File tree 2 files changed +25
-0
lines changed
2 files changed +25
-0
lines changed Original file line number Diff line number Diff line change @@ -7,6 +7,21 @@ class WebApplication
77 CONTENT_LENGTH = "Content-Length"
88 CONTENT_TYPE = "Content-Type"
99 REDIS_KEYS = %w( redis_version uptime_in_days connected_clients used_memory_human used_memory_peak_human )
10+ CSP_HEADER = [
11+ "default-src 'self' https: http:" ,
12+ "child-src 'self'" ,
13+ "connect-src 'self' https: http: wss: ws:" ,
14+ "font-src 'self' https: http:" ,
15+ "frame-src 'self'" ,
16+ "img-src 'self' https: http: data:" ,
17+ "manifest-src 'self'" ,
18+ "media-src 'self'" ,
19+ "object-src 'none'" ,
20+ "script-src 'self' https: http:" ,
21+ "style-src 'self' https: http: 'unsafe-inline'" ,
22+ "worker-src 'self'" ,
23+ "base-uri 'self'"
24+ ] . join ( '; ' ) . freeze
1025
1126 def initialize ( klass )
1227 @klass = klass
@@ -279,6 +294,7 @@ def call(env)
279294 "Content-Type" => "text/html" ,
280295 "Cache-Control" => "no-cache" ,
281296 "Content-Language" => action . locale ,
297+ "Content-Security-Policy" => CSP_HEADER
282298 }
283299
284300 [ 200 , headers , [ resp ] ]
Original file line number Diff line number Diff line change @@ -54,6 +54,15 @@ def perform(a, b)
5454 assert_match ( /Oversikt/ , last_response . body )
5555 end
5656
57+ it 'can provide a default, appropriate CSP for its content' do
58+ get '/' , { }
59+ policies = last_response . headers [ "Content-Security-Policy" ] . split ( '; ' )
60+ assert_includes ( policies , "connect-src 'self' https: http: wss: ws:" )
61+ assert_includes ( policies , "style-src 'self' https: http: 'unsafe-inline'" )
62+ assert_includes ( policies , "script-src 'self' https: http:" )
63+ assert_includes ( policies , "object-src 'none'" )
64+ end
65+
5766 describe 'busy' do
5867
5968 it 'can display workers' do
You can’t perform that action at this time.
0 commit comments