github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 07:53:49 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

DEV: Add hidden cross_origin_opener_policy_header site setting (#23346)

Browse Source 
Why this change?

As part of our ongoing efforts to security harden the Discourse
application, we are adding the `cross_origin_opener_policy_header` site setting
which allows the `Cross-Origin-Opener-Policy` response header to be set on requests
that preloads the Discourse application. In more technical terms, only
GET requests that are not json or xhr will have the response header set.

The `cross_origin_opener_policy_header` site setting is hidden for now
for testing purposes and will either be released as a public site
setting or be remove if we decide to be opinionated and ship a default
for the `Cross-Origin-Opener-Policy` response header.
This commit is contained in:
Alan Guo Xiang Tan
2023-08-31 20:50:06 +08:00
committed by GitHub
parent d4322a69db
commit 5724b7bccd
3 changed files with 46 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
spec/requests/application_controller_spec.rb
View File

@ -517,6 +517,37 @@ RSpec.describe ApplicationController do
end
end
describe "setting `Cross-Origin-Opener-Policy` header" do
describe "when `cross_origin_opener_policy_header` site setting is set to `same-origin`" do
before { SiteSetting.cross_origin_opener_policy_header = "same-origin" }
it "sets `Cross-Origin-Opener-Policy` header to `same-origin`" do
get "/latest"
expect(response.status).to eq(200)
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("same-origin")
end
it "does not set the `Cross-Origin-Opener-Policy` header for a JSON request" do
get "/latest.json"
expect(response.status).to eq(200)
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq(nil)
end
end
describe "when `cross_origin_opener_policy_header` site setting is set to `unsafe-none`" do
it "does not set the `Cross-Origin-Opener-Policy` header" do
SiteSetting.cross_origin_opener_policy_header = "unsafe-none"
get "/latest"
expect(response.status).to eq(200)
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq(nil)
end
end
end
describe "splash_screen" do
let(:admin) { Fabricate(:admin) }