FEATURE: [Experimental] Content Security Policy (#6514)

do not register new MIME type, parse raw body instead
2025-05-21 18:12:32 +08:00 · 2018-10-22 13:22:23 -04:00
parent ec2613699f
commit e9a971a2b6
10 changed files with 324 additions and 1 deletions
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@ -196,4 +196,69 @@ RSpec.describe ApplicationController do
      expect(controller.theme_ids).to eq([theme.id])
    end
  end
+
+  describe 'Content Security Policy' do
+    it 'is enabled by SiteSettings' do
+      SiteSetting.content_security_policy = false
+      SiteSetting.content_security_policy_report_only = false
+
+      get '/'
+
+      expect(response.headers).to_not include('Content-Security-Policy')
+      expect(response.headers).to_not include('Content-Security-Policy-Report-Only')
+
+      SiteSetting.content_security_policy = true
+      SiteSetting.content_security_policy_report_only = true
+
+      get '/'
+
+      expect(response.headers).to include('Content-Security-Policy')
+      expect(response.headers).to include('Content-Security-Policy-Report-Only')
+    end
+
+    it 'can be customized with SiteSetting' do
+      SiteSetting.content_security_policy = true
+
+      get '/'
+      script_src = parse(response.headers['Content-Security-Policy'])['script-src']
+
+      expect(script_src).to_not include('example.com')
+
+      SiteSetting.content_security_policy_script_src = 'example.com'
+
+      get '/'
+      script_src = parse(response.headers['Content-Security-Policy'])['script-src']
+
+      expect(script_src).to include('example.com')
+      expect(script_src).to include("'self'")
+      expect(script_src).to include("'unsafe-eval'")
+    end
+
+    it 'does not set CSP when responding to non-HTML' do
+      SiteSetting.content_security_policy = true
+      SiteSetting.content_security_policy_report_only = true
+
+      get '/latest.json'
+
+      expect(response.headers).to_not include('Content-Security-Policy')
+      expect(response.headers).to_not include('Content-Security-Policy-Report-Only')
+    end
+
+    it 'does not set CSP for /logs' do
+      sign_in(Fabricate(:admin))
+      SiteSetting.content_security_policy = true
+
+      get '/logs'
+
+      expect(response.status).to eq(200)
+      expect(response.headers).to_not include('Content-Security-Policy')
+    end
+
+    def parse(csp_string)
+      csp_string.split(';').map do |policy|
+        directive, *sources = policy.split
+        [directive, sources]
+      end.to_h
+    end
+  end
 end