mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
2e079154a8
In 90e710d767 the FeaturePolicy middleware was renamed to PermissionsPolicy,
as this will be the new name of the header used by browsers.
The Permissions-Policy header requires a different implementation and
isn't yet supported by all browsers. To avoid having to rename the
middleware in the future, we keep the new name for the Middleware, but
use the old implementation and header name.
# frozen_string_literal: true
require "isolation/abstract_unit"
require "rack/test"
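module ApplicationTests
  # Integration tests for the permissions-policy configuration API.
  #
  # Each test writes a controller, an initializer and/or a routes file into a
  # generated application, boots it, issues `GET /` through Rack::Test and
  # inspects the response headers.
  #
  # The configuration API is named `permissions_policy`, but every assertion
  # here reads the "Feature-Policy" response header: that is the header name
  # these tests expect the application to emit.
  #
  # Security-relevant behaviour pinned by this suite:
  # * no policy header is sent unless a policy is configured;
  # * a controller-level policy can replace or remove a directive that was set
  #   globally, so the global initializer is a default rather than a floor;
  # * the global policy also applies to a bare Rack endpoint mounted in the
  #   routes, not only to controller responses.
  class PermissionsPolicyTest < ActiveSupport::TestCase
    # NOTE(review): presumably runs each test in an isolated process so that
    # booting a fresh application per test does not leak state; the module is
    # defined outside this file -- confirm there.
    include ActiveSupport::Testing::Isolation
    # Provides `get` and `last_response` used by every test below.
    include Rack::Test::Methods

    # Generates the application under test (helper defined outside this file).
    def setup
      build_app
    end

    # Removes the generated application (helper defined outside this file).
    def teardown
      teardown_app
    end

    # Baseline: with no initializer and no controller-level policy the
    # response carries no Feature-Policy header at all.
    test "permissions policy is not enabled by default" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      # Check the status first: an error response would also lack the header,
      # and the nil assertion alone would then pass for the wrong reason.
      assert_equal 200, last_response.status
      assert_nil last_response.headers["Feature-Policy"]
    end

    # A policy declared only in the initializer is emitted for a controller
    # that declares no policy of its own.
    test "global permissions policy in an initializer" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.geolocation :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      assert_policy "geolocation 'none'"
    end

    # The controller's value for a directive wins over the global one: the
    # global `'none'` is replaced by the origin the controller allows.
    test "override permissions policy using same directive in a controller" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          permissions_policy do |p|
            p.geolocation "https://example.com"
          end

          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.geolocation :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      assert_policy "geolocation https://example.com"
    end

    # Passing nil for a directive in the controller removes it. Because it was
    # the only directive configured, the header disappears entirely, so the
    # globally configured restriction is not enforced for this controller.
    test "override permissions policy by unsetting a directive in a controller" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          permissions_policy do |p|
            p.geolocation nil
          end

          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.geolocation :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      # The status check separates "header intentionally absent" from
      # "request failed before any header could be set".
      assert_equal 200, last_response.status
      assert_nil last_response.headers["Feature-Policy"]
    end

    # The controller unsets the global geolocation directive and adds two of
    # its own; only the controller's directives appear in the header, in the
    # order asserted below.
    test "override permissions policy using different directives in a controller" do
      controller :pages, <<-RUBY
        class PagesController < ApplicationController
          permissions_policy do |p|
            p.geolocation nil
            p.payment "https://secure.example.com"
            p.autoplay :none
          end

          def index
            render html: "<h1>Welcome to Rails!</h1>"
          end
        end
      RUBY

      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.geolocation :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          root to: "pages#index"
        end
      RUBY

      app("development")

      get "/"
      assert_policy "payment https://secure.example.com; autoplay 'none'"
    end

    # The root route points at a plain Rack lambda rather than a controller;
    # the globally configured policy must still be present on its response.
    test "global permissions policy added to rack app" do
      app_file "config/initializers/permissions_policy.rb", <<-RUBY
        Rails.application.config.permissions_policy do |p|
          p.payment :none
        end
      RUBY

      app_file "config/routes.rb", <<-RUBY
        Rails.application.routes.draw do
          app = ->(env) {
            [200, { "Content-Type" => "text/html" }, ["<p>Hello, World!</p>"]]
          }
          root to: app
        end
      RUBY

      app("development")

      get "/"
      assert_policy "payment 'none'"
    end

    private
      # Asserts that the last response succeeded and carries exactly the
      # given policy string in its Feature-Policy header.
      #
      # @param expected [String] the full expected header value
      def assert_policy(expected)
        assert_equal 200, last_response.status
        assert_equal expected, last_response.headers["Feature-Policy"]
      end
  end
end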