Diffstat (limited to 'spec/features/static_site_editor_spec.rb')
-rw-r--r-- | spec/features/static_site_editor_spec.rb | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/spec/features/static_site_editor_spec.rb b/spec/features/static_site_editor_spec.rb
index 03085917d67..a47579582e2 100644
--- a/spec/features/static_site_editor_spec.rb
+++ b/spec/features/static_site_editor_spec.rb
@@ -73,4 +73,44 @@ RSpec.describe 'Static Site Editor' do
       expect(node['data-static-site-generator']).to eq('middleman')
     end
   end
+
+  describe 'Static Site Editor Content Security Policy' do
+    subject { response_headers['Content-Security-Policy'] }
+
+    context 'when no global CSP config exists' do
+      before do
+        expect_next_instance_of(Projects::StaticSiteEditorController) do |controller|
+          expect(controller).to receive(:current_content_security_policy)
+            .and_return(ActionDispatch::ContentSecurityPolicy.new)
+        end
+      end
+
+      it 'does not add CSP directives' do
+        visit sse_path
+
+        is_expected.to be_blank
+      end
+    end
+
+    context 'when a global CSP config exists' do
+      let_it_be(:cdn_url) { 'https://some-cdn.test' }
+      let_it_be(:youtube_url) { 'https://www.youtube.com' }
+
+      before do
+        csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+          p.frame_src :self, cdn_url
+        end
+
+        expect_next_instance_of(Projects::StaticSiteEditorController) do |controller|
+          expect(controller).to receive(:current_content_security_policy).and_return(csp)
+        end
+      end
+
+      it 'appends youtube to the CSP frame-src policy' do
+        visit sse_path
+
+        is_expected.to eql("frame-src 'self' #{cdn_url} #{youtube_url}")
+      end
+    end
+  end
 end
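Review bot: The 'appends youtube to the CSP frame-src policy' example only proves that frame-src gains the extra origin; because the stubbed policy carries a single directive, it would still pass if the controller rebuilt the header and dropped every other directive of the global policy, which is the failure mode that actually weakens the page's CSP. Giving the stub a second directive and asserting it survives closes that gap, e.g. `p.default_src :self` before the existing `p.frame_src :self, cdn_url`, and `is_expected.to eql("default-src 'self'; frame-src 'self' #{cdn_url} #{youtube_url}")` (the serialized directive order should follow the order they were set, but confirm against the Rails version in use). The hard-coded `youtube_url` also duplicates whatever origin the controller appends; if the controller exposes that value as a constant, reference it here so the spec cannot drift from the production value.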