FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180)

- Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly
2025-06-04 23:36:11 +08:00 · 2020-03-19 19:54:42 +00:00
parent e9a3639b10
commit 19814c5e81
10 changed files with 122 additions and 21 deletions
--- a/spec/integration/content_security_policy_spec.rb
+++ b/spec/integration/content_security_policy_spec.rb
@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'content security policy integration' do
+
+  it "adds the csp headers correctly" do
+    SiteSetting.content_security_policy = false
+    get "/"
+    expect(response.headers["Content-Security-Policy"]).to eq(nil)
+
+    SiteSetting.content_security_policy = true
+    get "/"
+    expect(response.headers["Content-Security-Policy"]).to be_present
+  end
+
+  context "with different hostnames" do
+    before do
+      SiteSetting.content_security_policy = true
+      RailsMultisite::ConnectionManagement.stubs(:current_db_hostnames).returns(['primary.example.com', 'secondary.example.com'])
+      RailsMultisite::ConnectionManagement.stubs(:current_hostname).returns('primary.example.com')
+    end
+
+    it "works with the primary domain" do
+      host! "primary.example.com"
+      get "/"
+      expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com")
+    end
+
+    it "works with the secondary domain" do
+      host! "secondary.example.com"
+      get "/"
+      expect(response.headers["Content-Security-Policy"]).to include("http://secondary.example.com")
+    end
+
+    it "uses the primary domain for unknown hosts" do
+      host! "unknown.example.com"
+      get "/"
+      expect(response.headers["Content-Security-Policy"]).to include("http://primary.example.com")
+    end
+  end
+
+  context "with different protocols" do
+    it "forces https when the site setting is enabled" do
+      SiteSetting.force_https = true
+      get "/"
+      expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost")
+    end
+
+    it "uses https when the site setting is disabled, but request is ssl" do
+      SiteSetting.force_https = false
+      https!
+      get "/"
+      expect(response.headers["Content-Security-Policy"]).to include("https://test.localhost")
+    end
+  end
+
+end