blob: 3f0665f1ce572dfdfc67084edb5d1b14db9325d9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
# frozen_string_literal: true
require 'spec_helper'
# The AnonymousController doesn't support setting the CSP
# This is why an arbitrary test request was chosen instead
# of testing in application_controller_spec.
RSpec.describe 'Content Security Policy', feature_category: :application_instrumentation do
let(:snowplow_host) { 'snowplow.example.com' }
shared_examples 'snowplow is not in the CSP' do
it 'does not add the snowplow collector hostname to the CSP' do
get explore_root_url
expect(response).to have_gitlab_http_status(:ok)
expect(response.headers['Content-Security-Policy']).not_to include(snowplow_host)
end
end
describe 'GET #explore' do
context 'snowplow is enabled' do
before do
stub_application_setting(snowplow_enabled: true, snowplow_collector_hostname: snowplow_host)
end
it 'adds the snowplow collector hostname to the CSP' do
get explore_root_url
expect(response).to have_gitlab_http_status(:ok)
expect(response.headers['Content-Security-Policy']).to include(snowplow_host)
end
end
context 'snowplow is enabled but host is not configured' do
before do
stub_application_setting(snowplow_enabled: true)
end
it_behaves_like 'snowplow is not in the CSP'
end
context 'snowplow is disabled' do
before do
stub_application_setting(snowplow_enabled: false, snowplow_collector_hostname: snowplow_host)
end
it_behaves_like 'snowplow is not in the CSP'
end
end
end
|
