2023-07-21 13:34:15 +02:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'rails_helper'
|
|
|
|
|
2024-09-04 07:12:25 +02:00
|
|
|
RSpec.describe 'Content-Security-Policy' do
|
2024-03-13 09:22:32 +01:00
|
|
|
before { allow(SecureRandom).to receive(:base64).with(16).and_return('ZbA+JmE7+bK8F5qvADZHuQ==') }
|
2023-07-21 13:34:15 +02:00
|
|
|
|
2024-03-13 09:22:32 +01:00
|
|
|
it 'sets the expected CSP headers' do
|
2023-07-21 13:34:15 +02:00
|
|
|
get '/'
|
2024-03-13 09:22:32 +01:00
|
|
|
|
|
|
|
expect(response_csp_headers)
|
|
|
|
.to match_array(expected_csp_headers)
|
|
|
|
end
|
|
|
|
|
|
|
|
def response_csp_headers
|
|
|
|
response
|
|
|
|
.headers['Content-Security-Policy']
|
|
|
|
.split(';')
|
|
|
|
.map(&:strip)
|
|
|
|
end
|
|
|
|
|
|
|
|
def expected_csp_headers
|
|
|
|
<<~CSP.split("\n").map(&:strip)
|
|
|
|
base-uri 'none'
|
|
|
|
child-src 'self' blob: https://cb6e6126.ngrok.io
|
2024-05-10 14:36:09 +02:00
|
|
|
connect-src 'self' data: blob: https://cb6e6126.ngrok.io #{Rails.configuration.x.streaming_api_base_url}
|
2024-03-13 09:22:32 +01:00
|
|
|
default-src 'none'
|
|
|
|
font-src 'self' https://cb6e6126.ngrok.io
|
2024-09-12 15:24:19 +02:00
|
|
|
form-action 'none'
|
2024-03-13 09:22:32 +01:00
|
|
|
frame-ancestors 'none'
|
|
|
|
frame-src 'self' https:
|
|
|
|
img-src 'self' data: blob: https://cb6e6126.ngrok.io
|
|
|
|
manifest-src 'self' https://cb6e6126.ngrok.io
|
|
|
|
media-src 'self' data: https://cb6e6126.ngrok.io
|
|
|
|
script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'
|
|
|
|
style-src 'self' https://cb6e6126.ngrok.io 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='
|
|
|
|
worker-src 'self' blob: https://cb6e6126.ngrok.io
|
|
|
|
CSP
|
2023-07-21 13:34:15 +02:00
|
|
|
end
|
|
|
|
end
|