DEV: Allow plugins to extend frame-ancestors (#13316)

2024-11-29 04:03:57 -06:00 · 2021-06-07 14:59:15 -04:00 · 2021-06-07 14:59:15 -04:00 · f90c4bd6a1
commit f90c4bd6a1
parent 7fcfebe772
3 changed files with 41 additions and 17 deletions
--- a/lib/content_security_policy/builder.rb
+++ b/lib/content_security_policy/builder.rb
@ -5,6 +5,7 @@ class ContentSecurityPolicy
  class Builder
    EXTENDABLE_DIRECTIVES = %i[
      base_uri
+      frame_ancestors
      object_src
      script_src
      worker_src
@ -16,7 +17,6 @@ class ContentSecurityPolicy
      default_src
      font_src
      form_action
-      frame_ancestors
      frame_src
      img_src
      manifest_src
--- a/spec/fixtures/plugins/csp_extension/plugin.rb
+++ b/spec/fixtures/plugins/csp_extension/plugin.rb
@ -7,5 +7,6 @@

 extend_content_security_policy(
  script_src: ['https://from-plugin.com'],
-  object_src: ['https://test-stripping.com']
+  object_src: ['https://test-stripping.com'],
+  frame_ancestors: ['https://frame-ancestors-plugin.ext']
 )
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@ -188,26 +188,49 @@ describe ContentSecurityPolicy do
    end
  end

-  it 'can be extended by plugins' do
-    plugin = Class.new(Plugin::Instance) do
-      attr_accessor :enabled
-      def enabled?
-        @enabled
+  context 'with a plugin' do
+    let(:plugin_class) do
+      Class.new(Plugin::Instance) do
+        attr_accessor :enabled
+        def enabled?
+          @enabled
+        end
      end
-    end.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
+    end

-    plugin.activate!
-    Discourse.plugins << plugin
+    it 'can extend script-src and object-src' do
+      plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")

-    plugin.enabled = true
-    expect(parse(policy)['script-src']).to include('https://from-plugin.com')
-    expect(parse(policy)['object-src']).to include('https://test-stripping.com')
-    expect(parse(policy)['object-src']).to_not include("'none'")
+      plugin.activate!
+      Discourse.plugins << plugin

-    plugin.enabled = false
-    expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
+      plugin.enabled = true
+      expect(parse(policy)['script-src']).to include('https://from-plugin.com')
+      expect(parse(policy)['object-src']).to include('https://test-stripping.com')
+      expect(parse(policy)['object-src']).to_not include("'none'")

-    Discourse.plugins.pop
+      plugin.enabled = false
+      expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
+
+      Discourse.plugins.delete plugin
+    end
+
+    it 'can extend frame_ancestors' do
+      SiteSetting.content_security_policy_frame_ancestors = true
+      plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
+
+      plugin.activate!
+      Discourse.plugins << plugin
+
+      plugin.enabled = true
+      expect(parse(policy)['frame-ancestors']).to include("'self'")
+      expect(parse(policy)['frame-ancestors']).to include('https://frame-ancestors-plugin.ext')
+
+      plugin.enabled = false
+      expect(parse(policy)['frame-ancestors']).to_not include('https://frame-ancestors-plugin.ext')
+
+      Discourse.plugins.delete plugin
+    end
  end

  it 'only includes unsafe-inline for qunit paths' do