
In some error paths, headers that were set earlier can get overwritten (e.g. `Cross-Origin-Opener-Policy`) by middleware such as ActionDispatch::ShowExceptions. This PR sets the `Cross-Origin-Opener-Policy` header to the value of the SiteSetting `cross_origin_opener_policy_header` if it's missing and if the response is for HTML. In future, this DefaultHeaders middleware can be used to set other default headers that relate to security or other purposes. ### Testing <img width="631" alt="test" src="https://github.com/user-attachments/assets/05106a40-2bc7-435d-91a2-4dd2a098f349" />
# frozen_string_literal: true
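# Pins the order of the Rack middleware stack.
#
# The order is behaviour, not cosmetics: an entry earlier in this list wraps
# everything after it, so it sees the response on the way out and can repair
# anything an inner middleware changed. The full-list example catches any
# accidental reordering; the pairwise examples document the two orderings this
# app relies on and fail with a readable message when one of them is broken.
RSpec.describe "Middleware order" do
  let(:expected_middlewares) do
    [
      BlockRequestsMiddleware,
      TestMultisiteMiddleware,
      ActionDispatch::RemoteIp,
      Middleware::RequestTracker,
      MessageBus::Rack::Middleware,
      Middleware::ProcessingRequest,
      Rack::Sendfile,
      ActionDispatch::Static,
      ActionDispatch::Executor,
      Rack::MethodOverride,
      Middleware::EnforceHostname,
      ActionDispatch::RequestId,
      SilenceLogger,
      Middleware::DefaultHeaders,
      ActionDispatch::ShowExceptions,
      ActionDispatch::DebugExceptions,
      ActionDispatch::Callbacks,
      ActionDispatch::Cookies,
      ActionDispatch::Session::DiscourseCookieStore,
      Discourse::Cors,
      ActionDispatch::Flash,
      RspecErrorTracker,
      Middleware::CspScriptNonceInjector,
      Middleware::AnonymousCache,
      ContentSecurityPolicy::Middleware,
      ActionDispatch::PermissionsPolicy::Middleware,
      Rack::Head,
      Rack::ConditionalGet,
      Rack::TempfileReaper,
      Middleware::OmniauthBypassMiddleware,
    ]
  end

  let(:actual_middlewares) { Rails.configuration.middleware.middlewares }

  # `Array#index` returns nil for an absent middleware, and `nil < Integer`
  # raises NoMethodError instead of a useful expectation failure. The pairwise
  # examples therefore assert presence before comparing positions.
  let(:remote_ip_index) { actual_middlewares.index(ActionDispatch::RemoteIp) }
  let(:request_tracker_index) { actual_middlewares.index(Middleware::RequestTracker) }
  let(:default_headers_index) { actual_middlewares.index(Middleware::DefaultHeaders) }
  let(:show_exceptions_index) { actual_middlewares.index(ActionDispatch::ShowExceptions) }

  it "has the correct order of middlewares" do
    expect(actual_middlewares).to eq(expected_middlewares)
  end

  # NOTE(review): presumably RequestTracker keys on the client address that
  # RemoteIp resolves from the trusted proxy headers — confirm against
  # Middleware::RequestTracker before relying on this comment.
  it "ensures that ActionDispatch::RemoteIp comes before Middleware::RequestTracker" do
    expect(remote_ip_index).not_to be_nil
    expect(request_tracker_index).not_to be_nil
    expect(remote_ip_index).to be < request_tracker_index
  end

  # ShowExceptions builds the error response itself and can drop headers that
  # were set earlier in the request (e.g. Cross-Origin-Opener-Policy).
  # DefaultHeaders must sit outside it so that it still runs on that error
  # response and re-adds the missing security header.
  it "ensures that Middleware::DefaultHeaders comes before ActionDispatch::ShowExceptions" do
    expect(default_headers_index).not_to be_nil
    expect(show_exceptions_index).not_to be_nil
    expect(default_headers_index).to be < show_exceptions_index
  end
end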