overleaf/services/web/test/acceptance/src/HttpPermissionsPolicyTests.js

const { expect } = require('chai')
const fetch = require('node-fetch')
const Settings = require('@overleaf/settings')

const BASE_URL = `http://${process.env.HTTP_TEST_HOST || 'localhost'}:23000`

describe('HttpPermissionsPolicy', function () {
  it('should have permissions-policy header on user-facing pages', async function () {
    const response = await fetch(BASE_URL)

    expect(response.headers.get('permissions-policy')).to.equal(
      'accelerometer=(), attribution-reporting=(), browsing-topics=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), window-management=(), xr-spatial-tracking=(), autoplay=(self "https://videos.ctfassets.net")'
    )
  })

  it('should not have permissions-policy header on requests for non-rendered content', async function () {
    const response = await fetch(`${BASE_URL}/dev/csrf`)

    expect(response.headers.get('permissions-policy')).to.be.null
  })

  describe('when permissions policy is disabled', function () {
    it('it adds no additional headers', async function () {
      Settings.useHttpPermissionsPolicy = false
      const response = await fetch(BASE_URL)
      expect(response.headers.get('permissions-policy')).to.be.null
    })
  })
})
Merge pull request #17596 from overleaf/rh-permissions-policy [web] Add Permissions-Policy header GitOrigin-RevId: 8934bbbda411102580d9ef8af135dcdc147627f9 2024-04-05 07:46:41 -04:00			`const { expect } = require('chai')`
			`const fetch = require('node-fetch')`
			`const Settings = require('@overleaf/settings')`

			const BASE_URL = `http://${process.env.HTTP_TEST_HOST \|\| 'localhost'}:23000`

			`describe('HttpPermissionsPolicy', function () {`
			`it('should have permissions-policy header on user-facing pages', async function () {`
			`const response = await fetch(BASE_URL)`

			`expect(response.headers.get('permissions-policy')).to.equal(`
			`'accelerometer=(), attribution-reporting=(), browsing-topics=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), window-management=(), xr-spatial-tracking=(), autoplay=(self "https://videos.ctfassets.net")'`
			`)`
			`})`

			`it('should not have permissions-policy header on requests for non-rendered content', async function () {`
			const response = await fetch(`${BASE_URL}/dev/csrf`)

			`expect(response.headers.get('permissions-policy')).to.be.null`
			`})`

			`describe('when permissions policy is disabled', function () {`
			`it('it adds no additional headers', async function () {`
			`Settings.useHttpPermissionsPolicy = false`
			`const response = await fetch(BASE_URL)`
			`expect(response.headers.get('permissions-policy')).to.be.null`
			`})`
			`})`
			`})`