roda 3.28.0 → 3.29.0
- checksums.yaml +4 -4
- data/CHANGELOG +10 -0
- data/README.rdoc +10 -0
- data/doc/release_notes/3.29.0.txt +15 -0
- data/lib/roda.rb +1 -0
- data/lib/roda/plugins/caching.rb +2 -0
- data/lib/roda/plugins/common_logger.rb +1 -1
- data/lib/roda/plugins/exception_page.rb +7 -1
- data/lib/roda/plugins/indifferent_params.rb +2 -0
- data/lib/roda/version.rb +1 -1
- metadata +4 -214
- data/Rakefile +0 -108
- data/doc/release_notes/1.0.0.txt +0 -329
- data/doc/release_notes/1.1.0.txt +0 -226
- data/doc/release_notes/1.2.0.txt +0 -406
- data/doc/release_notes/1.3.0.txt +0 -109
- data/doc/release_notes/2.0.0.txt +0 -75
- data/doc/release_notes/2.1.0.txt +0 -124
- data/doc/release_notes/2.10.0.txt +0 -27
- data/doc/release_notes/2.11.0.txt +0 -70
- data/doc/release_notes/2.12.0.txt +0 -40
- data/doc/release_notes/2.13.0.txt +0 -10
- data/doc/release_notes/2.14.0.txt +0 -44
- data/doc/release_notes/2.15.0.txt +0 -53
- data/doc/release_notes/2.16.0.txt +0 -48
- data/doc/release_notes/2.17.0.txt +0 -62
- data/doc/release_notes/2.18.0.txt +0 -69
- data/doc/release_notes/2.19.0.txt +0 -30
- data/doc/release_notes/2.2.0.txt +0 -97
- data/doc/release_notes/2.20.0.txt +0 -5
- data/doc/release_notes/2.21.0.txt +0 -17
- data/doc/release_notes/2.22.0.txt +0 -41
- data/doc/release_notes/2.23.0.txt +0 -29
- data/doc/release_notes/2.24.0.txt +0 -65
- data/doc/release_notes/2.25.0.txt +0 -14
- data/doc/release_notes/2.26.0.txt +0 -13
- data/doc/release_notes/2.27.0.txt +0 -56
- data/doc/release_notes/2.28.0.txt +0 -17
- data/doc/release_notes/2.29.0.txt +0 -156
- data/doc/release_notes/2.3.0.txt +0 -109
- data/doc/release_notes/2.4.0.txt +0 -55
- data/doc/release_notes/2.5.0.txt +0 -23
- data/doc/release_notes/2.5.1.txt +0 -4
- data/doc/release_notes/2.6.0.txt +0 -21
- data/doc/release_notes/2.7.0.txt +0 -75
- data/doc/release_notes/2.8.0.txt +0 -44
- data/doc/release_notes/2.9.0.txt +0 -6
- data/spec/all.rb +0 -1
- data/spec/assets/css/app.scss +0 -1
- data/spec/assets/css/no_access.css +0 -1
- data/spec/assets/css/raw.css +0 -1
- data/spec/assets/js/head/app.js +0 -1
- data/spec/composition_spec.rb +0 -31
- data/spec/define_roda_method_spec.rb +0 -274
- data/spec/env_spec.rb +0 -11
- data/spec/freeze_spec.rb +0 -37
- data/spec/integration_spec.rb +0 -209
- data/spec/matchers_spec.rb +0 -832
- data/spec/opts_spec.rb +0 -42
- data/spec/plugin/_after_hook_spec.rb +0 -19
- data/spec/plugin/all_verbs_spec.rb +0 -29
- data/spec/plugin/assets_preloading_spec.rb +0 -98
- data/spec/plugin/assets_spec.rb +0 -745
- data/spec/plugin/backtracking_array_spec.rb +0 -42
- data/spec/plugin/branch_locals_spec.rb +0 -106
- data/spec/plugin/caching_spec.rb +0 -337
- data/spec/plugin/chunked_spec.rb +0 -201
- data/spec/plugin/class_level_routing_spec.rb +0 -164
- data/spec/plugin/class_matchers_spec.rb +0 -40
- data/spec/plugin/common_logger_spec.rb +0 -85
- data/spec/plugin/content_for_spec.rb +0 -162
- data/spec/plugin/content_security_policy_spec.rb +0 -175
- data/spec/plugin/cookies_spec.rb +0 -51
- data/spec/plugin/csrf_spec.rb +0 -111
- data/spec/plugin/default_headers_spec.rb +0 -82
- data/spec/plugin/default_status_spec.rb +0 -95
- data/spec/plugin/delay_build_spec.rb +0 -23
- data/spec/plugin/delegate_spec.rb +0 -23
- data/spec/plugin/delete_empty_headers_spec.rb +0 -27
- data/spec/plugin/direct_call_spec.rb +0 -28
- data/spec/plugin/disallow_file_uploads_spec.rb +0 -25
- data/spec/plugin/drop_body_spec.rb +0 -24
- data/spec/plugin/early_hints_spec.rb +0 -19
- data/spec/plugin/empty_root_spec.rb +0 -14
- data/spec/plugin/environments_spec.rb +0 -42
- data/spec/plugin/error_email_spec.rb +0 -97
- data/spec/plugin/error_handler_spec.rb +0 -216
- data/spec/plugin/error_mail_spec.rb +0 -93
- data/spec/plugin/exception_page_spec.rb +0 -168
- data/spec/plugin/flash_spec.rb +0 -121
- data/spec/plugin/h_spec.rb +0 -11
- data/spec/plugin/halt_spec.rb +0 -119
- data/spec/plugin/hash_matcher_spec.rb +0 -27
- data/spec/plugin/hash_routes_spec.rb +0 -535
- data/spec/plugin/head_spec.rb +0 -52
- data/spec/plugin/header_matchers_spec.rb +0 -98
- data/spec/plugin/heartbeat_spec.rb +0 -74
- data/spec/plugin/hooks_spec.rb +0 -152
- data/spec/plugin/indifferent_params_spec.rb +0 -14
- data/spec/plugin/json_parser_spec.rb +0 -141
- data/spec/plugin/json_spec.rb +0 -83
- data/spec/plugin/mail_processor_spec.rb +0 -451
- data/spec/plugin/mailer_spec.rb +0 -282
- data/spec/plugin/match_affix_spec.rb +0 -43
- data/spec/plugin/match_hook_spec.rb +0 -79
- data/spec/plugin/middleware_spec.rb +0 -237
- data/spec/plugin/middleware_stack_spec.rb +0 -81
- data/spec/plugin/module_include_spec.rb +0 -48
- data/spec/plugin/multi_route_spec.rb +0 -268
- data/spec/plugin/multi_run_spec.rb +0 -87
- data/spec/plugin/multi_view_spec.rb +0 -50
- data/spec/plugin/multibyte_string_matcher_spec.rb +0 -44
- data/spec/plugin/named_templates_spec.rb +0 -96
- data/spec/plugin/not_allowed_spec.rb +0 -69
- data/spec/plugin/not_found_spec.rb +0 -128
- data/spec/plugin/optimized_string_matchers_spec.rb +0 -43
- data/spec/plugin/padrino_render_spec.rb +0 -34
- data/spec/plugin/param_matchers_spec.rb +0 -69
- data/spec/plugin/params_capturing_spec.rb +0 -33
- data/spec/plugin/partials_spec.rb +0 -43
- data/spec/plugin/pass_spec.rb +0 -29
- data/spec/plugin/path_matchers_spec.rb +0 -42
- data/spec/plugin/path_rewriter_spec.rb +0 -45
- data/spec/plugin/path_spec.rb +0 -222
- data/spec/plugin/placeholder_string_matchers_spec.rb +0 -126
- data/spec/plugin/precompile_templates_spec.rb +0 -61
- data/spec/plugin/public_spec.rb +0 -85
- data/spec/plugin/render_each_spec.rb +0 -82
- data/spec/plugin/render_locals_spec.rb +0 -114
- data/spec/plugin/render_spec.rb +0 -912
- data/spec/plugin/request_aref_spec.rb +0 -51
- data/spec/plugin/request_headers_spec.rb +0 -39
- data/spec/plugin/response_request_spec.rb +0 -43
- data/spec/plugin/route_block_args_spec.rb +0 -86
- data/spec/plugin/route_csrf_spec.rb +0 -305
- data/spec/plugin/run_append_slash_spec.rb +0 -77
- data/spec/plugin/run_handler_spec.rb +0 -53
- data/spec/plugin/sessions_spec.rb +0 -452
- data/spec/plugin/shared_vars_spec.rb +0 -45
- data/spec/plugin/sinatra_helpers_spec.rb +0 -537
- data/spec/plugin/slash_path_empty_spec.rb +0 -22
- data/spec/plugin/static_routing_spec.rb +0 -192
- data/spec/plugin/static_spec.rb +0 -30
- data/spec/plugin/status_303_spec.rb +0 -28
- data/spec/plugin/status_handler_spec.rb +0 -158
- data/spec/plugin/streaming_spec.rb +0 -246
- data/spec/plugin/strip_path_prefix_spec.rb +0 -24
- data/spec/plugin/symbol_matchers_spec.rb +0 -51
- data/spec/plugin/symbol_status_spec.rb +0 -25
- data/spec/plugin/symbol_views_spec.rb +0 -32
- data/spec/plugin/timestamp_public_spec.rb +0 -85
- data/spec/plugin/type_routing_spec.rb +0 -348
- data/spec/plugin/typecast_params_spec.rb +0 -1370
- data/spec/plugin/unescape_path_spec.rb +0 -22
- data/spec/plugin/view_options_spec.rb +0 -170
- data/spec/plugin_spec.rb +0 -71
- data/spec/redirect_spec.rb +0 -41
- data/spec/request_spec.rb +0 -97
- data/spec/response_spec.rb +0 -199
- data/spec/route_spec.rb +0 -39
- data/spec/session_middleware_spec.rb +0 -129
- data/spec/session_spec.rb +0 -37
- data/spec/spec_helper.rb +0 -137
- data/spec/version_spec.rb +0 -14
- data/spec/views/_test.erb +0 -1
- data/spec/views/a.erb +0 -1
- data/spec/views/a.rdoc +0 -2
- data/spec/views/about.erb +0 -1
- data/spec/views/about.str +0 -1
- data/spec/views/about/_test.css.gz +0 -0
- data/spec/views/about/_test.erb +0 -1
- data/spec/views/about/_test.erb.gz +0 -0
- data/spec/views/about/comp_test.erb +0 -1
- data/spec/views/b.erb +0 -1
- data/spec/views/c.erb +0 -1
- data/spec/views/comp_layout.erb +0 -1
- data/spec/views/comp_test.erb +0 -1
- data/spec/views/content-yield.erb +0 -1
- data/spec/views/each.str +0 -1
- data/spec/views/home.erb +0 -2
- data/spec/views/home.str +0 -2
- data/spec/views/iv.erb +0 -1
- data/spec/views/layout-alternative.erb +0 -2
- data/spec/views/layout-yield.erb +0 -3
- data/spec/views/layout.erb +0 -2
- data/spec/views/layout.str +0 -2
- data/spec/views/multiple-layout.erb +0 -1
- data/spec/views/multiple.erb +0 -1
@@ -1,162 +0,0 @@
|
|
1
|
-
require_relative "../spec_helper"
|
2
|
-
|
3
|
-
begin
|
4
|
-
require 'tilt/erb'
|
5
|
-
rescue LoadError
|
6
|
-
warn "tilt not installed, skipping content_for plugin test"
|
7
|
-
else
|
8
|
-
describe "content_for plugin with erb" do
|
9
|
-
before do
|
10
|
-
app(:bare) do
|
11
|
-
plugin :render, :views => './spec/views'
|
12
|
-
plugin :content_for
|
13
|
-
|
14
|
-
route do |r|
|
15
|
-
r.root do
|
16
|
-
view(:inline => "<% content_for :foo do %>foo<% end %>bar", :layout => { :inline => '<%= yield %> <%= content_for(:foo) %>' })
|
17
|
-
end
|
18
|
-
r.get 'a' do
|
19
|
-
view(:inline => "bar", :layout => { :inline => '<%= content_for(:foo) %> <%= yield %>' })
|
20
|
-
end
|
21
|
-
r.get 'b' do
|
22
|
-
view(:inline => '<% content_for(:foo, "foo") %>bar', :layout => { :inline => '<%= yield %> <%= content_for(:foo) %>' })
|
23
|
-
end
|
24
|
-
r.get 'e' do
|
25
|
-
view(:inline => 'a<% content_for :foo do %><% end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
|
26
|
-
end
|
27
|
-
r.get 'f' do
|
28
|
-
view(:inline => 'a<% content_for :foo do "f" end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
|
29
|
-
end
|
30
|
-
r.get 'g' do
|
31
|
-
view(:inline => 'a<% content_for :foo do "<" + "%= 1 %" + ">" end %>b', :layout => { :inline => 'c<%= yield %>d<%= content_for(:foo) %>e' })
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
35
|
-
end
|
36
|
-
|
37
|
-
it "should be able to set content in template and get that content in the layout" do
|
38
|
-
body.strip.must_equal "bar foo"
|
39
|
-
end
|
40
|
-
|
41
|
-
it "should work if content is not set by the template" do
|
42
|
-
body('/a').strip.must_equal "bar"
|
43
|
-
end
|
44
|
-
|
45
|
-
it "should work if a raw string is set" do
|
46
|
-
body('/b').strip.must_equal "bar foo"
|
47
|
-
end
|
48
|
-
|
49
|
-
it "should work for an empty content_for" do
|
50
|
-
body('/e').strip.must_equal "cabde"
|
51
|
-
end
|
52
|
-
|
53
|
-
it "should work when content_for uses a regular block" do
|
54
|
-
body('/f').strip.must_equal "cabdfe"
|
55
|
-
end
|
56
|
-
|
57
|
-
it "should use content_for output directly" do
|
58
|
-
body('/g').strip.must_equal "cabd<%= 1 %>e"
|
59
|
-
end
|
60
|
-
end
|
61
|
-
|
62
|
-
describe "content_for plugin with multiple calls to the same key" do
|
63
|
-
before do
|
64
|
-
app(:bare) do
|
65
|
-
plugin :render, :views => './spec/views'
|
66
|
-
plugin :content_for
|
67
|
-
|
68
|
-
route do |r|
|
69
|
-
r.root do
|
70
|
-
view(:inline => "<% content_for :foo do %>foo<% end %><% content_for :foo do %>baz<% end %>bar", :layout => { :inline => '<%= yield %> <%= content_for(:foo) %>' })
|
71
|
-
end
|
72
|
-
end
|
73
|
-
end
|
74
|
-
end
|
75
|
-
|
76
|
-
it "should replace with multiple calls to the same key if :append=>false plugin option is used" do
|
77
|
-
app.plugin :content_for, :append => false
|
78
|
-
body.strip.must_equal "bar baz"
|
79
|
-
end
|
80
|
-
|
81
|
-
it "should append with multiple calls to the same key if :append=>true plugin option is used" do
|
82
|
-
app.plugin :content_for
|
83
|
-
body.strip.must_equal "bar foobaz"
|
84
|
-
end
|
85
|
-
end
|
86
|
-
end
|
87
|
-
|
88
|
-
begin
|
89
|
-
require 'tilt/erb'
|
90
|
-
require 'tilt/haml'
|
91
|
-
rescue LoadError
|
92
|
-
warn "tilt or haml not installed, skipping content_for plugin haml tests"
|
93
|
-
else
|
94
|
-
describe "content_for plugin with haml" do
|
95
|
-
before do
|
96
|
-
app(:bare) do
|
97
|
-
plugin :render, :engine => 'haml'
|
98
|
-
plugin :content_for
|
99
|
-
|
100
|
-
route do |r|
|
101
|
-
r.root do
|
102
|
-
view(:inline => "- content_for :foo do\n - capture_haml do\n foo\nbar", :layout => { :inline => "= yield\n=content_for :foo" })
|
103
|
-
end
|
104
|
-
r.get 'a' do
|
105
|
-
view(:inline => "- content_for :foo, 'foo'\nbar", :layout => { :inline => "= yield\n=content_for :foo" })
|
106
|
-
end
|
107
|
-
end
|
108
|
-
end
|
109
|
-
end
|
110
|
-
|
111
|
-
it "should work with alternate rendering engines" do
|
112
|
-
body.strip.sub(/\n+/, "\n").must_equal "bar\nfoo"
|
113
|
-
body('/a').strip.sub(/\n+/, "\n").must_equal "bar\nfoo"
|
114
|
-
end
|
115
|
-
end
|
116
|
-
|
117
|
-
describe "content_for plugin with mixed template engines" do
|
118
|
-
before do
|
119
|
-
app(:bare) do
|
120
|
-
plugin :render, :layout_opts=>{:engine => 'haml', :inline => "= yield\n=content_for :foo" }
|
121
|
-
plugin :content_for
|
122
|
-
|
123
|
-
route do |r|
|
124
|
-
r.root do
|
125
|
-
view(:inline => "<% content_for :foo do %>foo<% end %>bar")
|
126
|
-
end
|
127
|
-
r.get 'a' do
|
128
|
-
view(:inline => "<% content_for :foo, 'foo' %>bar")
|
129
|
-
end
|
130
|
-
end
|
131
|
-
end
|
132
|
-
end
|
133
|
-
|
134
|
-
it "should work with alternate rendering engines" do
|
135
|
-
body.strip.must_equal "bar\nfoo"
|
136
|
-
body('/a').strip.must_equal "bar\nfoo"
|
137
|
-
end
|
138
|
-
end
|
139
|
-
|
140
|
-
describe "content_for plugin when overriding :engine" do
|
141
|
-
before do
|
142
|
-
app(:bare) do
|
143
|
-
plugin :render, :engine => 'haml', :layout_opts=>{:inline => "= yield\n=content_for :foo" }
|
144
|
-
plugin :content_for
|
145
|
-
|
146
|
-
route do |r|
|
147
|
-
r.root do
|
148
|
-
view(:inline => "<% content_for :foo do %>foo<% end %>bar", :engine=>:erb)
|
149
|
-
end
|
150
|
-
r.get 'a' do
|
151
|
-
view(:inline => "<% content_for :foo, 'foo' %>bar", :engine=>:erb)
|
152
|
-
end
|
153
|
-
end
|
154
|
-
end
|
155
|
-
end
|
156
|
-
|
157
|
-
it "should work with alternate rendering engines" do
|
158
|
-
body.strip.must_equal "bar\nfoo"
|
159
|
-
body('/a').strip.must_equal "bar\nfoo"
|
160
|
-
end
|
161
|
-
end
|
162
|
-
end
|
@@ -1,175 +0,0 @@
|
|
1
|
-
require_relative "../spec_helper"
|
2
|
-
|
3
|
-
describe "content_security_policy plugin" do
|
4
|
-
it "does not add header if no options are set" do
|
5
|
-
app(:content_security_policy){'a'}
|
6
|
-
header('Content-Security-Policy', "/a").must_be_nil
|
7
|
-
end
|
8
|
-
|
9
|
-
it "sets Content-Security-Policy header" do
|
10
|
-
app(:bare) do
|
11
|
-
plugin :content_security_policy do |csp|
|
12
|
-
csp.default_src :self
|
13
|
-
csp.img_src :self, 'example.com'
|
14
|
-
csp.style_src [:sha256, 'abc']
|
15
|
-
end
|
16
|
-
|
17
|
-
route do |r|
|
18
|
-
r.get 'ro' do
|
19
|
-
content_security_policy.report_only
|
20
|
-
''
|
21
|
-
end
|
22
|
-
|
23
|
-
r.get 'nro' do
|
24
|
-
content_security_policy.report_only
|
25
|
-
content_security_policy.report_only(false)
|
26
|
-
content_security_policy.report_only?.inspect
|
27
|
-
end
|
28
|
-
|
29
|
-
r.get 'get' do
|
30
|
-
content_security_policy.get_default_src.inspect
|
31
|
-
end
|
32
|
-
|
33
|
-
r.get 'add' do
|
34
|
-
content_security_policy.add_default_src('foo.com', 'bar.com')
|
35
|
-
''
|
36
|
-
end
|
37
|
-
|
38
|
-
r.get 'empty' do
|
39
|
-
content_security_policy.add_default_src
|
40
|
-
''
|
41
|
-
end
|
42
|
-
|
43
|
-
r.get 'set' do
|
44
|
-
content_security_policy.default_src('foo.com', 'bar.com')
|
45
|
-
''
|
46
|
-
end
|
47
|
-
|
48
|
-
r.get 'bool' do
|
49
|
-
content_security_policy.block_all_mixed_content
|
50
|
-
content_security_policy.upgrade_insecure_requests(false)
|
51
|
-
content_security_policy.block_all_mixed_content?.inspect
|
52
|
-
end
|
53
|
-
|
54
|
-
r.get 'block' do
|
55
|
-
content_security_policy do |csp|
|
56
|
-
csp.block_all_mixed_content
|
57
|
-
csp.add_default_src('foo.com', 'bar.com')
|
58
|
-
csp.img_src :none
|
59
|
-
csp.style_src
|
60
|
-
csp.report_only
|
61
|
-
end
|
62
|
-
''
|
63
|
-
end
|
64
|
-
|
65
|
-
r.get 'clear' do
|
66
|
-
content_security_policy do |csp|
|
67
|
-
csp.clear
|
68
|
-
csp.add_default_src('foo.com', 'bar.com')
|
69
|
-
end
|
70
|
-
''
|
71
|
-
end
|
72
|
-
|
73
|
-
'a'
|
74
|
-
end
|
75
|
-
end
|
76
|
-
|
77
|
-
v = "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; "
|
78
|
-
|
79
|
-
header('Content-Security-Policy', "/a").must_equal v
|
80
|
-
|
81
|
-
header('Content-Security-Policy', "/nro").must_equal v
|
82
|
-
header('Content-Security-Policy-Report-Only', "/nro").must_be_nil
|
83
|
-
body("/nro").must_equal 'false'
|
84
|
-
|
85
|
-
header('Content-Security-Policy-Report-Only', "/ro").must_equal v
|
86
|
-
header('Content-Security-Policy', "/ro").must_be_nil
|
87
|
-
|
88
|
-
body('/get').must_equal '[:self]'
|
89
|
-
|
90
|
-
header('Content-Security-Policy', "/add").must_equal "default-src 'self' foo.com bar.com; img-src 'self' example.com; style-src 'sha256-abc'; "
|
91
|
-
|
92
|
-
header('Content-Security-Policy', "/empty").must_equal "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; "
|
93
|
-
|
94
|
-
header('Content-Security-Policy', "/set").must_equal "default-src foo.com bar.com; img-src 'self' example.com; style-src 'sha256-abc'; "
|
95
|
-
|
96
|
-
body('/bool').must_equal 'true'
|
97
|
-
header('Content-Security-Policy', "/bool").must_equal "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; block-all-mixed-content; "
|
98
|
-
|
99
|
-
header('Content-Security-Policy-Report-Only', "/block").must_equal "default-src 'self' foo.com bar.com; img-src 'none'; block-all-mixed-content; "
|
100
|
-
|
101
|
-
header('Content-Security-Policy', "/clear").must_equal "default-src foo.com bar.com; "
|
102
|
-
end
|
103
|
-
|
104
|
-
it "raises error for unsupported CSP values" do
|
105
|
-
app{}
|
106
|
-
proc{app.plugin(:content_security_policy){|csp| csp.default_src Object.new}}.must_raise Roda::RodaError
|
107
|
-
proc{app.plugin(:content_security_policy){|csp| csp.default_src []}}.must_raise Roda::RodaError
|
108
|
-
proc{app.plugin(:content_security_policy){|csp| csp.default_src [:a]}}.must_raise Roda::RodaError
|
109
|
-
proc{app.plugin(:content_security_policy){|csp| csp.default_src [:a, :b, :c]}}.must_raise Roda::RodaError
|
110
|
-
end
|
111
|
-
|
112
|
-
it "supports all documented settings" do
|
113
|
-
app(:content_security_policy) do |r|
|
114
|
-
content_security_policy.send(r.path[1..-1], :self)
|
115
|
-
end
|
116
|
-
|
117
|
-
'
|
118
|
-
base_uri
|
119
|
-
child_src
|
120
|
-
connect_src
|
121
|
-
default_src
|
122
|
-
font_src
|
123
|
-
form_action
|
124
|
-
frame_ancestors
|
125
|
-
frame_src
|
126
|
-
img_src
|
127
|
-
manifest_src
|
128
|
-
media_src
|
129
|
-
object_src
|
130
|
-
plugin_types
|
131
|
-
report_uri
|
132
|
-
require_sri_for
|
133
|
-
sandbox
|
134
|
-
script_src
|
135
|
-
style_src
|
136
|
-
worker_src
|
137
|
-
'.split.each do |setting|
|
138
|
-
header('Content-Security-Policy', "/#{setting}").must_equal "#{setting.gsub('_', '-')} 'self'; "
|
139
|
-
end
|
140
|
-
end
|
141
|
-
|
142
|
-
it "does not override existing heading" do
|
143
|
-
app(:content_security_policy) do |r|
|
144
|
-
content_security_policy.default_src :self
|
145
|
-
response['Content-Security-Policy'] = "default_src 'none';"
|
146
|
-
''
|
147
|
-
end
|
148
|
-
header('Content-Security-Policy').must_equal "default_src 'none';"
|
149
|
-
end
|
150
|
-
|
151
|
-
it "works with error_handler" do
|
152
|
-
app(:bare) do
|
153
|
-
plugin(:error_handler){|_| ''}
|
154
|
-
plugin :content_security_policy do |csp|
|
155
|
-
csp.default_src :self
|
156
|
-
csp.img_src :self, 'example.com'
|
157
|
-
csp.style_src [:sha256, 'abc']
|
158
|
-
end
|
159
|
-
|
160
|
-
route do |r|
|
161
|
-
r.get 'a' do
|
162
|
-
content_security_policy.default_src 'foo.com'
|
163
|
-
raise
|
164
|
-
end
|
165
|
-
|
166
|
-
raise
|
167
|
-
end
|
168
|
-
end
|
169
|
-
|
170
|
-
header('Content-Security-Policy').must_equal "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; "
|
171
|
-
|
172
|
-
# Don't include updates before the error
|
173
|
-
header('Content-Security-Policy', '/a').must_equal "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; "
|
174
|
-
end
|
175
|
-
end
|
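--- a/data/spec/plugin/cookies_spec.rb
+++ b/data/spec/plugin/cookies_spec.rb
@@ -1,51 +0,0 @@
-require_relative "../spec_helper"
-
-describe "cookies plugin" do
-it "should set cookies on response" do
-app(:cookies) do |r|
-response.set_cookie("foo", "bar")
-response.set_cookie("bar", "baz")
-"Hello"
-end
-
-header('Set-Cookie').must_equal "foo=bar\nbar=baz"
-body.must_equal 'Hello'
-end
-
-it "should delete cookies on response" do
-app(:cookies) do |r|
-response.set_cookie("foo", "bar")
-response.delete_cookie("foo")
-"Hello"
-end
-
-header('Set-Cookie').must_match(/foo=; (max-age=0; )?expires=Thu, 01[ -]Jan[ -]1970 00:00:00 (-0000|GMT)/)
-body.must_equal 'Hello'
-end
-
-it "should pass default cookie options when setting" do
-app.plugin :cookies, :path => '/foo'
-app.route { response.set_cookie("foo", "bar") }
-header('Set-Cookie').must_equal "foo=bar; path=/foo"
-
-app.route { response.set_cookie("foo", :value=>"bar", :path=>'/baz') }
-header('Set-Cookie').must_equal "foo=bar; path=/baz"
-end
-
-it "should pass default cookie options when deleting" do
-app.plugin :cookies, :domain => 'example.com'
-app.route { response.delete_cookie("foo") }
-header('Set-Cookie').must_match(/foo=; domain=example.com; (max-age=0; )?expires=Thu, 01[ -]Jan[ -]1970 00:00:00 (-0000|GMT)/)
-
-app.route { response.delete_cookie("foo", :domain=>'bar.com') }
-header('Set-Cookie').must_match(/foo=; domain=bar.com; (max-age=0; )?expires=Thu, 01[ -]Jan[ -]1970 00:00:00 (-0000|GMT)/)
-end
-
-it "should not override existing default cookie options" do
-app.plugin :cookies, :path => '/foo'
-app.plugin :cookies
-app.route { response.set_cookie("foo", "bar") }
-
-header('Set-Cookie').must_equal "foo=bar; path=/foo"
-end
-end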
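--- a/data/spec/plugin/csrf_spec.rb
+++ b/data/spec/plugin/csrf_spec.rb
@@ -1,111 +0,0 @@
-require_relative "../spec_helper"
-
-begin
-require 'rack/csrf'
-rescue LoadError
-warn "rack_csrf not installed, skipping csrf plugin test"
-else
-describe "csrf plugin" do
-include CookieJar
-
-it "adds csrf protection and csrf helper methods" do
-app(:bare) do
-use(*DEFAULT_SESSION_MIDDLEWARE_ARGS)
-plugin :csrf, :skip=>['POST:/foo']
-
-route do |r|
-r.get do
-response['TAG'] = csrf_tag
-response['METATAG'] = csrf_metatag
-response['TOKEN'] = csrf_token
-response['FIELD'] = csrf_field
-response['HEADER'] = csrf_header
-'g'
-end
-r.post 'foo' do
-'bar'
-end
-r.post do
-'p'
-end
-end
-end
-
-io = StringIO.new
-status('REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 403
-body('/foo', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 'bar'
-
-s, h, b = req
-s.must_equal 200
-field = h['FIELD']
-token = Regexp.escape(h['TOKEN'])
-h['TAG'].must_match(/\A<input type="hidden" name="#{field}" value="#{token}" \/>\z/)
-h['METATAG'].must_match(/\A<meta name="#{field}" content="#{token}" \/>\z/)
-b.must_equal ['g']
-s, _, b = req('REQUEST_METHOD'=>'POST', 'rack.input'=>io, "HTTP_#{h['HEADER']}"=>h['TOKEN'])
-s.must_equal 200
-b.must_equal ['p']
-
-app.plugin :csrf
-body('/foo', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 'bar'
-end
-
-it "can optionally skip setting up the middleware" do
-sub_app = Class.new(Roda)
-sub_app.class_eval do
-plugin :csrf, :skip_middleware=>true
-
-route do |r|
-r.get do
-response['TAG'] = csrf_tag
-response['METATAG'] = csrf_metatag
-response['TOKEN'] = csrf_token
-response['FIELD'] = csrf_field
-response['HEADER'] = csrf_header
-'g'
-end
-r.post 'bar' do
-'foobar'
-end
-r.post do
-'p'
-end
-end
-end
-
-app(:bare) do
-use(*DEFAULT_SESSION_MIDDLEWARE_ARGS)
-plugin :csrf, :skip=>['POST:/foo/bar']
-
-route do |r|
-r.on 'foo' do
-r.run sub_app
-end
-end
-end
-
-io = StringIO.new
-status('/foo', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 403
-body('/foo/bar', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 'foobar'
-
-s, h, b = req('/foo')
-s.must_equal 200
-field = h['FIELD']
-token = Regexp.escape(h['TOKEN'])
-h['TAG'].must_match(/\A<input type="hidden" name="#{field}" value="#{token}" \/>\z/)
-h['METATAG'].must_match(/\A<meta name="#{field}" content="#{token}" \/>\z/)
-b.must_equal ['g']
-s, _, b = req('/foo', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io, "HTTP_#{h['HEADER']}"=>h['TOKEN'])
-s.must_equal 200
-b.must_equal ['p']
-
-sub_app.plugin :csrf, :skip_middleware=>true
-body('/foo/bar', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 'foobar'
-
-@app = sub_app
-s, _, b = req('/bar', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io)
-s.must_equal 200
-b.must_equal ['foobar']
-end
-end
-end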