const { expect } = require('chai')
const fetch = require('node-fetch')
const Settings = require('@overleaf/settings')
// Origin of the web instance under test. HTTP_TEST_HOST overrides the host
// when the app is not reachable on loopback; the port is fixed at 23000.
const testHost = process.env.HTTP_TEST_HOST || '127.0.0.1'
const BASE_URL = `http://${testHost}:23000`
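/**
 * Acceptance tests for the Permissions-Policy response header.
 *
 * The header is expected on rendered, user-facing pages only, and only while
 * `Settings.useHttpPermissionsPolicy` is enabled. The directive list is
 * compared with strict equality so that any new directive, or any widening of
 * an allowlist (for example an extra `autoplay` origin), fails this test and
 * has to be reviewed deliberately instead of slipping through.
 */
describe('HttpPermissionsPolicy', function () {
  it('should have permissions-policy header on user-facing pages', async function () {
    const response = await fetch(BASE_URL)
    // Exact match on purpose: every feature is denied except the two that are
    // explicitly allowlisted at the end (autoplay and fullscreen).
    expect(response.headers.get('permissions-policy')).to.equal(
      'accelerometer=(), attribution-reporting=(), browsing-topics=(), camera=(), display-capture=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), window-management=(), xr-spatial-tracking=(), autoplay=(self "https://videos.ctfassets.net"), fullscreen=(self)'
    )
  })

  it('should not have permissions-policy header on requests for non-rendered content', async function () {
    // /dev/csrf is not a rendered page, so the header must not be attached.
    const response = await fetch(`${BASE_URL}/dev/csrf`)
    expect(response.headers.get('permissions-policy')).to.be.null
  })

  describe('when permissions policy is disabled', function () {
    let originalSetting

    beforeEach(function () {
      // Remember the configured value so it can be restored afterwards.
      // Leaving the flag false would leak into every later test that runs in
      // this process and silently weaken their header assertions.
      originalSetting = Settings.useHttpPermissionsPolicy
      Settings.useHttpPermissionsPolicy = false
    })

    afterEach(function () {
      Settings.useHttpPermissionsPolicy = originalSetting
    })

    it('it adds no additional headers', async function () {
      // Assumes the middleware reads the flag on each request rather than
      // capturing it at startup (the original test relied on the same thing).
      const response = await fetch(BASE_URL)
      expect(response.headers.get('permissions-policy')).to.be.null
    })
  })
})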