# frozen_string_literal: true
require 'spec_helper'
# The AnonymousController used by controller specs doesn't support setting
# the CSP. That is why this is a request spec exercising an arbitrary route
# (GET explore root) instead of a test in application_controller_spec.
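# Request spec for the Content-Security-Policy response header.
#
# Covers one configuration-driven CSP entry: the Snowplow collector hostname
# (application settings `snowplow_enabled` / `snowplow_collector_hostname`).
# The host may appear in the CSP only when tracking is enabled AND a hostname
# is configured; every other combination must leave it out, so a disabled or
# unconfigured collector never widens the policy.
RSpec.describe 'Content Security Policy' do
  # Reserved example domain (RFC 2606), so a match cannot come from any real
  # host that happens to be in the policy.
  let(:snowplow_host) { 'snowplow.example.com' }

  # Negative case shared by every configuration that must NOT expose the host.
  # RSpec's `include` matcher does not pass vacuously on nil (it reports that
  # the actual does not respond to `include?`), so a missing CSP header is
  # expected to fail this example rather than slip through.
  shared_examples 'snowplow is not in the CSP' do
    it 'does not add the snowplow collector hostname to the CSP' do
      get explore_root_url

      expect(response).to have_gitlab_http_status(:ok)
      expect(response.headers['Content-Security-Policy']).not_to include(snowplow_host)
    end
  end

  describe 'GET #explore' do
    context 'snowplow is enabled' do
      before do
        stub_application_setting(snowplow_enabled: true, snowplow_collector_hostname: snowplow_host)
      end

      # Only asserts the host is present somewhere in the policy; the directive
      # it lands in (e.g. connect-src vs script-src) is not pinned here.
      # TODO(review): consider asserting the directive so an over-broad source
      # list is caught as well.
      it 'adds the snowplow collector hostname to the CSP' do
        get explore_root_url

        expect(response).to have_gitlab_http_status(:ok)
        expect(response.headers['Content-Security-Policy']).to include(snowplow_host)
      end
    end

    context 'snowplow is enabled but host is not configured' do
      before do
        # Stub the hostname to nil explicitly instead of relying on the
        # application-setting default, so this context keeps meaning
        # "no collector host" even if that default ever changes.
        stub_application_setting(snowplow_enabled: true, snowplow_collector_hostname: nil)
      end

      it_behaves_like 'snowplow is not in the CSP'
    end

    context 'snowplow is disabled' do
      before do
        # A hostname is configured but tracking is off: the host must stay out.
        stub_application_setting(snowplow_enabled: false, snowplow_collector_hostname: snowplow_host)
      end

      it_behaves_like 'snowplow is not in the CSP'
    end
  end
end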