1
0

content_security_policy_spec.rb 1.2 KB

12345678910111213141516171819202122232425262728293031323334353637383940
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. RSpec.describe 'Content-Security-Policy' do
  4. before { allow(SecureRandom).to receive(:base64).with(16).and_return('ZbA+JmE7+bK8F5qvADZHuQ==') }
  5. it 'sets the expected CSP headers' do
  6. get '/'
  7. expect(response_csp_headers)
  8. .to match_array(expected_csp_headers)
  9. end
  10. def response_csp_headers
  11. response
  12. .headers['Content-Security-Policy']
  13. .split(';')
  14. .map(&:strip)
  15. end
  16. def expected_csp_headers
  17. <<~CSP.split("\n").map(&:strip)
  18. base-uri 'none'
  19. child-src 'self' blob: https://cb6e6126.ngrok.io
  20. connect-src 'self' data: blob: https://cb6e6126.ngrok.io #{Rails.configuration.x.streaming_api_base_url}
  21. default-src 'none'
  22. font-src 'self' https://cb6e6126.ngrok.io
  23. form-action 'none'
  24. frame-ancestors 'none'
  25. frame-src 'self' https:
  26. img-src 'self' data: blob: https://cb6e6126.ngrok.io
  27. manifest-src 'self' https://cb6e6126.ngrok.io
  28. media-src 'self' data: https://cb6e6126.ngrok.io
  29. script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'
  30. style-src 'self' https://cb6e6126.ngrok.io 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='
  31. worker-src 'self' blob: https://cb6e6126.ngrok.io
  32. CSP
  33. end
  34. end