ep_helmet 11.0.16 → 11.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/expressConfigure.js +7 -1
  2. package/package.json +1 -1
  3. package/static/tests/frontend-new/specs/smoke.spec.ts +13 -0
package/expressConfigure.js CHANGED
@@ -5,7 +5,13 @@ const crypto = require('crypto');
5
5
  const settings = require('ep_etherpad-lite/node/utils/Settings');
6
6
 
7
7
  exports.expressConfigure = (hookName, app, cb) => {
8
- app.app.use(helmet());
8
+ // Disable helmet's default Content-Security-Policy so the plugin
9
+ // doesn't accidentally lock down a working Etherpad install. The
10
+ // optional settings.ep_helmet.csp block below is the documented way
11
+ // for operators to opt in. With the default in place, strict
12
+ // 'script-src self' broke every page that relied on inline scripts
13
+ // or runtime eval (notably Playwright's waitForFunction in tests).
14
+ app.app.use(helmet({contentSecurityPolicy: false}));
9
15
 
10
16
  if (settings.ep_helmet) {
11
17
  console.debug('Using config from Helmet. ', settings.ep_helmet);
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "description": "Adds Security headers to Etherpad Express responses, including CSP(content security policy), and x-frame-origin, useful for if you embed Etherpad in an iFrame",
3
3
  "name": "ep_helmet",
4
- "version": "11.0.16",
4
+ "version": "11.0.17",
5
5
  "author": {
6
6
  "name": "John McLear",
7
7
  "email": "john@mclear.co.uk"
package/static/tests/frontend-new/specs/smoke.spec.ts ADDED
@@ -0,0 +1,13 @@
1
+ import {expect, test} from '@playwright/test';
2
+ import {getPadBody, goToNewPad} from 'ep_etherpad-lite/tests/frontend-new/helper/padHelper';
3
+
4
+ test.beforeEach(async ({page}) => {
5
+ await goToNewPad(page);
6
+ });
7
+
8
+ test.describe('ep_helmet', () => {
9
+ test('pad loads with plugin installed', async ({page}) => {
10
+ const padBody = await getPadBody(page);
11
+ await expect(padBody).toBeVisible();
12
+ });
13
+ });