Add unit test for FrameAncestors concern

Shopify · Jul 31, 2024 · ee8941d · ee8941d
1 parent 75066d7
commit ee8941d
Showing 1 changed file with 45 additions and 17 deletions.
diff --git a/test/controllers/concerns/embedded_app_test.rb b/test/controllers/concerns/embedded_app_test.rb
@@ -3,7 +3,7 @@
 require "test_helper"
 require "action_view/testing/resolvers"
 
-class EmbeddedAppTest < ActionController::TestCase
+class EmbeddedAppTest < ActionDispatch::IntegrationTest
   class BaseTestController < ActionController::Base
     abstract!
 
@@ -28,9 +28,11 @@ def index; end
     def redirect_to_embed
       redirect_to_embed_app_in_admin
     end
-  end
 
-  tests EmbeddedAppTestController
+    def current_shopify_domain
+      nil
+    end
+  end
 
   setup do
     Rails.application.routes.draw do
@@ -42,47 +44,47 @@ def redirect_to_embed
   test "uses the embedded app layout when running in embedded mode" do
     ShopifyApp.configuration.embedded_app = true
 
-    get :index
+    get embedded_app_path
     assert_template layout: "embedded_app"
   end
 
   test "uses the default layout when running in non-embedded mode" do
     ShopifyApp.configuration.embedded_app = false
 
-    get :index
+    get embedded_app_path
     assert_template layout: "application"
   end
 
   test "sets the ESDK headers when running in embedded mode" do
     ShopifyApp.configuration.embedded_app = true
 
-    get :index
-    assert_equal @controller.response.headers["P3P"], 'CP="Not used"'
-    assert_not_includes @controller.response.headers, "X-Frame-Options"
+    get embedded_app_path
+    assert_equal response.headers["P3P"], 'CP="Not used"'
+    assert_not_includes response.headers, "X-Frame-Options"
   end
 
   test "does not touch the ESDK headers when running in non-embedded mode" do
     ShopifyApp.configuration.embedded_app = false
 
-    get :index
-    assert_not_includes @controller.response.headers, "P3P"
-    assert_includes @controller.response.headers, "X-Frame-Options"
+    get embedded_app_path
+    assert_not_includes response.headers, "P3P"
+    assert_includes response.headers, "X-Frame-Options"
   end
 
   test "#redirect_to_embed_app_in_admin redirects to the embed app in the admin when the host param is present" do
     ShopifyApp.configuration.embedded_app = true
 
     shop = "my-shop.myshopify.com"
     host = Base64.encode64("#{shop}/admin")
-    get :redirect_to_embed, params: { host: host }
+    get redirect_to_embed_path, params: { host: host }
     assert_redirected_to "https://#{shop}/admin/apps/#{ShopifyApp.configuration.api_key}/redirect_to_embed"
   end
 
   test "#redirect_to_embed_app_in_admin redirects to the embed app in the admin when the shop param is present" do
     ShopifyApp.configuration.embedded_app = true
 
     shop = "my-shop.myshopify.com"
-    get :redirect_to_embed, params: { shop: shop }
+    get redirect_to_embed_path, params: { shop: shop }
     assert_redirected_to "https://#{shop}/admin/apps/#{ShopifyApp.configuration.api_key}/redirect_to_embed"
   end
 
@@ -91,29 +93,55 @@ def redirect_to_embed
 
     shop = "my-shop.myshopify.com"
     host = Base64.encode64("#{shop}/admin")
-    get :redirect_to_embed, params: { shop: shop, foo: "bar", host: host, id_token: "id_token" }
+    get redirect_to_embed_path, params: { shop: shop, foo: "bar", host: host, id_token: "id_token" }
     assert_redirected_to "https://#{shop}/admin/apps/#{ShopifyApp.configuration.api_key}/redirect_to_embed?foo=bar"
   end
 
   test "Redirect to login URL when host nor shop param is present" do
     ShopifyApp.configuration.embedded_app = true
 
-    get :redirect_to_embed
+    get redirect_to_embed_path
     assert_redirected_to ShopifyApp.configuration.login_url
   end
 
   test "Redirect to root URL when decoded host is not a shopify domain" do
     shop = "my-shop.fakeshopify.com"
     host = Base64.encode64("#{shop}/admin")
 
-    get :redirect_to_embed, params: { host: host }
+    get redirect_to_embed_path, params: { host: host }
     assert_redirected_to ShopifyApp.configuration.root_url
   end
 
   test "Redirect to root URL when shop is not a shopify domain" do
     shop = "my-shop.fakeshopify.com"
 
-    get :redirect_to_embed, params: { shop: shop }
+    get redirect_to_embed_path, params: { shop: shop }
     assert_redirected_to ShopifyApp.configuration.root_url
   end
+
+  test "content security policy for frame ancestors contains current_shopify_domain" do
+    ShopifyApp.configuration.embedded_app = true
+    shop = "my-shop.myshopify.com"
+    EmbeddedAppTestController.any_instance.expects(:current_shopify_domain).returns(shop)
+
+    get redirect_to_embed_path
+    assert_includes response.headers["Content-Security-Policy"], shop
+  end
+
+  test "content security policy for frame ancestors contains myshopify_domain when current_shopify_domain is nil" do
+    ShopifyApp.configuration.embedded_app = true
+    ShopifyApp.configuration.myshopify_domain = "myshopify.io"
+    EmbeddedAppTestController.any_instance.expects(:current_shopify_domain).returns(nil)
+
+    get redirect_to_embed_path
+    assert_includes response.headers["Content-Security-Policy"], "*.#{ShopifyApp.configuration.myshopify_domain}"
+  end
+
+  test "content security policy for frame ancestors contains unified admin domain" do
+    ShopifyApp.configuration.embedded_app = true
+    ShopifyApp.configuration.unified_admin_domain = "shop.dev"
+
+    get redirect_to_embed_path
+    assert_includes response.headers["Content-Security-Policy"], ShopifyApp.configuration.unified_admin_domain
+  end
 end