1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/railties/test/application/permissions_policy_test.rb
Petrik 2e079154a8 Use Feature-Policy header name for now
In 90e710d767 the FeaturePolicy middleware
was renamed to PermissionsPolicy as this will be new name of the header
as used by browsers.
The Permissions-Policy header requires a different implementation and
isn't yet supported by all browsers. To avoid having to rename the
middleware in the future, we keep the new name for the Middleware, but
use the old implementation and header name.
2020-11-19 16:08:09 +01:00

191 lines
4.7 KiB
Ruby

# frozen_string_literal: true
require "isolation/abstract_unit"
require "rack/test"
module ApplicationTests
class PermissionsPolicyTest < ActiveSupport::TestCase
include ActiveSupport::Testing::Isolation
include Rack::Test::Methods
def setup
build_app
end
def teardown
teardown_app
end
test "permissions policy is not enabled by default" do
controller :pages, <<-RUBY
class PagesController < ApplicationController
def index
render html: "<h1>Welcome to Rails!</h1>"
end
end
RUBY
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
root to: "pages#index"
end
RUBY
app("development")
get "/"
assert_nil last_response.headers["Feature-Policy"]
end
test "global permissions policy in an initializer" do
controller :pages, <<-RUBY
class PagesController < ApplicationController
def index
render html: "<h1>Welcome to Rails!</h1>"
end
end
RUBY
app_file "config/initializers/permissions_policy.rb", <<-RUBY
Rails.application.config.permissions_policy do |p|
p.geolocation :none
end
RUBY
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
root to: "pages#index"
end
RUBY
app("development")
get "/"
assert_policy "geolocation 'none'"
end
test "override permissions policy using same directive in a controller" do
controller :pages, <<-RUBY
class PagesController < ApplicationController
permissions_policy do |p|
p.geolocation "https://example.com"
end
def index
render html: "<h1>Welcome to Rails!</h1>"
end
end
RUBY
app_file "config/initializers/permissions_policy.rb", <<-RUBY
Rails.application.config.permissions_policy do |p|
p.geolocation :none
end
RUBY
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
root to: "pages#index"
end
RUBY
app("development")
get "/"
assert_policy "geolocation https://example.com"
end
test "override permissions policy by unsetting a directive in a controller" do
controller :pages, <<-RUBY
class PagesController < ApplicationController
permissions_policy do |p|
p.geolocation nil
end
def index
render html: "<h1>Welcome to Rails!</h1>"
end
end
RUBY
app_file "config/initializers/permissions_policy.rb", <<-RUBY
Rails.application.config.permissions_policy do |p|
p.geolocation :none
end
RUBY
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
root to: "pages#index"
end
RUBY
app("development")
get "/"
assert_equal 200, last_response.status
assert_nil last_response.headers["Feature-Policy"]
end
test "override permissions policy using different directives in a controller" do
controller :pages, <<-RUBY
class PagesController < ApplicationController
permissions_policy do |p|
p.geolocation nil
p.payment "https://secure.example.com"
p.autoplay :none
end
def index
render html: "<h1>Welcome to Rails!</h1>"
end
end
RUBY
app_file "config/initializers/permissions_policy.rb", <<-RUBY
Rails.application.config.permissions_policy do |p|
p.geolocation :none
end
RUBY
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
root to: "pages#index"
end
RUBY
app("development")
get "/"
assert_policy "payment https://secure.example.com; autoplay 'none'"
end
test "global permissions policy added to rack app" do
app_file "config/initializers/permissions_policy.rb", <<-RUBY
Rails.application.config.permissions_policy do |p|
p.payment :none
end
RUBY
app_file "config/routes.rb", <<-RUBY
Rails.application.routes.draw do
app = ->(env) {
[200, { "Content-Type" => "text/html" }, ["<p>Hello, World!</p>"]]
}
root to: app
end
RUBY
app("development")
get "/"
assert_policy "payment 'none'"
end
private
def assert_policy(expected)
assert_equal 200, last_response.status
assert_equal expected, last_response.headers["Feature-Policy"]
end
end
end