2e079154a8
In 90e710d7672b928ce6bb3ec05f8f2c05338be6c9 the FeaturePolicy middleware was renamed to PermissionsPolicy as this will be new name of the header as used by browsers. The Permissions-Policy header requires a different implementation and isn't yet supported by all browsers. To avoid having to rename the middleware in the future, we keep the new name for the Middleware, but use the old implementation and header name.
192 lines
4.7 KiB
Ruby
192 lines
4.7 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "isolation/abstract_unit"
|
|
require "rack/test"
|
|
|
|
module ApplicationTests
|
|
class PermissionsPolicyTest < ActiveSupport::TestCase
|
|
include ActiveSupport::Testing::Isolation
|
|
include Rack::Test::Methods
|
|
|
|
def setup
|
|
build_app
|
|
end
|
|
|
|
def teardown
|
|
teardown_app
|
|
end
|
|
|
|
test "permissions policy is not enabled by default" do
|
|
controller :pages, <<-RUBY
|
|
class PagesController < ApplicationController
|
|
def index
|
|
render html: "<h1>Welcome to Rails!</h1>"
|
|
end
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/routes.rb", <<-RUBY
|
|
Rails.application.routes.draw do
|
|
root to: "pages#index"
|
|
end
|
|
RUBY
|
|
|
|
app("development")
|
|
|
|
get "/"
|
|
assert_nil last_response.headers["Feature-Policy"]
|
|
end
|
|
|
|
test "global permissions policy in an initializer" do
|
|
controller :pages, <<-RUBY
|
|
class PagesController < ApplicationController
|
|
def index
|
|
render html: "<h1>Welcome to Rails!</h1>"
|
|
end
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/initializers/permissions_policy.rb", <<-RUBY
|
|
Rails.application.config.permissions_policy do |p|
|
|
p.geolocation :none
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/routes.rb", <<-RUBY
|
|
Rails.application.routes.draw do
|
|
root to: "pages#index"
|
|
end
|
|
RUBY
|
|
|
|
app("development")
|
|
|
|
get "/"
|
|
assert_policy "geolocation 'none'"
|
|
end
|
|
|
|
test "override permissions policy using same directive in a controller" do
|
|
controller :pages, <<-RUBY
|
|
class PagesController < ApplicationController
|
|
permissions_policy do |p|
|
|
p.geolocation "https://example.com"
|
|
end
|
|
|
|
def index
|
|
render html: "<h1>Welcome to Rails!</h1>"
|
|
end
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/initializers/permissions_policy.rb", <<-RUBY
|
|
Rails.application.config.permissions_policy do |p|
|
|
p.geolocation :none
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/routes.rb", <<-RUBY
|
|
Rails.application.routes.draw do
|
|
root to: "pages#index"
|
|
end
|
|
RUBY
|
|
|
|
app("development")
|
|
|
|
get "/"
|
|
assert_policy "geolocation https://example.com"
|
|
end
|
|
|
|
test "override permissions policy by unsetting a directive in a controller" do
|
|
controller :pages, <<-RUBY
|
|
class PagesController < ApplicationController
|
|
permissions_policy do |p|
|
|
p.geolocation nil
|
|
end
|
|
|
|
def index
|
|
render html: "<h1>Welcome to Rails!</h1>"
|
|
end
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/initializers/permissions_policy.rb", <<-RUBY
|
|
Rails.application.config.permissions_policy do |p|
|
|
p.geolocation :none
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/routes.rb", <<-RUBY
|
|
Rails.application.routes.draw do
|
|
root to: "pages#index"
|
|
end
|
|
RUBY
|
|
|
|
app("development")
|
|
|
|
get "/"
|
|
assert_equal 200, last_response.status
|
|
assert_nil last_response.headers["Feature-Policy"]
|
|
end
|
|
|
|
test "override permissions policy using different directives in a controller" do
|
|
controller :pages, <<-RUBY
|
|
class PagesController < ApplicationController
|
|
permissions_policy do |p|
|
|
p.geolocation nil
|
|
p.payment "https://secure.example.com"
|
|
p.autoplay :none
|
|
end
|
|
|
|
def index
|
|
render html: "<h1>Welcome to Rails!</h1>"
|
|
end
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/initializers/permissions_policy.rb", <<-RUBY
|
|
Rails.application.config.permissions_policy do |p|
|
|
p.geolocation :none
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/routes.rb", <<-RUBY
|
|
Rails.application.routes.draw do
|
|
root to: "pages#index"
|
|
end
|
|
RUBY
|
|
|
|
app("development")
|
|
|
|
get "/"
|
|
assert_policy "payment https://secure.example.com; autoplay 'none'"
|
|
end
|
|
|
|
test "global permissions policy added to rack app" do
|
|
app_file "config/initializers/permissions_policy.rb", <<-RUBY
|
|
Rails.application.config.permissions_policy do |p|
|
|
p.payment :none
|
|
end
|
|
RUBY
|
|
|
|
app_file "config/routes.rb", <<-RUBY
|
|
Rails.application.routes.draw do
|
|
app = ->(env) {
|
|
[200, { "Content-Type" => "text/html" }, ["<p>Hello, World!</p>"]]
|
|
}
|
|
root to: app
|
|
end
|
|
RUBY
|
|
|
|
app("development")
|
|
|
|
get "/"
|
|
assert_policy "payment 'none'"
|
|
end
|
|
|
|
private
|
|
def assert_policy(expected)
|
|
assert_equal 200, last_response.status
|
|
assert_equal expected, last_response.headers["Feature-Policy"]
|
|
end
|
|
end
|
|
end
|