "works with the primary domain" do
host! "primary.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com")
end
it "works with the secondary domain" do
host! "secondary.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://secondary.example.com")
end
it "uses the primary domain for unknown hosts" do
host! "unknown.example.com"
get "/"
expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com")
end
end
context "with different protocols - legacy" do
before { SiteSetting.content_security_policy_strict_dynamic = false }
it "forces https when the site setting is enabled" do
SiteSetting.force_https = true
get "/"
expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost")
end
it "uses https when the site setting is disabled, but request is ssl" do
SiteSetting.force_https = false
https!
get "/"
expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost")
end
end
end