X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fpleroma%2Fweb%2Fplugs%2Fhttp_security_plug_test.exs;h=d88d4624f201206f2e30e964e7ec34411dcb3e45;hb=9464d505628d9f9dc20e54055d8853bea1d6722b;hp=4e7befdd5345a89ad6b803ff1c3e1608c3ab3a5c;hpb=d7af0294e6a3a690524e0a08a35c9c6dafbb9f79;p=akkoma
diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs
index 4e7befdd5..d88d4624f 100644
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@@ -17,7 +17,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
 refute Conn.get_resp_header(conn, "x-frame-options") == []
 refute Conn.get_resp_header(conn, "x-content-type-options") == []
- refute Conn.get_resp_header(conn, "x-download-options") == []
 refute Conn.get_resp_header(conn, "referrer-policy") == []
 refute Conn.get_resp_header(conn, "content-security-policy") == []
 end
@@ -28,7 +27,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 conn = get(conn, "/api/v1/instance")
 refute Conn.get_resp_header(conn, "strict-transport-security") == []
- refute Conn.get_resp_header(conn, "expect-ct") == []
 end
 test "it does not send STS headers when disabled", %{conn: conn} do
@@ -37,7 +35,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 conn = get(conn, "/api/v1/instance")
 assert Conn.get_resp_header(conn, "strict-transport-security") == []
- assert Conn.get_resp_header(conn, "expect-ct") == []
 end
 test "referrer-policy header reflects configured value", %{conn: conn} do
@@ -59,9 +56,9 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;|
- [reply_to] = Conn.get_resp_header(conn, "reply-to")
+ [report_to] = Conn.get_resp_header(conn, "report-to")
- assert reply_to ==
+ assert report_to ==
 "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
 end
@@ -100,12 +97,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 url = "https://example.com"
 clear_config([:media_proxy, :base_url], url)
 assert_media_img_src(conn, url)
+ assert_connect_src(conn, url)
 end
 test "upload with base url", %{conn: conn} do
 url = "https://example2.com"
 clear_config([Pleroma.Upload, :base_url], url)
 assert_media_img_src(conn, url)
+ assert_connect_src(conn, url)
 end
 test "with S3 public endpoint", %{conn: conn} do
@@ -138,6 +137,12 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 assert csp =~ "img-src 'self' data: blob: #{url};"
 end
+ defp assert_connect_src(conn, url) do
+ conn = get(conn, "/api/v1/instance")
+ [csp] = Conn.get_resp_header(conn, "content-security-policy")
+ assert csp =~ ~r/connect-src 'self' [^;]+ #{url}/
+ end
+
 test "it does not send CSP headers when disabled", %{conn: conn} do
 clear_config([:http_security, :enabled], false)
@@ -147,7 +152,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
 assert Conn.get_resp_header(conn, "x-frame-options") == []
 assert Conn.get_resp_header(conn, "x-content-type-options") == []
- assert Conn.get_resp_header(conn, "x-download-options") == []
 assert Conn.get_resp_header(conn, "referrer-policy") == []
 assert Conn.get_resp_header(conn, "content-security-policy") == []
 end
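Review bot: The renamed assertion `assert report_to ==` in the first hunk still pins the Report-To header to one exact JSON string, so a change in key order or whitespace from the JSON encoder fails the test even though the header stays valid. Decoding and comparing the map keeps the checks that matter for CSP reporting — a well-formed document whose `group` matches the `report-to csp-endpoint` token asserted on the line above: `assert Jason.decode!(report_to) == %{"endpoints" => [%{"url" => "https://endpoint.com"}], "group" => "csp-endpoint", "max-age" => 10886400}` (assuming Jason is the project's JSON library). The enclosing test starts before this hunk.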
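Review bot: In the new `assert_connect_src` helper, `url` is interpolated into `~r/connect-src 'self' [^;]+ #{url}/` unescaped and without a trailing boundary, so each dot in `https://example.com` matches any character and a connect-src containing `https://examplexcom` or `https://example.com.other` also satisfies the assertion; the test would keep passing if the plug emitted a wrong origin. Escape the value and require a directive boundary after it: `assert csp =~ ~r/connect-src 'self' [^;]+ #{Regex.escape(url)}(?: |;|$)/`. The sibling `assert_media_img_src` above matches a plain string ending in `;`, which avoids the problem entirely when the directive's tail is fixed.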