summary refs log tree commit diff
path: root/tests/rest/media/v1
diff options
context:
space:
mode:
authorRobert Long <robert@robertlong.me>2022-06-27 06:44:05 -0700
committerGitHub <noreply@github.com>2022-06-27 14:44:05 +0100
commit9b683ea80f94de4249264cbf375523b987900c89 (patch)
treeb96da6baec0589be6fabda401ad2fdf7219adc81 /tests/rest/media/v1
parentRefactor the Dockerfile-workers configuration script to use Jinja2 templates ... (diff)
downloadsynapse-9b683ea80f94de4249264cbf375523b987900c89.tar.xz
Add Cross-Origin-Resource-Policy header to thumbnail and download media endpoints (#12944)
Diffstat (limited to 'tests/rest/media/v1')
-rw-r--r--tests/rest/media/v1/test_media_storage.py20
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/rest/media/v1/test_media_storage.py b/tests/rest/media/v1/test_media_storage.py
index 7204b2dfe0..1c67e1ca91 100644
--- a/tests/rest/media/v1/test_media_storage.py
+++ b/tests/rest/media/v1/test_media_storage.py
@@ -481,6 +481,12 @@ class MediaRepoTests(unittest.HomeserverTestCase):
 
         if expected_found:
             self.assertEqual(channel.code, 200)
+
+            self.assertEqual(
+                channel.headers.getRawHeaders(b"Cross-Origin-Resource-Policy"),
+                [b"cross-origin"],
+            )
+
             if expected_body is not None:
                 self.assertEqual(
                     channel.result["body"], expected_body, channel.result["body"]
@@ -549,6 +555,20 @@ class MediaRepoTests(unittest.HomeserverTestCase):
             [b"noindex, nofollow, noarchive, noimageindex"],
         )
 
+    def test_cross_origin_resource_policy_header(self) -> None:
+        """
+        Test that the Cross-Origin-Resource-Policy header is set to "cross-origin"
+        allowing web clients to embed media from the downloads API.
+        """
+        channel = self._req(b"inline; filename=out" + self.test_image.extension)
+
+        headers = channel.headers
+
+        self.assertEqual(
+            headers.getRawHeaders(b"Cross-Origin-Resource-Policy"),
+            [b"cross-origin"],
+        )
+
 
 class TestSpamChecker:
     """A spam checker module that rejects all media that includes the bytes