#!/usr/bin/env perl
use strict;
use warnings;
use utf8;
package FixMyStreet::Cobrand::Tester;
use parent 'FixMyStreet::Cobrand::FixaMinGata';
# Fixed front-page statistics for the test cobrand, so the rendered page
# contains a known update count (12345) that the test below can look for.
# Returns a hash reference with the keys new, fixed and updates.
sub front_stats_data {
    my %stats = (
        new     => 0,
        fixed   => 0,
        updates => 12345,
    );
    return \%stats;
}
package main;
use Encode;
use Test::More;
use Catalyst::Test 'FixMyStreet::App';
use charnames ':full';
# Smoke check: the front page responds successfully with the default config.
my $front_page = request('/');
ok( $front_page->is_success, 'Request should succeed' );

# With only the 'tester' cobrand allowed, the front page should show the
# stubbed update count (12345) split into groups of digits.
FixMyStreet::override_config {
    ALLOWED_COBRANDS => [ 'tester' ],
}, sub {
    my $html = decode_utf8( get('/') );

    # NOTE(review): the two alternatives in the group look identical here;
    # presumably they are different kinds of space (e.g. plain and
    # non-breaking) in the original file. Confirm against the file's bytes.
    my $grouped_count = "12( | )345";
    like $html, qr/$grouped_count/;
};
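# Checks the Content-Security-Policy header on the front page for each form
# the CONTENT_SECURITY_POLICY setting can take: unset, a true flag, a single
# third-party host string, and an array reference of hosts.
subtest 'CSP header' => sub {
    # With CONTENT_SECURITY_POLICY unset, no CSP header is expected.
    my $res = request('/');
    is $res->header('Content-Security-Policy'), undef, 'None by default';

    # A nonce-source is only useful with a value in it, so require at least
    # one character between 'nonce-' and the closing quote. The previous
    # pattern ([^']*) also accepted an empty nonce, which would have let a
    # broken nonce generator pass unnoticed.
    # NOTE(review): nothing here checks that the nonce differs between
    # responses; worth a separate assertion if the app guarantees that.
    my $nonce = qr/'nonce-[^']+'/;

    # 'unsafe-inline' is expected next to the nonce: browsers that honour
    # nonces disregard 'unsafe-inline' when a nonce is present, so it only
    # acts as a fallback for browsers without nonce support.
    my $script_src = qr/script-src 'self' 'unsafe-inline' $nonce/;

    # Directives that follow script-src in every configured variant.
    my $lockdown = qr/; object-src 'none'; base-uri 'none'/;

    # A bare true value enables the policy with no third-party hosts; the
    # source list then ends with a space before the semicolon.
    FixMyStreet::override_config {
        CONTENT_SECURITY_POLICY => 1,
    }, sub {
        my $res = request('/');
        like $res->header('Content-Security-Policy'), qr/$script_src $lockdown/,
            'Default CSP header if requested';
    };

    # The third-party host may be configured as a plain string or as an array
    # reference; both must yield the same header. The dots are escaped so
    # that only the literal host name satisfies the check.
    for my $third_party ( 'www.example.org', [ 'www.example.org' ] ) {
        FixMyStreet::override_config {
            CONTENT_SECURITY_POLICY => $third_party,
        }, sub {
            my $res = request('/');
            like $res->header('Content-Security-Policy'),
                qr/$script_src www\.example\.org$lockdown/,
                'With 3P domains if given';
        };
    }
};

done_testing();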