test_frame_src_csp_header_set fails on customized ALLOWED_IFRAME_SOURCES #4825

Closed
opened 2026-02-05 09:18:50 +03:00 by OVERLORD · 1 comment

Originally created by @mueller-contria on GitHub (Jun 13, 2024).

Describe the Bug

test_frame_src_csp_header_set() (in tests/SecurityHeaderTest.php) tests the CspHeader->frame-src against a fixed string, identical to the default-setting for ALLOWED_IFRAME_SOURCES.
If we customize ALLOWED_IFRAME_SOURCES in our .env, the test fails.

Comparable environment variables are defined in the phpunit.xml, but unfortunately not ALLOWED_IFRAME_SOURCES.

I will provide a Pull-Request for phpunit.xml soon.

Steps to Reproduce

  1. Add a line like ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://*.google.com" to your .env-file
  2. Execute vendor/bin/phpunit --filter test_frame_src_csp_header_set
  3. The test fails
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'frame-src 'self' https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com'
+'frame-src 'self' https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://*.google.com'

Expected Behaviour

The test should pass.

The tests should not rely on the ALLOWED_IFRAME_SOURCES-value set in .env. Instead, phpunit.xml should define the value of this env-var.

Screenshots or Additional Context

No response

Browser Details

CLI / PHPUnit

Exact BookStack Version

v24.03-dev

OVERLORD added the 🐛 Bug label 2026-02-05 09:18:50 +03:00

@ssddanbrown commented on GitHub (Jul 14, 2024):

Closed with merge of #5069, thanks again @mueller-contria!


Reference: starred/BookStack#4825