
Updated CSP with frame-src rules

- Configurable via 'ALLOWED_IFRAME_SOURCES' .env option.
- Also updated how CSP rules are set, with a single header being used
  instead of many.
- Also applied CSP rules to HTML export outputs.
- Updated tests to cover.

For #3314
This commit is contained in:
Dan Brown
2022-03-07 14:27:41 +00:00
parent 48d0095aa2
commit 856fca8289
8 changed files with 162 additions and 54 deletions


@ -268,7 +268,7 @@ class ExportTest extends TestCase
foreach ($entities as $entity) {
$resp = $this->asEditor()->get($entity->getUrl('/export/html'));
$resp->assertDontSee('window.donkey');
$resp->assertDontSee('script');
$resp->assertDontSee('<script', false);
$resp->assertSee('.my-test-class { color: red; }');
}
}
@ -448,4 +448,18 @@ class ExportTest extends TestCase
$resp = $this->get($page->getUrl('/export/pdf'));
$resp->assertStatus(500); // Bad response indicates wkhtml usage
}
public function test_html_exports_contain_csp_meta_tag()
{
$entities = [
Page::query()->first(),
Book::query()->first(),
Chapter::query()->first(),
];
foreach ($entities as $entity) {
$resp = $this->asEditor()->get($entity->getUrl('/export/html'));
$resp->assertElementExists('head meta[http-equiv="Content-Security-Policy"][content*="script-src "]');
}
}
}
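Review bot: The new test_html_exports_contain_csp_meta_tag only asserts that the meta CSP contains a script-src directive, while the commit's stated purpose is the frame-src rule, so a regression that drops frame-src from the export CSP would still pass; if the export CSP always emits that directive, tighten the selector to `head meta[http-equiv="Content-Security-Policy"][content*="script-src "][content*="frame-src "]`. A CSP delivered through a meta element governs only markup that follows it and cannot carry frame-ancestors, report-uri or sandbox, so scoping the selector to `head` is the right check and deserves a comment above the loop, e.g. `// CSP via <meta> only covers markup after the tag, so it must be in <head>`. In the first hunk, `assertDontSee('<script', false)` is a byte-wise, case-sensitive match, so a `<SCRIPT` or `<Script` tag surviving in the export would not be caught; consider adding `$this->assertStringNotContainsStringIgnoringCase('<script', $resp->getContent());`. The test method containing the first hunk begins before the hunk.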