Commit ef254727 authored by Nick Sellen's avatar Nick Sellen Committed by Matthias Larisch

Add wss: to connect-src CSP policy

parent bcb873a1
......@@ -18,12 +18,13 @@ class ContentSecurityPolicy
'script-src' => [
$self,
$unsafeInline,
$unsafeEval, // lots of `$.globalEval` still ... 😢
'https://maps.googleapis.com'
$unsafeEval // lots of `$.globalEval` still ... 😢
],
'connect-src' => [
$self,
'https://sentry.io'
$this->websocketUrlFor(BASE_URL),
'https://sentry.io',
'https://photon.komoot.de'
],
'img-src' => [
$self,
......@@ -60,4 +61,9 @@ class ContentSecurityPolicy
return 'Content-Security-Policy: ' . $value;
}
public function websocketUrlFor(string $baseUrl): string
{
return preg_replace('/^http(s)?:/', 'ws\1:', $baseUrl);
}
}
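Review bot: `websocketUrlFor` (lines 27-30) declares a `string` return, but `preg_replace` yields `null` on a PCRE error and, for a base URL whose scheme is not http(s), hands the input back untouched, so an unexpected `BASE_URL` would land verbatim in `connect-src` instead of failing loudly. A guard such as `if (!preg_match('/^https?:/', $baseUrl)) { throw new \InvalidArgumentException('BASE_URL must use http or https'); }` before the replace makes policy generation fail closed, and a short docblock (`/** Derives the ws:/wss: origin to allow in connect-src from the site's http(s) base URL. */`) would record why the scheme is rewritten. The same section also drops `https://maps.googleapis.com` from `script-src` and adds `https://photon.komoot.de` to `connect-src` (lines 12 and 20), neither of which the commit title mentions; worth a line in the description. The enclosing `ContentSecurityPolicy` class starts outside the hunk.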
<?php
class ContentSecurityPolicyTest extends \Codeception\Test\Unit
{
/**
* @var \UnitTester
*/
protected $tester;
/**
* @var \Foodsharing\Lib\ContentSecurityPolicy
*/
private $csp;
protected function _before()
{
$this->csp = $this->tester->get(\Foodsharing\Lib\ContentSecurityPolicy::class);
}
public function testWebsocketUrlFor(): void
{
$this->assertEquals('ws://localhost:1234', $this->csp->websocketUrlFor('http://localhost:1234'));
$this->assertEquals('ws://insecure.com', $this->csp->websocketUrlFor('http://insecure.com'));
$this->assertEquals('wss://secure.com', $this->csp->websocketUrlFor('https://secure.com'));
}
public function testPolicy(): void
{
$policy = $this->csp->generate('http://reporthere.com', true);
$this->assertContains('Content-Security-Policy', $policy);
$this->assertContains('report-uri http://reporthere.com;', $policy);
}
public function testReportOnlyPolicy(): void
{
$policy = $this->csp->generate('http://reporthere.com', true);
$this->assertContains('Content-Security-Policy-Report-Only', $policy);
$this->assertContains('report-uri http://reporthere.com;', $policy);
}
}
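Review bot: `testPolicy` (lines 53-58) calls `generate('http://reporthere.com', true)` with exactly the arguments `testReportOnlyPolicy` uses and asserts only the substring `Content-Security-Policy`, which the `Content-Security-Policy-Report-Only` header also contains, so the test cannot tell the enforcing and report-only modes apart. If the second argument is the report-only flag (its name is not visible here), the enforcing case should read `$policy = $this->csp->generate('http://reporthere.com', false);` followed by `$this->assertNotContains('Report-Only', $policy);`. `testWebsocketUrlFor` could also pin what happens for a base URL that is not http(s), since `websocketUrlFor` currently returns such input unchanged and that value is what ends up in `connect-src`.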