diff --git a/spec/features/consumer/shopping/embedded_shopfronts_spec.rb b/spec/features/consumer/shopping/embedded_shopfronts_spec.rb
index 4c88cd492d..4a4900e8c3 100644
--- a/spec/features/consumer/shopping/embedded_shopfronts_spec.rb
+++ b/spec/features/consumer/shopping/embedded_shopfronts_spec.rb
@@ -9,37 +9,6 @@ feature "Using embedded shopfront functionality", js: true do
 Capybara.server_port = 9999
- describe "enabling embedded shopfronts" do
- before do
- Spree::Config[:enable_embedded_shopfronts] = false
- end
-
- it "disables iframes by default" do
- visit shops_path
- expect(page.response_headers['X-Frame-Options']).to eq 'DENY'
- expect(page.response_headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
- end
-
- it "allows iframes on certain pages when enabled in configuration" do
- quick_login_as_admin
-
- visit spree.edit_admin_general_settings_path
-
- check 'enable_embedded_shopfronts'
- fill_in 'embedded_shopfronts_whitelist', with: "test.com"
-
- click_button 'Update'
-
- visit shops_path
- expect(page.response_headers['X-Frame-Options']).to be_nil
- expect(page.response_headers['Content-Security-Policy']).to eq "frame-ancestors test.com"
-
- visit spree.admin_path
- expect(page.response_headers['X-Frame-Options']).to eq 'DENY'
- expect(page.response_headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
- end
- end
-
 describe "using iframes" do
 let(:distributor) { create(:distributor_enterprise, name: 'My Embedded Hub', permalink: 'test_enterprise', with_payment_and_shipping: true) }
 let(:supplier) { create(:supplier_enterprise) }
diff --git a/spec/requests/embedded_shopfronts_headers_spec.rb b/spec/requests/embedded_shopfronts_headers_spec.rb
new file mode 100644
index 0000000000..a991d7362c
--- /dev/null
+++ b/spec/requests/embedded_shopfronts_headers_spec.rb
@@ -0,0 +1,62 @@
+require 'spec_helper'
+
+describe "setting response headers for embedded shopfronts", type: :request do
+ include AuthenticationWorkflow
+
+ let(:enterprise) { create(:distributor_enterprise) }
+ let(:user) { enterprise.owner }
+
+ before do
+ quick_login_as(user)
+ end
+
+ context "with embedded shopfront disabled" do
+ before do
+ Spree::Config[:enable_embedded_shopfronts] = false
+ end
+
+ it "disables iframes by default" do
+ get shops_path
+ expect(response.status).to be 200
+ expect(response.headers['X-Frame-Options']).to eq 'DENY'
+ expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
+ end
+ end
+
+ context "with embedded shopfronts enabled" do
+ before do
+ Spree::Config[:enable_embedded_shopfronts] = true
+ end
+
+ context "but no whitelist" do
+ before do
+ Spree::Config[:embedded_shopfronts_whitelist] = ""
+ end
+
+ it "disables iframes" do
+ get shops_path
+ expect(response.status).to be 200
+ expect(response.headers['X-Frame-Options']).to eq 'DENY'
+ expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
+ end
+ end
+
+ context "with a valid whitelist" do
+ before do
+ Spree::Config[:embedded_shopfronts_whitelist] = "test.com"
+ end
+
+ it "allows iframes on certain pages when enabled in configuration" do
+ get shops_path
+ expect(response.status).to be 200
+ expect(response.headers['X-Frame-Options']).to be_nil
+ expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors test.com"
+
+ get spree.admin_path
+ expect(response.status).to be 200
+ expect(response.headers['X-Frame-Options']).to eq 'DENY'
+ expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
+ end
+ end
+ end
+end
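Review bot: The example `it "disables iframes by default"` sits under a `before` that forces `Spree::Config[:enable_embedded_shopfronts] = false`, so it pins the explicit-off case rather than the shipped default; either rename it (`it "disables iframes when embedding is switched off"`) or add a sibling example with no config override that asserts the same `'DENY'` / `"frame-ancestors 'none'"` headers, so a regression in the default value of that setting is caught. The `before` blocks also write `enable_embedded_shopfronts` and `embedded_shopfronts_whitelist` into `Spree::Config` and never restore them; if that store is not rolled back between examples (can't tell from here), an enabled-with-whitelist value could leak into later specs and weaken their framing assertions, so consider an `after { Spree::Config[:enable_embedded_shopfronts] = false }` at the top level. Minor: `expect(response.status).to be 200` compares by identity, which only works because small Integers are immediates; `eq 200` states the intent.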