kotovalexarian-likes-github/sinatra
1
0
Fork 0
mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00
Code Releases Activity
sinatra/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb

45 lines
2.5 KiB
Ruby
Raw Normal View History

added content security policies
2014-02-21 11:50:44 +00:00
describe Rack::Protection::ContentSecurityPolicy do
it_behaves_like "any rack application"
it 'should set the Content Security Policy' do
Update rspec syntax from #75
2016-07-26 15:41:56 +09:00
expect(
get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
Enclose CSP self in quotes per https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives, the quotes are required (see mpheram/sidekiq#3070)
2016-07-28 16:05:53 -04:00
).to eq("default-src none; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'")
added content security policies
2014-02-21 11:50:44 +00:00
end
it 'should not set the Content Security Policy for other content types' do
headers = get('/', {}, 'wants' => 'text/foo').headers
Update rspec syntax from #75
2016-07-26 15:41:56 +09:00
expect(headers["Content-Security-Policy"]).to be_nil
expect(headers["Content-Security-Policy-Report-Only"]).to be_nil
added content security policies
2014-02-21 11:50:44 +00:00
end
it 'should allow changing the protection settings' do
mock_app do
use Rack::Protection::ContentSecurityPolicy, :default_src => 'none', :script_src => 'https://cdn.mybank.net', :style_src => 'https://cdn.mybank.net', :img_src => 'https://cdn.mybank.net', :connect_src => 'https://api.mybank.com', :frame_src => 'self', :font_src => 'https://cdn.mybank.net', :object_src => 'https://cdn.mybank.net', :media_src => 'https://cdn.mybank.net', :report_uri => '/my_amazing_csp_report_parser', :sandbox => 'allow-scripts'
run DummyApp
end
headers = get('/', {}, 'wants' => 'text/html').headers
Include img-src in expected test output Again, I'm assuming this is the intent, as `should allow changing ...` does try to change img-src
2016-07-26 17:35:57 -04:00
expect(headers["Content-Security-Policy"]).to eq("default-src none; script-src https://cdn.mybank.net; connect-src https://api.mybank.com; font-src https://cdn.mybank.net; frame-src self; img-src https://cdn.mybank.net; media-src https://cdn.mybank.net; style-src https://cdn.mybank.net; object-src https://cdn.mybank.net; report-uri /my_amazing_csp_report_parser; sandbox allow-scripts")
Update rspec syntax from #75
2016-07-26 15:41:56 +09:00
expect(headers["Content-Security-Policy-Report-Only"]).to be_nil
added content security policies
2014-02-21 11:50:44 +00:00
end
it 'should allow changing report only' do
# I have no clue what other modes are available
mock_app do
use Rack::Protection::ContentSecurityPolicy, :report_uri => '/my_amazing_csp_report_parser', :report_only => true
run DummyApp
end
headers = get('/', {}, 'wants' => 'text/html').headers
Update rspec syntax from #75
2016-07-26 15:41:56 +09:00
expect(headers["Content-Security-Policy"]).to be_nil
Enclose CSP self in quotes per https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives, the quotes are required (see mpheram/sidekiq#3070)
2016-07-28 16:05:53 -04:00
expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src none; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri /my_amazing_csp_report_parser")
added content security policies
2014-02-21 11:50:44 +00:00
end
it 'should not override the header if already set' do
mock_app with_headers("Content-Security-Policy" => "default-src: none")
Update rspec syntax from #75
2016-07-26 15:41:56 +09:00
expect(get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]).to eq("default-src: none")
added content security policies
2014-02-21 11:50:44 +00:00
end
end
Copy permalink