FEATURE: Calculate CSP based on active themes (#6976)

2025-06-03 02:48:28 +08:00 · 2019-02-11 12:32:04 +00:00
parent e0c16d3a8a
commit 705c898c21
4 changed files with 45 additions and 33 deletions
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@ -120,31 +120,42 @@ describe ContentSecurityPolicy do
    Discourse.plugins.pop
  end

-  it 'can be extended by themes' do
-    policy # call this first to make sure further actions clear the cache
+  context "with a theme" do
+    let!(:theme) {
+      Fabricate(:theme).tap do |t|
+        settings = <<~YML
+          extend_content_security_policy:
+            type: list
+            default: 'script-src: from-theme.com'
+        YML
+        t.set_field(target: :settings, name: :yaml, value: settings)
+        t.save!
+      end
+    }

-    theme = Fabricate(:theme)
-    settings = <<~YML
-      extend_content_security_policy:
-        type: list
-        default: 'script-src: from-theme.com'
-    YML
-    theme.set_field(target: :settings, name: :yaml, value: settings)
-    theme.save!
+    def theme_policy
+      policy([theme.id])
+    end

-    expect(parse(policy)['script-src']).to include('from-theme.com')
+    it 'can be extended by themes' do
+      policy # call this first to make sure further actions clear the cache

-    theme.update_setting(:extend_content_security_policy, "script-src: https://from-theme.net|worker-src: from-theme.com")
-    theme.save!
+      expect(parse(policy)['script-src']).not_to include('from-theme.com')

-    expect(parse(policy)['script-src']).to_not include('from-theme.com')
-    expect(parse(policy)['script-src']).to include('https://from-theme.net')
-    expect(parse(policy)['worker-src']).to include('from-theme.com')
+      expect(parse(theme_policy)['script-src']).to include('from-theme.com')

-    theme.destroy!
+      theme.update_setting(:extend_content_security_policy, "script-src: https://from-theme.net|worker-src: from-theme.com")
+      theme.save!

-    expect(parse(policy)['script-src']).to_not include('https://from-theme.net')
-    expect(parse(policy)['worker-src']).to_not include('from-theme.com')
+      expect(parse(theme_policy)['script-src']).to_not include('from-theme.com')
+      expect(parse(theme_policy)['script-src']).to include('https://from-theme.net')
+      expect(parse(theme_policy)['worker-src']).to include('from-theme.com')
+
+      theme.destroy!
+
+      expect(parse(theme_policy)['script-src']).to_not include('https://from-theme.net')
+      expect(parse(theme_policy)['worker-src']).to_not include('from-theme.com')
+    end
  end

  it 'can be extended by site setting' do
@ -160,7 +171,7 @@ describe ContentSecurityPolicy do
    end.to_h
  end

-  def policy
-    ContentSecurityPolicy.policy
+  def policy(theme_ids = [])
+    ContentSecurityPolicy.policy(theme_ids)
  end
 end