  1. # frozen_string_literal: true
  2. require 'rails_helper'
  RSpec.describe 'API namespace minimal Content-Security-Policy' do
    # Each example swaps a throwaway controller in under Api::BaseController,
    # so the header under test presumably comes from the API base class alone
    # rather than from any real controller's own configuration.
    before { stub_tests_controller }

    # The route table is rewritten for the example; restore the real one.
    after { Rails.application.reload_routes! }

    it 'returns the correct CSP headers' do
      get '/api/v1/tests'

      expect(response).to have_http_status(:ok)
      expect(response.headers['Content-Security-Policy']).to eq(minimal_csp_headers)
    end

    private

    # Registers the stub controller constant and a single GET route to it.
    def stub_tests_controller
      stub_const('Api::V1::TestsController', api_tests_controller)
      Rails.application.routes.draw { get '/api/v1/tests', to: 'api/v1/tests#index' }
    end

    # Anonymous Api::BaseController subclass with an empty index action.
    # Session helpers are stubbed to an anonymous visitor so the example does
    # not depend on authentication state.
    def api_tests_controller
      Class.new(Api::BaseController) do
        def index = head(200)

        private

        def user_signed_in? = false
        def current_user = nil
      end
    end

    # The policy expected on API responses: default-src 'none' blocks every
    # resource load, frame-ancestors 'none' forbids embedding the response in
    # any frame, and form-action 'none' forbids it as a form submission target.
    def minimal_csp_headers
      "default-src 'none'; frame-ancestors 'none'; form-action 'none'"
    end
  end