Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'spec/requests/api/api_spec.rb')
-rw-r--r--spec/requests/api/api_spec.rb50
1 files changed, 50 insertions, 0 deletions
diff --git a/spec/requests/api/api_spec.rb b/spec/requests/api/api_spec.rb
index b6cb790bb71..260f7cbc226 100644
--- a/spec/requests/api/api_spec.rb
+++ b/spec/requests/api/api_spec.rb
@@ -262,4 +262,54 @@ RSpec.describe API::API do
end
end
end
+
+ describe 'content security policy header' do
+ let_it_be(:user) { create(:user) }
+
+ let(:csp) { nil }
+ let(:report_only) { false }
+
+ subject { get api("/users/#{user.id}", user) }
+
+ before do
+ allow(Rails.application.config).to receive(:content_security_policy).and_return(csp)
+ allow(Rails.application.config).to receive(:content_security_policy_report_only).and_return(report_only)
+ end
+
+ context 'when CSP is not configured globally' do
+ it 'does not set the CSP header' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.headers['Content-Security-Policy']).to be_nil
+ end
+ end
+
+ context 'when CSP is configured globally' do
+ let(:csp) do
+ ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.default_src :self
+ end
+ end
+
+ it 'sets a stricter CSP header' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.headers['Content-Security-Policy']).to eq("default-src 'none'")
+ end
+
+ context 'when report_only is true' do
+ let(:report_only) { true }
+
+ it 'does not set any CSP header' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.headers['Content-Security-Policy']).to be_nil
+ expect(response.headers['Content-Security-Policy-Report-Only']).to be_nil
+ end
+ end
+ end
+ end
end