/* jshint esversion: 6 */
/* jslint node: true */
'use strict';
const test = require('ava');
const CSP = require('../');
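/**
 * Build a minimal stand-in for an Express/Connect `res` object.
 *
 * The middleware under test is only given `setHeader` and `removeHeader`, so
 * that is all the stub provides. Every call is recorded on `result` so the
 * tests can assert on what the middleware actually did:
 *
 *   - `result.name` / `result.value`: the most recent `setHeader` call
 *     (kept for the existing assertions);
 *   - `result.headers`: every header that was set, keyed by name, so a test
 *     can tell when more than one header was written and only the last one
 *     would otherwise be visible;
 *   - `result.removed`: the names passed to `removeHeader`, in call order
 *     (the original stub silently discarded these).
 *
 * @param {object} result - mutable object the recorded calls are written to
 * @returns {{setHeader: function(string, string): void, removeHeader: function(string): void}}
 */
function getRes (result) {
  result.headers = {};
  result.removed = [];
  return {
    setHeader: (name, value) => {
      result.name = name;
      result.value = value;
      result.headers[name] = value;
    },
    removeHeader: name => {
      result.removed.push(name);
    }
  };
}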
function next () {}
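test('Starter options', t => {
  const cspFunction = CSP.getCSP(CSP.STARTER_OPTIONS);
  const result = {};
  cspFunction(null, getRes(result), next);
  // The starter policy must be enforced, not merely reported.
  t.is(result.name, 'Content-Security-Policy');
  // Compare whole directives instead of substrings: the previous
  // `indexOf("script-src 'self'") > -1` would still pass on
  // "script-src 'self' 'unsafe-inline'", so a loosened starter policy could
  // slip through unnoticed. Directives are ';'-separated per the CSP grammar;
  // whitespace inside a directive is normalised so only the content matters.
  const directives = result.value
    .split(';')
    .map(directive => directive.trim().replace(/\s+/g, ' '))
    .filter(directive => directive.length > 0);
  const expected = [
    'default-src \'none\'',
    'script-src \'self\'',
    'connect-src \'self\'',
    'img-src \'self\'',
    'style-src \'self\'',
    'child-src \'self\'',
    'form-action \'self\'',
    'frame-ancestors \'self\'',
    // plugin-types is deprecated in CSP Level 3 and ignored by current
    // browsers; it is still asserted because the starter options emit it.
    'plugin-types \'none\''
  ];
  for (const directive of expected) {
    // Include the full header in the message so a failure shows what was
    // actually emitted, not just which directive was expected.
    t.true(directives.includes(directive), `${directive} (got: ${result.value})`);
  }
});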
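test('Report only', t => {
  const policy = {
    'default-src': CSP.SRC_NONE,
    'report-only': true
  };
  const cspFunction = CSP.getCSP(policy);
  const result = {};
  cspFunction(null, getRes(result), next);
  // Report-only switches the header name; the browser then reports violations
  // without blocking anything, so the name is the point of this test.
  t.is(result.name, 'Content-Security-Policy-Report-Only');
  // Match whole directives rather than substrings so an extra source appended
  // to default-src would be noticed. Directives are ';'-separated per the
  // CSP grammar.
  const directives = result.value
    .split(';')
    .map(directive => directive.trim().replace(/\s+/g, ' '))
    .filter(directive => directive.length > 0);
  t.true(directives.includes('default-src \'none\''), `default-src (got: ${result.value})`);
  // `report-only` is an option of this module, not a CSP directive: it must
  // not leak into the header value, where browsers would ignore it as unknown.
  t.false(
    directives.some(directive => directive.startsWith('report-only')),
    `report-only must not be serialized (got: ${result.value})`
  );
});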
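test('All policies', t => {
  // These fixture values only exercise serialization of every supported key.
  // They are deliberately not a sensible policy (an http: style source,
  // 'unsafe-inline' in script-src, `data:` in frame-ancestors, placeholder
  // sources like '123') and must not be copied into a real configuration.
  const policy = {
    // report-uri is deprecated in CSP Level 3 in favour of report-to, but it
    // is still what this module serializes.
    'report-uri': '/reporting',
    'sandbox': [ CSP.SANDBOX_ALLOW_FORMS ],
    'default-src': CSP.SRC_NONE,
    // `SRC_USAFE_INLINE` is the spelling exported by the module under test;
    // the assertion below checks that it still serializes as 'unsafe-inline'.
    'script-src': [ CSP.SRC_SELF, CSP.SRC_USAFE_INLINE ],
    'object-src': 'https://google.com',
    'style-src': 'http://tmp.com',
    'img-src': 'https://flikr.com',
    'media-src': '123',
    'frame-src': '456',
    'font-src': '789',
    'connect-src': 'abc',
    'child-src': 'def',
    'form-action': 'ghi',
    'worker-src': CSP.SRC_BLOB,
    'frame-ancestors': [CSP.SRC_SELF, CSP.SRC_DATA],
    'plugin-types': CSP.SRC_NONE
  };
  const result = {};
  const cspFunction = CSP.getCSP(policy);
  cspFunction(null, getRes(result), next);
  t.is(result.name, 'Content-Security-Policy');
  // Compare whole directives instead of substrings so an extra source appended
  // to any directive fails the test. Directives are ';'-separated per the CSP
  // grammar; whitespace inside a directive is normalised.
  const directives = result.value
    .split(';')
    .map(directive => directive.trim().replace(/\s+/g, ' '))
    .filter(directive => directive.length > 0);
  // Keyed by directive name so each assertion message names the right
  // directive (the original labelled the sandbox check 'style-src').
  const expected = {
    'report-uri': 'report-uri /reporting',
    'sandbox': 'sandbox allow-forms',
    'default-src': 'default-src \'none\'',
    'script-src': 'script-src \'self\' \'unsafe-inline\'',
    'object-src': 'object-src https://google.com',
    'style-src': 'style-src http://tmp.com',
    'img-src': 'img-src https://flikr.com',
    'media-src': 'media-src 123',
    'frame-src': 'frame-src 456',
    'font-src': 'font-src 789',
    'connect-src': 'connect-src abc',
    'child-src': 'child-src def',
    'form-action': 'form-action ghi',
    'worker-src': 'worker-src blob:',
    'frame-ancestors': 'frame-ancestors \'self\' data:',
    'plugin-types': 'plugin-types \'none\''
  };
  for (const [label, directive] of Object.entries(expected)) {
    t.true(directives.includes(directive), `${label} (got: ${result.value})`);
  }
  // A directive name must appear only once: per the CSP parsing algorithm a
  // browser keeps the first occurrence and ignores later ones, so a duplicate
  // would silently drop whichever value came second.
  const names = directives.map(directive => directive.split(' ')[0]);
  t.is(new Set(names).size, names.length, `duplicate directive in: ${result.value}`);
});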