diff options
Diffstat (limited to 't')
| -rw-r--r-- | t/app/01app.t | 31 | ||||
| -rw-r--r-- | t/cobrand/councils.t | 24 |
2 files changed, 53 insertions, 2 deletions
diff --git a/t/app/01app.t b/t/app/01app.t index 7b933973b..50617d491 100644 --- a/t/app/01app.t +++ b/t/app/01app.t @@ -17,7 +17,6 @@ use charnames ':full'; ok( request('/')->is_success, 'Request should succeed' ); -SKIP: { FixMyStreet::override_config { ALLOWED_COBRANDS => [ 'tester' ], }, sub { @@ -25,6 +24,34 @@ FixMyStreet::override_config { my $num = "12( | )345"; like $page, qr/$num/; }; -} + +subtest 'CSP header' => sub { + my $res = request('/'); + is $res->header('Content-Security-Policy'), undef, 'None by default'; + + FixMyStreet::override_config { + CONTENT_SECURITY_POLICY => 1, + }, sub { + my $res = request('/'); + like $res->header('Content-Security-Policy'), qr/script-src 'self' 'unsafe-inline' 'nonce-[^']*' ; object-src 'none'; base-uri 'none'/, + 'Default CSP header if requested'; + }; + + FixMyStreet::override_config { + CONTENT_SECURITY_POLICY => 'www.example.org', + }, sub { + my $res = request('/'); + like $res->header('Content-Security-Policy'), qr/script-src 'self' 'unsafe-inline' 'nonce-[^']*' www.example.org; object-src 'none'; base-uri 'none'/, + 'With 3P domains if given'; + }; + + FixMyStreet::override_config { + CONTENT_SECURITY_POLICY => [ 'www.example.org' ], + }, sub { + my $res = request('/'); + like $res->header('Content-Security-Policy'), qr/script-src 'self' 'unsafe-inline' 'nonce-[^']*' www.example.org; object-src 'none'; base-uri 'none'/, + 'With 3P domains if given'; + }; +}; done_testing(); diff --git a/t/cobrand/councils.t b/t/cobrand/councils.t index a194a9be1..aac682b19 100644 --- a/t/cobrand/councils.t +++ b/t/cobrand/councils.t @@ -90,5 +90,29 @@ subtest "Test update shown/not shown appropriately" => sub { } }; +subtest "CSP header from feature" => sub { + foreach my $cobrand ( + { moniker => 'oxfordshire', test => 'oxon.analytics.example.org' }, + { moniker =>'fixmystreet', test => '' }, + { moniker => 'nonsecure', test => undef }, + ) { + FixMyStreet::override_config { + ALLOWED_COBRANDS => $cobrand->{moniker}, + COBRAND_FEATURES => { + content_security_policy => { + oxfordshire => 'oxon.analytics.example.org', + fixmystreet => 1, + } + }, + }, sub { + $mech->get_ok("/"); + if (defined $cobrand->{test}) { + like $mech->res->header('Content-Security-Policy'), qr/script-src 'self' 'unsafe-inline' 'nonce-[^']*' $cobrand->{test}/; + } else { + is $mech->res->header('Content-Security-Policy'), undef; + } + }; + } +}; done_testing(); |