no message (+1 squashed commit)
Squashed commits:
[af2cb43ff8] chore: Move 'sandbox' and 'navigate-to' into `unsupportedCSPDirectives`
- Add additional system tests
- Update snapshots and unit test
pgoforth committed Jun 5, 2023
1 parent bfd150d commit 1b5b4fb
Showing 5 changed files with 32 additions and 5 deletions.
2 changes: 1 addition & 1 deletion cli/types/cypress.d.ts
Expand Up @@ -2672,7 +2672,7 @@ declare namespace Cypress {
force: boolean
}

type experimentalCspAllowedDirectives = 'default-src' | 'child-src' | 'frame-src' | 'script-src' | 'script-src-elem' | 'sandbox' | 'form-action' | 'navigate-to'
type experimentalCspAllowedDirectives = 'default-src' | 'child-src' | 'frame-src' | 'script-src' | 'script-src-elem' | 'form-action'

type scrollBehaviorOptions = false | 'center' | 'top' | 'bottom' | 'nearest'

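Review bot: The allowed-directive list is now hand-maintained in four places that must move in lockstep — this `experimentalCspAllowedDirectives` alias, the `isArrayIncludingAny(...)` argument list in packages/config/src/options.ts, `problematicCspDirectives` in packages/proxy/lib/http/util/csp-header.ts and the expected string in packages/server/test/unit/config_spec.js — and this commit had to edit all four just to move two entries. Deriving the others from one source, e.g. `export const experimentalCspAllowedDirectives = ['default-src', 'child-src', 'frame-src', 'script-src', 'script-src-elem', 'form-action'] as const` with `type experimentalCspAllowedDirectives = typeof experimentalCspAllowedDirectives[number]`, would stop the runtime validator and the type from drifting apart; whether the declaration file in cli/types can consume a value exported from packages/ is something I cannot tell from this page. A short TSDoc line on the alias saying these are the only directives `experimentalCspAllowList` may name would also help, since the alias currently carries no comment. The `declare namespace Cypress` block continues outside the hunk.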
2 changes: 1 addition & 1 deletion packages/config/src/options.ts
Expand Up @@ -201,7 +201,7 @@ const driverConfigOptions: Array<DriverConfigOption> = [
}, {
name: 'experimentalCspAllowList',
defaultValue: false,
validation: validate.validateAny(validate.isBoolean, validate.isArrayIncludingAny('script-src-elem', 'script-src', 'default-src', 'sandbox', 'form-action', 'navigate-to', 'child-src', 'frame-src')),
validation: validate.validateAny(validate.isBoolean, validate.isArrayIncludingAny('script-src-elem', 'script-src', 'default-src', 'form-action', 'child-src', 'frame-src')),
overrideLevel: 'never',
requireRestartOnChange: 'server',
}, {
10 changes: 9 additions & 1 deletion packages/proxy/lib/http/util/csp-header.ts
Expand Up @@ -8,7 +8,7 @@ export const nonceDirectives = ['script-src-elem', 'script-src', 'default-src']

export const problematicCspDirectives = [
...nonceDirectives,
'child-src', 'frame-src', 'sandbox', 'form-action', 'navigate-to',
'child-src', 'frame-src', 'form-action',
] as Cypress.experimentalCspAllowedDirectives[]

export const unsupportedCSPDirectives = [
Expand All @@ -19,6 +19,14 @@ export const unsupportedCSPDirectives = [
* top-level frame.
*/
'frame-ancestors',
/**
* The `navigate-to` directive is not yet fully supported, so we are erring on the side of caution
*/
'navigate-to',
/**
* The `sandbox` directive seems to affect all iframes on the page, even if the page is a direct child of Cypress
*/
'sandbox',
/**
* Since Cypress might modify the DOM of the application under test, `trusted-types` would prevent the
* DOM injection from occurring.
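Review bot: The comments on the two new `unsupportedCSPDirectives` entries say why each directive is troublesome but not what listing it here means for the application under test: judging by the array's name and the new system tests titled "always stripped", both directives are removed from the response header outright rather than relaxed, so an application that relies on `sandbox` or `navigate-to` runs under Cypress with a weaker policy than in production and a regression in that part of its policy cannot be caught by these tests. I would state that on the entries, e.g. for `navigate-to`: `Stripped entirely, not relaxed: pages that depend on this directive run without that restriction under Cypress.` The phrase "not yet fully supported" in the `navigate-to` comment is also ambiguous between browser support and Cypress's own handling of the directive, and naming which would help whoever later decides whether the entry can move back to `problematicCspDirectives`. The array is opened at the end of the first hunk and continues past the second.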
4 changes: 2 additions & 2 deletions packages/server/test/unit/config_spec.js
Expand Up @@ -573,7 +573,7 @@ describe('lib/config', () => {
})

context('experimentalCspAllowList', () => {
const experimentalCspAllowedDirectives = JSON.stringify(['script-src-elem', 'script-src', 'default-src', 'sandbox', 'form-action', 'navigate-to', 'child-src', 'frame-src']).split(',').join(', ')
const experimentalCspAllowedDirectives = JSON.stringify(['script-src-elem', 'script-src', 'default-src', 'form-action', 'child-src', 'frame-src']).split(',').join(', ')

it('passes if false', function () {
this.setup({ experimentalCspAllowList: false })
Expand All @@ -600,7 +600,7 @@ describe('lib/config', () => {
})

it('passes if subset of Cypress.experimentalCspAllowedDirectives[]', function () {
this.setup({ experimentalCspAllowList: ['default-src', 'sandbox'] })
this.setup({ experimentalCspAllowList: ['default-src', 'form-action'] })

return this.expectValidationPasses()
})
Expand Up @@ -39,6 +39,25 @@ describe('experimentalCspAllowList is custom or true', () => {

cy.get('h1').contains('CSP Script Test Modified').should('be.visible')
})

it('sandbox is always stripped', () => {
// Since sandbox is inclusive, all other sandbox actions would be restricted except for `allow-downloads`
visitUrl.searchParams.append('csp', `sandbox 'allow-downloads'`)
cy.visit(visitUrl.toString())

// expect the form to post and navigate to a new page, meaning the sandbox directive was stripped
cy.get('#submit').click()
cy.contains('Cannot POST /').should('exist')
})

it('navigate-to is always stripped', () => {
visitUrl.searchParams.append('csp', `navigate-to 'none'`)
cy.visit(visitUrl.toString())

// expect the form to post and navigate to a new page, meaning the navigate-to directive was stripped
cy.get('#submit').click()
cy.contains('Cannot POST /').should('exist')
})
})

describe('allowed', () => {

0 comments on commit 1b5b4fb

Please sign in to comment.