blob: 9143d0f4720bcdc33b53bf3490fc357ad38285ee (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
# frozen_string_literal: true
RSpec.shared_examples 'setting CSP' do |rule_name|
let_it_be(:default_csp_values) { "'self' https://some-cdn.test" }
shared_context 'csp config' do |csp_rule|
before do
csp = ActionDispatch::ContentSecurityPolicy.new do |p|
p.send(csp_rule, default_csp_values) if csp_rule
end
expect_next_instance_of(extended_controller_class) do |controller|
expect(controller).to receive(:current_content_security_policy).at_least(:once).and_return(csp)
end
end
end
context 'when no CSP config' do
include_context 'csp config', nil
it 'does not add CSP directives' do
is_expected.to be_blank
end
end
describe "when a CSP config exists for #{rule_name}" do
include_context 'csp config', rule_name.parameterize.underscore.to_sym
context 'when feature is enabled' do
it "appends to #{rule_name}" do
is_expected.to eql("#{rule_name} #{default_csp_values} #{allowlisted_url}")
end
end
context 'when feature is disabled' do
include_context 'disable feature'
it "keeps original #{rule_name}" do
is_expected.to eql("#{rule_name} #{default_csp_values}")
end
end
end
describe "when a CSP config exists for default-src but not #{rule_name}" do
include_context 'csp config', :default_src
context 'when feature is enabled' do
it "uses default-src values in #{rule_name}" do
is_expected.to eql("default-src #{default_csp_values}; #{rule_name} #{default_csp_values} #{allowlisted_url}")
end
end
context 'when feature is disabled' do
include_context 'disable feature'
it "does not add #{rule_name}" do
is_expected.to eql("default-src #{default_csp_values}")
end
end
end
describe "when a CSP config exists for font-src but not #{rule_name}" do
include_context 'csp config', :font_src
context 'when feature is enabled' do
it "uses default-src values in #{rule_name}" do
is_expected.to eql("font-src #{default_csp_values}; #{rule_name} #{allowlisted_url}")
end
end
context 'when feature is disabled' do
include_context 'disable feature'
it "does not add #{rule_name}" do
is_expected.to eql("font-src #{default_csp_values}")
end
end
end
end
|
