mirror of
https://github.com/discourse/discourse.git
synced 2024-12-01 21:19:41 -06:00
03deda2147
* Add missing icons to set
* Revert FA5 revert
This reverts commit 42572ff
* use new SVG syntax in locales
* Noscript page changes (remove login button, center "powered by" footer text)
* Cast wider net for SVG icons in settings
- include any _icon setting for SVG registry (offers better support for plugin settings)
- let themes store multiple pipe-delimited icons in a setting
- also replaces broken onebox image icon with SVG reference in cooked post processor
* interpolate icons in locales
* Fix composer whisper icon alignment
* Add support for stacked icons
* SECURITY: enforce hostname to match discourse hostname
This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname
* load SVG sprite with pre-initializers
* FIX: enable caching on SVG sprites
* PERF: use JSONP for SVG sprites so they are served from CDN
This avoids needing to deal with CORS for loading of the SVG
Note, added the svg- prefix to the filename so we can quickly tell in
dev tools what the file is
* Add missing SVG sprite JSONP script to CSP
* Upgrade to FA 5.5.0
* Add support for all FA4.7 icons
- adds complete frontend and backend for renamed FA4.7 icons
- improves performance of SvgSprite.bundle and SvgSprite.all_icons
* Fix group avatar flair preview
- adds an endpoint at /svg-sprites/search/:keyword
- adds frontend ajax call that pulls icon in avatar flair preview even when it is not in subset
* Remove FA 4.7 font files
98 lines
3.2 KiB
Ruby
98 lines
3.2 KiB
Ruby
require 'rails_helper'
|
|
|
|
describe ContentSecurityPolicy do
|
|
describe 'report-uri' do
|
|
it 'is enabled by SiteSetting' do
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
report_uri = parse(ContentSecurityPolicy.new.build)['report-uri'].first
|
|
expect(report_uri).to eq('/csp_reports')
|
|
|
|
SiteSetting.content_security_policy_collect_reports = false
|
|
report_uri = parse(ContentSecurityPolicy.new.build)['report-uri']
|
|
expect(report_uri).to eq(nil)
|
|
end
|
|
end
|
|
|
|
describe 'worker-src' do
|
|
it 'always has self and blob' do
|
|
worker_srcs = parse(ContentSecurityPolicy.new.build)['worker-src']
|
|
expect(worker_srcs).to eq(%w[
|
|
'self'
|
|
blob:
|
|
])
|
|
end
|
|
end
|
|
|
|
describe 'script-src' do
|
|
it 'always has self, logster, sidekiq, and assets' do
|
|
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
|
|
expect(script_srcs).to eq(%w[
|
|
'unsafe-eval'
|
|
http://test.localhost/logs/
|
|
http://test.localhost/sidekiq/
|
|
http://test.localhost/mini-profiler-resources/
|
|
http://test.localhost/assets/
|
|
http://test.localhost/brotli_asset/
|
|
http://test.localhost/extra-locales/
|
|
http://test.localhost/highlight-js/
|
|
http://test.localhost/javascripts/
|
|
http://test.localhost/plugins/
|
|
http://test.localhost/theme-javascripts/
|
|
http://test.localhost/svg-sprite/
|
|
])
|
|
end
|
|
|
|
it 'whitelists Google Analytics and Tag Manager when integrated' do
|
|
SiteSetting.ga_universal_tracking_code = 'UA-12345678-9'
|
|
SiteSetting.gtm_container_id = 'GTM-ABCDEF'
|
|
|
|
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
|
|
expect(script_srcs).to include('https://www.google-analytics.com')
|
|
expect(script_srcs).to include('https://www.googletagmanager.com')
|
|
end
|
|
|
|
it 'whitelists CDN assets when integrated' do
|
|
set_cdn_url('https://cdn.com')
|
|
|
|
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
|
|
expect(script_srcs).to include(*%w[
|
|
https://cdn.com/assets/
|
|
https://cdn.com/brotli_asset/
|
|
https://cdn.com/highlight-js/
|
|
https://cdn.com/javascripts/
|
|
https://cdn.com/plugins/
|
|
https://cdn.com/theme-javascripts/
|
|
http://test.localhost/extra-locales/
|
|
])
|
|
|
|
global_setting(:s3_cdn_url, 'https://s3-cdn.com')
|
|
|
|
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
|
|
expect(script_srcs).to include(*%w[
|
|
https://s3-cdn.com/assets/
|
|
https://s3-cdn.com/brotli_asset/
|
|
https://cdn.com/highlight-js/
|
|
https://cdn.com/javascripts/
|
|
https://cdn.com/plugins/
|
|
https://cdn.com/theme-javascripts/
|
|
http://test.localhost/extra-locales/
|
|
])
|
|
end
|
|
|
|
it 'can be extended with more sources' do
|
|
SiteSetting.content_security_policy_script_src = 'example.com|another.com'
|
|
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
|
|
expect(script_srcs).to include('example.com')
|
|
expect(script_srcs).to include('another.com')
|
|
expect(script_srcs).to include("'unsafe-eval'")
|
|
end
|
|
end
|
|
|
|
def parse(csp_string)
|
|
csp_string.split(';').map do |policy|
|
|
directive, *sources = policy.split
|
|
[directive, sources]
|
|
end.to_h
|
|
end
|
|
end
|