include '/plugins/' directory for script-src and blob for worker-src

- plugins may include additional static JS assets - ACE.js editor register a service worker with a blob for syntax checking
2025-02-25 18:55:32 -06:00 · 2018-11-16 16:25:21 -05:00
parent e37c4a4525
commit 962fbd1ec7
2 changed files with 17 additions and 3 deletions
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -13,8 +13,18 @@ describe ContentSecurityPolicy do
    end
  end

-  describe 'script-src defaults' do
-    it 'always have self, logster, sidekiq, and assets' do
+  describe 'worker-src' do
+    it 'always has self and blob' do
+      worker_srcs = parse(ContentSecurityPolicy.new.build)['worker-src']
+      expect(worker_srcs).to eq(%w[
+        'self'
+        blob:
+      ])
+    end
+  end
+
+  describe 'script-src' do
+    it 'always has self, logster, sidekiq, and assets' do
      script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
      expect(script_srcs).to eq(%w[
        'unsafe-eval'
@@ -26,6 +36,7 @@ describe ContentSecurityPolicy do
        http://test.localhost/extra-locales/
        http://test.localhost/highlight-js/
        http://test.localhost/javascripts/
+        http://test.localhost/plugins/
        http://test.localhost/theme-javascripts/
      ])
    end
@@ -48,6 +59,7 @@ describe ContentSecurityPolicy do
        https://cdn.com/brotli_asset/
        https://cdn.com/highlight-js/
        https://cdn.com/javascripts/
+        https://cdn.com/plugins/
        https://cdn.com/theme-javascripts/
        http://test.localhost/extra-locales/
      ])
@@ -60,6 +72,7 @@ describe ContentSecurityPolicy do
        https://s3-cdn.com/brotli_asset/
        https://cdn.com/highlight-js/
        https://cdn.com/javascripts/
+        https://cdn.com/plugins/
        https://cdn.com/theme-javascripts/
        http://test.localhost/extra-locales/
      ])