DEV: Allow plugins to extend frame-ancestors (#13316)

This commit is contained in:
Penar Musaraj 2021-06-07 14:59:15 -04:00 committed by GitHub
parent 7fcfebe772
commit f90c4bd6a1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 41 additions and 17 deletions

View File

@ -5,6 +5,7 @@ class ContentSecurityPolicy
class Builder
EXTENDABLE_DIRECTIVES = %i[
base_uri
frame_ancestors
object_src
script_src
worker_src
@ -16,7 +17,6 @@ class ContentSecurityPolicy
default_src
font_src
form_action
frame_ancestors
frame_src
img_src
manifest_src

View File

@ -7,5 +7,6 @@
extend_content_security_policy(
script_src: ['https://from-plugin.com'],
object_src: ['https://test-stripping.com']
object_src: ['https://test-stripping.com'],
frame_ancestors: ['https://frame-ancestors-plugin.ext']
)

View File

@ -188,13 +188,18 @@ describe ContentSecurityPolicy do
end
end
it 'can be extended by plugins' do
plugin = Class.new(Plugin::Instance) do
context 'with a plugin' do
let(:plugin_class) do
Class.new(Plugin::Instance) do
attr_accessor :enabled
def enabled?
@enabled
end
end.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
end
end
it 'can extend script-src and object-src' do
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
plugin.activate!
Discourse.plugins << plugin
@ -207,7 +212,25 @@ describe ContentSecurityPolicy do
plugin.enabled = false
expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
Discourse.plugins.pop
Discourse.plugins.delete plugin
end
it 'can extend frame_ancestors' do
SiteSetting.content_security_policy_frame_ancestors = true
plugin = plugin_class.new(nil, "#{Rails.root}/spec/fixtures/plugins/csp_extension/plugin.rb")
plugin.activate!
Discourse.plugins << plugin
plugin.enabled = true
expect(parse(policy)['frame-ancestors']).to include("'self'")
expect(parse(policy)['frame-ancestors']).to include('https://frame-ancestors-plugin.ext')
plugin.enabled = false
expect(parse(policy)['frame-ancestors']).to_not include('https://frame-ancestors-plugin.ext')
Discourse.plugins.delete plugin
end
end
it 'only includes unsafe-inline for qunit paths' do