# Pleroma: A lightweight social networking server
-# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
use Pleroma.Web.ConnCase
- alias Pleroma.Config
alias Plug.Conn
describe "http security enabled" do
refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
refute Conn.get_resp_header(conn, "x-frame-options") == []
refute Conn.get_resp_header(conn, "x-content-type-options") == []
- refute Conn.get_resp_header(conn, "x-download-options") == []
refute Conn.get_resp_header(conn, "referrer-policy") == []
refute Conn.get_resp_header(conn, "content-security-policy") == []
end
conn = get(conn, "/api/v1/instance")
refute Conn.get_resp_header(conn, "strict-transport-security") == []
- refute Conn.get_resp_header(conn, "expect-ct") == []
end
test "it does not send STS headers when disabled", %{conn: conn} do
conn = get(conn, "/api/v1/instance")
assert Conn.get_resp_header(conn, "strict-transport-security") == []
- assert Conn.get_resp_header(conn, "expect-ct") == []
end
test "referrer-policy header reflects configured value", %{conn: conn} do
assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;|
- [reply_to] = Conn.get_resp_header(conn, "reply-to")
+ [report_to] = Conn.get_resp_header(conn, "report-to")
- assert reply_to ==
+ assert report_to ==
"{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
end
assert csp =~ "media-src 'self' https:;"
assert csp =~ "img-src 'self' data: blob: https:;"
end
+
+ test "it sets the Service-Worker-Allowed header", %{conn: conn} do
+ clear_config([:http_security, :enabled], true)
+ clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"})
+
+ clear_config([:frontends, :available], %{
+ "fedi-fe" => %{
+ "name" => "fedi-fe",
+ "custom-http-headers" => [{"service-worker-allowed", "/"}]
+ }
+ })
+
+ conn = get(conn, "/api/v1/instance")
+ assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
+ end
end
describe "img-src and media-src" do
url = "https://example.com"
clear_config([:media_proxy, :base_url], url)
assert_media_img_src(conn, url)
+ assert_connect_src(conn, url)
end
test "upload with base url", %{conn: conn} do
url = "https://example2.com"
clear_config([Pleroma.Upload, :base_url], url)
assert_media_img_src(conn, url)
+ assert_connect_src(conn, url)
end
test "with S3 public endpoint", %{conn: conn} do
assert csp =~ "img-src 'self' data: blob: #{url};"
end
+ defp assert_connect_src(conn, url) do
+ conn = get(conn, "/api/v1/instance")
+ [csp] = Conn.get_resp_header(conn, "content-security-policy")
+ assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
+ end
+
test "it does not send CSP headers when disabled", %{conn: conn} do
clear_config([:http_security, :enabled], false)
assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
assert Conn.get_resp_header(conn, "x-frame-options") == []
assert Conn.get_resp_header(conn, "x-content-type-options") == []
- assert Conn.get_resp_header(conn, "x-download-options") == []
assert Conn.get_resp_header(conn, "referrer-policy") == []
assert Conn.get_resp_header(conn, "content-security-policy") == []
end