diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb index d4cc40bce..d4447dca4 100644 --- a/spec/requests/content_security_policy_spec.rb +++ b/spec/requests/content_security_policy_spec.rb @@ -3,25 +3,38 @@ require 'rails_helper' describe 'Content-Security-Policy' do - it 'sets the expected CSP headers' do - allow(SecureRandom).to receive(:base64).with(16).and_return('ZbA+JmE7+bK8F5qvADZHuQ==') + before { allow(SecureRandom).to receive(:base64).with(16).and_return('ZbA+JmE7+bK8F5qvADZHuQ==') } + it 'sets the expected CSP headers' do get '/' - expect(response.headers['Content-Security-Policy'].split(';').map(&:strip)).to contain_exactly( - "base-uri 'none'", - "default-src 'none'", - "frame-ancestors 'none'", - "font-src 'self' https://cb6e6126.ngrok.io", - "img-src 'self' data: blob: https://cb6e6126.ngrok.io", - "style-src 'self' https://cb6e6126.ngrok.io 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='", - "media-src 'self' data: https://cb6e6126.ngrok.io", - "frame-src 'self' https:", - "manifest-src 'self' https://cb6e6126.ngrok.io", - "form-action 'self'", - "child-src 'self' blob: https://cb6e6126.ngrok.io", - "worker-src 'self' blob: https://cb6e6126.ngrok.io", - "connect-src 'self' data: blob: https://cb6e6126.ngrok.io ws://cb6e6126.ngrok.io:4000", - "script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'" - ) + + expect(response_csp_headers) + .to match_array(expected_csp_headers) + end + + def response_csp_headers + response + .headers['Content-Security-Policy'] + .split(';') + .map(&:strip) + end + + def expected_csp_headers + <<~CSP.split("\n").map(&:strip) + base-uri 'none' + child-src 'self' blob: https://cb6e6126.ngrok.io + connect-src 'self' data: blob: https://cb6e6126.ngrok.io ws://cb6e6126.ngrok.io:4000 + default-src 'none' + font-src 'self' https://cb6e6126.ngrok.io + form-action 'self' + frame-ancestors 'none' + frame-src 'self' https: + img-src 'self' data: blob: https://cb6e6126.ngrok.io + manifest-src 'self' https://cb6e6126.ngrok.io + media-src 'self' data: https://cb6e6126.ngrok.io + script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval' + style-src 'self' https://cb6e6126.ngrok.io 'nonce-ZbA+JmE7+bK8F5qvADZHuQ==' + worker-src 'self' blob: https://cb6e6126.ngrok.io + CSP end end