discourse/spec/integrity/middleware_order_spec.rb
Kelv 0d90f6e3c3 FIX: cross origin opener policy should apply to public error responses (#31559)
In some error paths, headers that were set earlier can get overwritten
(e.g. `Cross-Origin-Opener-Policy`) by middleware such as
ActionDispatch::ShowExceptions.

This PR sets the `Cross-Origin-Opener-Policy` header to the value of the
SiteSetting `cross_origin_opener_policy_header` if it's missing and if
the response is for HTML.

In future, this DefaultHeaders middleware can be used to set other
default headers that relate to security or other purposes.

### Testing
<img width="631" alt="test"
src="https://github.com/user-attachments/assets/05106a40-2bc7-435d-91a2-4dd2a098f349"
/>
2025-03-03 17:04:24 +08:00


# frozen_string_literal: true
RSpec.describe "Middleware order" do
  # The full, ordered middleware stack this application is expected to boot
  # with. Any reordering, addition or removal shows up as a diff in the
  # equality example below, so stack changes have to be made deliberately.
  let(:expected_middlewares) do
    [
      BlockRequestsMiddleware,
      TestMultisiteMiddleware,
      ActionDispatch::RemoteIp,
      Middleware::RequestTracker,
      MessageBus::Rack::Middleware,
      Middleware::ProcessingRequest,
      Rack::Sendfile,
      ActionDispatch::Static,
      ActionDispatch::Executor,
      Rack::MethodOverride,
      Middleware::EnforceHostname,
      ActionDispatch::RequestId,
      SilenceLogger,
      Middleware::DefaultHeaders,
      ActionDispatch::ShowExceptions,
      ActionDispatch::DebugExceptions,
      ActionDispatch::Callbacks,
      ActionDispatch::Cookies,
      ActionDispatch::Session::DiscourseCookieStore,
      Discourse::Cors,
      ActionDispatch::Flash,
      RspecErrorTracker,
      Middleware::CspScriptNonceInjector,
      Middleware::AnonymousCache,
      ContentSecurityPolicy::Middleware,
      ActionDispatch::PermissionsPolicy::Middleware,
      Rack::Head,
      Rack::ConditionalGet,
      Rack::TempfileReaper,
      Middleware::OmniauthBypassMiddleware,
    ]
  end

  # The stack as actually configured by Rails at boot.
  let(:actual_middlewares) { Rails.configuration.middleware.middlewares }

  # Position of +middleware+ in the live stack; nil when it is not present,
  # which makes the `<` comparisons below fail loudly rather than pass.
  def position_of(middleware)
    actual_middlewares.index(middleware)
  end

  it "has the correct order of middlewares" do
    expect(actual_middlewares).to eq(expected_middlewares)
  end

  # RemoteIp must resolve the client address before the request tracker
  # records it, so the tracker sees the real (proxy-unwrapped) IP.
  it "ensures that ActionDispatch::RemoteIp comes before Middleware::RequestTracker" do
    expect(position_of(ActionDispatch::RemoteIp)).to be < position_of(Middleware::RequestTracker)
  end

  # Rack middleware earlier in the list wraps the later ones and therefore
  # sees the response last. DefaultHeaders has to sit outside ShowExceptions
  # so that security headers (e.g. Cross-Origin-Opener-Policy) missing from a
  # public error response are still filled in after the exception handler has
  # built that response.
  it "ensures that Middleware::DefaultHeaders comes before ActionDispatch::ShowExceptions" do
    expect(position_of(Middleware::DefaultHeaders)).to be < position_of(ActionDispatch::ShowExceptions)
  end
end