SecurityHeaders middleware widened its CSP to allow Next.js inline scripts + data:/blob: images (platform/internal/middleware/securityheaders.go:44, canvas is reverse-proxied through the gin stack so it needs the permissive policy). The two CSP asserts in securityheaders_test.go still hard-compared against the old tight `default-src 'self'`, so they fail on main as of this afternoon. Fix: assert each expected CSP fragment is PRESENT in the header (substring match) instead of byte-for-byte equality. Test intent is "CSP is set, starts with tight default-src, contains the expected directives" — not "CSP matches this exact string". Future subsource tuning (add a new CDN, bump blob:/data: scope) won't re-break this test. Caught because every PR touching anything in the monorepo currently fails the Platform (Go) CI job on these two asserts. Fixing on a dedicated branch so it can land ahead of every blocked PR in the queue.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
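As an added illustration of the test intent described in the commit message (not the project's own test code), the check below parses the policy into directives and asserts that each expected directive carries each expected source, rather than comparing the whole header byte-for-byte. The sample policy and the required-directive map are constructed for this example; the real header emitted by securityheaders.go is not on the page.

```go
package main

import "fmt"
import "strings"

// Constructed sample policy in the spirit of the one the commit message describes
// (tight default-src, inline scripts, data:/blob: images); not the project's real header.
const sampleCSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data: blob:"

// parseCSP splits a policy into directive name -> set of source tokens.
func parseCSP(policy string) map[string]map[string]bool {
	out := map[string]map[string]bool{}
	for _, d := range strings.Split(policy, ";") {
		if fields := strings.Fields(d); len(fields) > 0 {
			srcs := map[string]bool{}
			for _, s := range fields[1:] {
				srcs[s] = true
			}
			out[strings.ToLower(fields[0])] = srcs
		}
	}
	return out
}

// cspSatisfies encodes the test intent from the commit message: header present and
// starting with the tight default-src, and every required directive carrying each
// expected source. Order and extra sources are ignored, so later tuning (a new
// CDN, wider blob:/data: scope) will not re-break the test.
func cspSatisfies(header string, required map[string][]string) error {
	if !strings.HasPrefix(header, "default-src 'self'") {
		return fmt.Errorf("CSP missing or not starting with tight default-src: %q", header)
	}
	parsed := parseCSP(header)
	for name, srcs := range required {
		for _, s := range srcs {
			if !parsed[name][s] { // nil map lookup is false: covers a missing directive too
				return fmt.Errorf("directive %s missing or lacks source %s", name, s)
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(cspSatisfies(sampleCSP, map[string][]string{"img-src": {"data:", "blob:"}}))
}
```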