frameAncestors -> csp

It seems we cannot separate frame ancestors from CSP because the hide
header just hides everything and not a specific resource. This means
that the user has to set or unset the full policy wholesale.
Girish Ramakrishnan
2019-10-14 16:59:22 -07:00
parent 61b6bee946
commit 8878bc4bf9
7 changed files with 29 additions and 70 deletions


@@ -1054,7 +1054,7 @@ describe('App API', function () {
it('can set robotsTxt', function (done) {
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/reverse_proxy')
.query({ access_token: token })
.send({ robotsTxt: 'any string is good', frameAncestors: [], hideHeaders: [] })
.send({ robotsTxt: 'any string is good', csp: null })
.end(function (err, res) {
expect(res.statusCode).to.equal(200);
done();
@@ -1064,17 +1064,17 @@ describe('App API', function () {
it('can reset robotsTxt', function (done) {
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/reverse_proxy')
.query({ access_token: token })
.send({ robotsTxt: null, frameAncestors: [], hideHeaders: [] })
.send({ robotsTxt: null, csp: null })
.end(function (err, res) {
expect(res.statusCode).to.equal(200);
done();
});
});
it('fails with bad frame-ancestors', function (done) {
it('fails with bad csp', function (done) {
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/reverse_proxy')
.query({ access_token: token })
.send({ robotsTxt: null, frameAncestors: [ 34 ], hideHeaders: [] })
.send({ robotsTxt: null, csp: 34 })
.end(function (err, res) {
expect(res.statusCode).to.equal(400);
done();
@@ -1084,7 +1084,7 @@ describe('App API', function () {
it('can set frame-ancestors', function (done) {
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/reverse_proxy')
.query({ access_token: token })
.send({ robotsTxt: null, frameAncestors: [ 'www.example.com' ], hideHeaders: [] })
.send({ robotsTxt: null, csp: 'frame-ancestors \'self\'' })
.end(function (err, res) {
expect(res.statusCode).to.equal(200);
done();
@@ -1094,37 +1094,7 @@ describe('App API', function () {
it('can reset frame-ancestors', function (done) {
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/reverse_proxy')
.query({ access_token: token })
.send({ robotsTxt: null, frameAncestors: [], hideHeaders: [] })
.end(function (err, res) {
expect(res.statusCode).to.equal(200);
done();
});
});
it('fails with bad hideHeaders', function (done) {
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/reverse_proxy')
.query({ access_token: token })
.send({ robotsTxt: null, frameAncestors: [], hideHeaders: 34 })
.end(function (err, res) {
expect(res.statusCode).to.equal(400);
done();
});
});
it('can set hideHeaders', function (done) {
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/reverse_proxy')
.query({ access_token: token })
.send({ robotsTxt: null, frameAncestors: [], hideHeaders: [ 'Content-Security-Policy' ] })
.end(function (err, res) {
expect(res.statusCode).to.equal(200);
done();
});
});
it('can reset hideHeaders', function (done) {
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/reverse_proxy')
.query({ access_token: token })
.send({ robotsTxt: null, frameAncestors: [], hideHeaders: [] })
.send({ robotsTxt: null, csp: null })
.end(function (err, res) {
expect(res.statusCode).to.equal(200);
done();