DEV: Allow plugins to extend frame-ancestors (#13316)

2025-02-25 18:55:32 -06:00 · 2021-06-07 14:59:15 -04:00
parent 7fcfebe772
commit f90c4bd6a1
3 changed files with 41 additions and 17 deletions
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -188,26 +188,49 @@ describe ContentSecurityPolicy do
    end
  end

-  it 'can be extended by plugins' do
-    plugin = Class.new(Plugin::Instance) do
-      attr_accessor :enabled
-      def enabled?
-        @enabled
+  context 'with a plugin' do
+    let(:plugin_class) do
+      Class.new(Plugin::Instance) do
+        attr_accessor :enabled
+        def enabled?
+          @enabled
+        end
      end
-    end.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
+    end

-    plugin.activate!
-    Discourse.plugins << plugin
+    it 'can extend script-src and object-src' do
+      plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")

-    plugin.enabled = true
-    expect(parse(policy)['script-src']).to include('https://from-plugin.com')
-    expect(parse(policy)['object-src']).to include('https://test-stripping.com')
-    expect(parse(policy)['object-src']).to_not include("'none'")
+      plugin.activate!
+      Discourse.plugins << plugin

-    plugin.enabled = false
-    expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
+      plugin.enabled = true
+      expect(parse(policy)['script-src']).to include('https://from-plugin.com')
+      expect(parse(policy)['object-src']).to include('https://test-stripping.com')
+      expect(parse(policy)['object-src']).to_not include("'none'")

-    Discourse.plugins.pop
+      plugin.enabled = false
+      expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
+
+      Discourse.plugins.delete plugin
+    end
+
+    it 'can extend frame_ancestors' do
+      SiteSetting.content_security_policy_frame_ancestors = true
+      plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
+
+      plugin.activate!
+      Discourse.plugins << plugin
+
+      plugin.enabled = true
+      expect(parse(policy)['frame-ancestors']).to include("'self'")
+      expect(parse(policy)['frame-ancestors']).to include('https://frame-ancestors-plugin.ext')
+
+      plugin.enabled = false
+      expect(parse(policy)['frame-ancestors']).to_not include('https://frame-ancestors-plugin.ext')
+
+      Discourse.plugins.delete plugin
+    end
  end

  it 'only includes unsafe-inline for qunit paths' do