From 52231f688dd086f6a8ccfe08b88deaae6d93bfd2 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Mon, 7 Jun 2021 20:06:44 +0200
Subject: [PATCH] Disable GA and Disqus in default CSP

Signed-off-by: David Mehren
---
 lib/config/default.js | 4 ++--
 test/csp.js | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/lib/config/default.js b/lib/config/default.js
index ed812f454..c1f3f9733 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -22,8 +22,8 @@ module.exports = {
 directives: {
 },
 addDefaults: true,
- addDisqus: true,
- addGoogleAnalytics: true,
+ addDisqus: false,
+ addGoogleAnalytics: false,
 upgradeInsecureRequests: 'auto',
 reportURI: undefined
 },
diff --git a/test/csp.js b/test/csp.js
index 705981566..154120221 100644
--- a/test/csp.js
+++ b/test/csp.js
@@ -68,6 +68,15 @@ describe('Content security policies', function () {
 assert(!csp.computeDirectives().scriptSrc.includes('https://www.google-analytics.com'))
 })
 
+ it('Enable Google Analytics', function () {
+ const testconfig = defaultConfig
+ testconfig.csp.addGoogleAnalytics = true
+ mock('../lib/config', testconfig)
+ csp = mock.reRequire('../lib/csp')
+
+ assert(csp.computeDirectives().scriptSrc.includes('https://www.google-analytics.com'))
+ })
+
 it('Disable Disqus', function () {
 const testconfig = defaultConfig
 testconfig.csp.addDisqus = false
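Review bot: The flipped defaults at `addDisqus: false` and `addGoogleAnalytics: false` carry no comment in the file, so a later reader of default.js cannot tell whether the third-party origins are deliberately kept out of the default Content-Security-Policy or simply unsupported. Suggest a short comment above the two keys: `// Third-party origins are opt-in: only widen the CSP when Disqus / Google Analytics are actually used.` Deployments that relied on the old defaults will now have those origins blocked by the policy until they set the options explicitly; whether that is surfaced in release notes or configuration docs is not visible in this diff. The enclosing `module.exports` object begins and ends outside the hunk.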
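Review bot: `const testconfig = defaultConfig` in the new 'Enable Google Analytics' test aliases the shared default config instead of copying it, so `testconfig.csp.addGoogleAnalytics = true` mutates `defaultConfig` itself and the flag stays set for every later test in the file unless something outside this hunk resets it (the `describe` block starts and ends outside the hunk, so any before/afterEach hook is not visible). The neighbouring 'Disable' tests use the same aliasing, but with the defaults now `false` this is the first test that turns a third-party origin on, so leakage would silently widen the policy that later assertions check. A per-test copy avoids that: `const testconfig = { ...defaultConfig, csp: { ...defaultConfig.csp, addGoogleAnalytics: true } }` — assuming lib/csp reads only `config.csp`, which this hunk does not show. The same pattern recurs in the 'Enable Disqus' hunk of this file.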
@@ -81,6 +90,19 @@ describe('Content security policies', function () {
 assert(!csp.computeDirectives().fontSrc.includes('https://*.disquscdn.com'))
 })
 
+ it('Enable Disqus', function () {
+ const testconfig = defaultConfig
+ testconfig.csp.addDisqus = true
+ mock('../lib/config', testconfig)
+ csp = mock.reRequire('../lib/csp')
+
+ assert(csp.computeDirectives().scriptSrc.includes('https://disqus.com'))
+ assert(csp.computeDirectives().scriptSrc.includes('https://*.disqus.com'))
+ assert(csp.computeDirectives().scriptSrc.includes('https://*.disquscdn.com'))
+ assert(csp.computeDirectives().styleSrc.includes('https://*.disquscdn.com'))
+ assert(csp.computeDirectives().fontSrc.includes('https://*.disquscdn.com'))
+ })
+
 it('Include dropbox if configured', function () {
 const testconfig = defaultConfig
 testconfig.dropbox.appKey = 'hedgedoc'
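Review bot: The new 'Enable Disqus' test calls `csp.computeDirectives()` five times in a row, once per assertion, which is noisier than needed and obscures that all five expectations are about one and the same computed policy. Compute the directive set once and assert against that value; the lines below show the shape. `const testconfig = defaultConfig` here is the same shared-object aliasing raised on the 'Enable Google Analytics' hunk, and with `addDisqus` now defaulting to `false` this test is the one that widens `scriptSrc`, `styleSrc` and `fontSrc`, so any leakage into later tests is worth preventing. The enclosing `describe` block begins and ends outside the hunk.
```javascript
    // … unchanged: testconfig / mock setup …
    csp = mock.reRequire('../lib/csp')

    const directives = csp.computeDirectives()
    assert(directives.scriptSrc.includes('https://disqus.com'))
    assert(directives.scriptSrc.includes('https://*.disqus.com'))
    assert(directives.scriptSrc.includes('https://*.disquscdn.com'))
    assert(directives.styleSrc.includes('https://*.disquscdn.com'))
    assert(directives.fontSrc.includes('https://*.disquscdn.com'))
```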