X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=test%2Fpleroma%2Fweb%2Fplugs%2Fhttp_security_plug_test.exs;h=d6d84107815896459bf6e78bebfe5c2b5e038f31;hb=0e4c201f8dd607f5f34a247e63ab968204946052;hp=2297e3dac3d1106a83aa02844b14adf2b5193e73;hpb=073ad7e6d91884f3c972f903d936f029c7a884e6;p=akkoma
diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs
index 2297e3dac..d6d841078 100644
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@@ -1,11 +1,10 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2020 Pleroma Authors
+# Copyright © 2017-2021 Pleroma Authors
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
   use Pleroma.Web.ConnCase
 
-  alias Pleroma.Config
   alias Plug.Conn
 
   describe "http security enabled" do
@@ -18,7 +17,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
       refute Conn.get_resp_header(conn, "x-frame-options") == []
       refute Conn.get_resp_header(conn, "x-content-type-options") == []
-      refute Conn.get_resp_header(conn, "x-download-options") == []
       refute Conn.get_resp_header(conn, "referrer-policy") == []
       refute Conn.get_resp_header(conn, "content-security-policy") == []
     end
@@ -29,7 +27,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       conn = get(conn, "/api/v1/instance")
 
       refute Conn.get_resp_header(conn, "strict-transport-security") == []
-      refute Conn.get_resp_header(conn, "expect-ct") == []
     end
 
     test "it does not send STS headers when disabled", %{conn: conn} do
@@ -38,7 +35,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       conn = get(conn, "/api/v1/instance")
 
       assert Conn.get_resp_header(conn, "strict-transport-security") == []
-      assert Conn.get_resp_header(conn, "expect-ct") == []
     end
 
     test "referrer-policy header reflects configured value", %{conn: conn} do
@@ -60,9 +56,9 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 
       assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;|
 
-      [reply_to] = Conn.get_resp_header(conn, "reply-to")
+      [report_to] = Conn.get_resp_header(conn, "report-to")
 
-      assert reply_to ==
+      assert report_to ==
                "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
     end
 
@@ -73,6 +69,21 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       assert csp =~ "media-src 'self' https:;"
       assert csp =~ "img-src 'self' data: blob: https:;"
     end
+
+    test "it sets the Service-Worker-Allowed header", %{conn: conn} do
+      clear_config([:http_security, :enabled], true)
+      clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"})
+
+      clear_config([:frontends, :available], %{
+        "fedi-fe" => %{
+          "name" => "fedi-fe",
+          "custom-http-headers" => [{"service-worker-allowed", "/"}]
+        }
+      })
+
+      conn = get(conn, "/api/v1/instance")
+      assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
+    end
   end
 
   describe "img-src and media-src" do
@@ -86,12 +97,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       url = "https://example.com"
       clear_config([:media_proxy, :base_url], url)
       assert_media_img_src(conn, url)
+      assert_connect_src(conn, url)
     end
 
     test "upload with base url", %{conn: conn} do
       url = "https://example2.com"
       clear_config([Pleroma.Upload, :base_url], url)
       assert_media_img_src(conn, url)
+      assert_connect_src(conn, url)
     end
 
     test "with S3 public endpoint", %{conn: conn} do
@@ -124,6 +137,12 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       assert csp =~ "img-src 'self' data: blob: #{url};"
     end
 
+    defp assert_connect_src(conn, url) do
+      conn = get(conn, "/api/v1/instance")
+      [csp] = Conn.get_resp_header(conn, "content-security-policy")
+      assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
+    end
+
     test "it does not send CSP headers when disabled", %{conn: conn} do
       clear_config([:http_security, :enabled], false)
 
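Review bot: The `assert report_to == "{\"endpoints\":...}"` comparison pins the JSON serializer's key order and whitespace rather than the Report-To policy itself, so a harmless change in map-key ordering or encoder output breaks the test without any security regression, while a semantically wrong policy with the same text would pass. Decode the header and compare structurally, e.g. `assert Jason.decode!(report_to) == %{"endpoints" => [%{"url" => "https://endpoint.com"}], "group" => "csp-endpoint", "max-age" => 10_886_400}`, using whichever JSON library the project already depends on (Jason is my assumption, not visible here). The enclosing test starts before this hunk.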
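Review bot: The new `it sets the Service-Worker-Allowed header` test covers only the positive path, so a regression that emits a frontend's `custom-http-headers` unconditionally, or picks them from a non-primary frontend, would still pass. Pair it with a negative case where the primary frontend has no `custom-http-headers` entry and assert `Conn.get_resp_header(conn, "service-worker-allowed") == []`. Because `Service-Worker-Allowed: /` widens the service-worker scope to the whole origin, a one-line comment on the test stating why the frontend needs that scope would help the next reader judge whether the header is still warranted. The test sets both `:primary` (`name`/`ref`) and the `:available` entry; which of these the plug actually keys on is not visible in this hunk.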
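Review bot: The `with S3 public endpoint` test at the tail of the hunk does not receive the `assert_connect_src(conn, url)` call that the media-proxy and upload base-url tests now get, so if the plug adds the S3 endpoint to `connect-src` as it does to `img-src`/`media-src`, that path is untested, and if it deliberately leaves it out, a short comment in that test should say so. The S3 test's body continues outside the hunk, so I cannot tell which it is.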
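Review bot: `assert_connect_src` interpolates `url` into a regex unescaped, so in `~r/connect-src 'self' blob: [^;]+ #{url}/` the dots in the host act as wildcards and a URL containing `?`, `+` or `(` would change or break the pattern; use `assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{Regex.escape(url)}/`. The `[^;]+ ` between `blob:` and the URL also requires at least one other source to precede it, which presumably mirrors the plug's current connect-src layout — confirm that, or anchor the URL with a trailing `[ ;]` so a longer host that merely starts with `url` does not satisfy the assertion. The `it does not send CSP headers when disabled` test opened at the end of this hunk continues outside it.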
@@ -133,7 +152,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
       assert Conn.get_resp_header(conn, "x-frame-options") == []
       assert Conn.get_resp_header(conn, "x-content-type-options") == []
-      assert Conn.get_resp_header(conn, "x-download-options") == []
       assert Conn.get_resp_header(conn, "referrer-policy") == []
       assert Conn.get_resp_header(conn, "content-security-policy") == []
     end