Nuxt/test/unit/basic.ssr.csp.test.js

import { getPort, loadFixture, Nuxt, rp } from '../utils'

let port
const url = route => 'http://localhost:' + port + route

const startCspServer = async (csp, isProduction = true) => {
  const options = loadFixture('basic', {
    debug: !isProduction,
    render: { csp }
  })
  const nuxt = new Nuxt(options)
  port = await getPort()
  await nuxt.listen(port, '0.0.0.0')
  return nuxt
}

const getHeader = debug => debug ? 'content-security-policy-report-only' : 'content-security-policy'
const cspHeader = getHeader(false)
const reportOnlyHeader = getHeader(true)

const startCspDevServer = async csp => startCspServer(csp, false)

describe('basic ssr csp', () => {
  let nuxt

  afterEach(async () => {
    await nuxt.close()
  })

  describe('production mode', () => {
    test(
      'Not contain Content-Security-Policy header, when csp is false',
      async () => {
        nuxt = await startCspServer(false)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toBe(undefined)
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp is set',
      async () => {
        nuxt = await startCspServer(true)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
      }
    )

    test(
      'Contain Content-Security-Policy-Report-Only header, when explicitly asked for',
      async () => {
        nuxt = await startCspDevServer({reportOnly: true})
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
      }
    )

    test(
      'Contain only unique hashes in header when csp is set',
      async () => {
        nuxt = await startCspServer(true)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
        const uniqueHashes = [...new Set(hashes)]

        expect(uniqueHashes.length).toBe(hashes.length)
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp.allowedSources set',
      async () => {
        const cspOption = {
          allowedSources: ['https://example.com', 'https://example.io']
        }

        nuxt = await startCspServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)
        expect(headers[cspHeader].includes('https://example.com')).toBe(true)
        expect(headers[cspHeader].includes('https://example.io')).toBe(true)
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp.policies set',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'none'`],
            'script-src': ['https://example.com', 'https://example.io']
          }
        }

        nuxt = await startCspServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/default-src 'none'/)
        expect(headers[cspHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)
        expect(headers[cspHeader].includes('https://example.com')).toBe(true)
        expect(headers[cspHeader].includes('https://example.io')).toBe(true)
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp.policies.script-src is not set',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'none'`]
          }
        }

        nuxt = await startCspServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/default-src 'none'/)
        expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)
      }
    )

    test(
      'Contain only unique hashes in header when csp.policies is set',
      async () => {
        const policies = {
          'default-src': [`'self'`],
          'script-src': [`'self'`],
          'style-src': [`'self'`]
        }

        nuxt = await startCspServer({
          policies
        })

        for (let i = 0; i < 5; i++) {
          await rp(url('/stateless'), {
            resolveWithFullResponse: true
          })
        }

        const { headers } = await rp(url('/stateful'), {
          resolveWithFullResponse: true
        })

        const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
        const uniqueHashes = [...new Set(hashes)]

        expect(uniqueHashes.length).toBe(hashes.length)
      }
    )
  })
  describe('debug mode', () => {
    test(
      'Not contain Content-Security-Policy-Report-Only header, when csp is false',
      async () => {
        nuxt = await startCspDevServer(false)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toBe(undefined)
      }
    )

    test(
      'Contain Content-Security-Policy header, when explicitly asked for',
      async () => {
        nuxt = await startCspDevServer({reportOnly: false})
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp is set',
      async () => {
        nuxt = await startCspDevServer(true)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
      }
    )

    test(
      'Contain only unique hashes in header when csp is set',
      async () => {
        nuxt = await startCspDevServer(true)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
        const uniqueHashes = [...new Set(hashes)]

        expect(uniqueHashes.length).toBe(hashes.length)
      }
    )

    test(
      'Contain Content-Security-Policy-Report-Only header, when csp.allowedSources set',
      async () => {
        const cspOption = {
          allowedSources: ['https://example.com', 'https://example.io']
        }

        nuxt = await startCspDevServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)
        expect(headers[reportOnlyHeader].includes('https://example.com')).toBe(true)
        expect(headers[reportOnlyHeader].includes('https://example.io')).toBe(true)
      }
    )

    test(
      'Contain Content-Security-Policy-Report-Only header, when csp.policies set',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'none'`],
            'script-src': ['https://example.com', 'https://example.io']
          }
        }

        nuxt = await startCspDevServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)
        expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)
        expect(headers[reportOnlyHeader].includes('https://example.com')).toBe(true)
        expect(headers[reportOnlyHeader].includes('https://example.io')).toBe(true)
      }
    )

    test(
      'Contain Content-Security-Policy-Report-Only header, when csp.policies.script-src is not set',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'none'`]
          }
        }

        nuxt = await startCspDevServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)
        expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)
      }
    )

    test(
      'Contain only unique hashes in header when csp.policies is set',
      async () => {
        const policies = {
          'default-src': [`'self'`],
          'script-src': [`'self'`],
          'style-src': [`'self'`]
        }

        nuxt = await startCspDevServer({
          policies
        })

        for (let i = 0; i < 5; i++) {
          await rp(url('/stateless'), {
            resolveWithFullResponse: true
          })
        }

        const { headers } = await rp(url('/stateful'), {
          resolveWithFullResponse: true
        })

        const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
        const uniqueHashes = [...new Set(hashes)]

        expect(uniqueHashes.length).toBe(hashes.length)
      }
    )
  })
})
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`import { getPort, loadFixture, Nuxt, rp } from '../utils'`
eslint: fix import/order 2018-03-16 19:52:17 +00:00
working tests 2018-03-18 23:41:14 +00:00			`let port`
add more test 2018-02-01 13:31:02 +00:00			`const url = route => 'http://localhost:' + port + route`

feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`const startCspServer = async (csp, isProduction = true) => {`
			`const options = loadFixture('basic', {`
			`debug: !isProduction,`
			`render: { csp }`
			`})`
working tests 2018-03-18 23:41:14 +00:00			`const nuxt = new Nuxt(options)`
			`port = await getPort()`
basic migration to jest 2018-03-18 19:31:32 +00:00			`await nuxt.listen(port, '0.0.0.0')`
add more test 2018-02-01 13:31:02 +00:00			`return nuxt`
			`}`

feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`const getHeader = debug => debug ? 'content-security-policy-report-only' : 'content-security-policy'`
			`const cspHeader = getHeader(false)`
			`const reportOnlyHeader = getHeader(true)`

			`const startCspDevServer = async csp => startCspServer(csp, false)`

basic migration to jest 2018-03-18 19:31:32 +00:00			`describe('basic ssr csp', () => {`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`let nuxt`

			`afterEach(async () => {`
			`await nuxt.close()`
			`})`

			`describe('production mode', () => {`
			`test(`
			`'Not contain Content-Security-Policy header, when csp is false',`
			`async () => {`
			`nuxt = await startCspServer(false)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toBe(undefined)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp is set',`
			`async () => {`
			`nuxt = await startCspServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy-Report-Only header, when explicitly asked for',`
			`async () => {`
			`nuxt = await startCspDevServer({reportOnly: true})`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)`
			`}`
			`)`

			`test(`
			`'Contain only unique hashes in header when csp is set',`
			`async () => {`
			`nuxt = await startCspServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp.allowedSources set',`
			`async () => {`
			`const cspOption = {`
			`allowedSources: ['https://example.com', 'https://example.io']`
basic migration to jest 2018-03-18 19:31:32 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00
			`nuxt = await startCspServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)`
			`expect(headers[cspHeader].includes('https://example.com')).toBe(true)`
			`expect(headers[cspHeader].includes('https://example.io')).toBe(true)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp.policies set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`],
			`'script-src': ['https://example.com', 'https://example.io']`
			`}`
			`}`

			`nuxt = await startCspServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/default-src 'none'/)`
			`expect(headers[cspHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)`
			`expect(headers[cspHeader].includes('https://example.com')).toBe(true)`
			`expect(headers[cspHeader].includes('https://example.io')).toBe(true)`
basic migration to jest 2018-03-18 19:31:32 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`)`
add more test 2018-02-01 13:31:02 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`test(`
			`'Contain Content-Security-Policy header, when csp.policies.script-src is not set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`]
			`}`
			`}`
add more test 2018-02-01 13:31:02 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`nuxt = await startCspServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
add test case 2018-02-02 02:51:16 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`expect(headers[cspHeader]).toMatch(/default-src 'none'/)`
			`expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)`
			`}`
			`)`

			`test(`
			`'Contain only unique hashes in header when csp.policies is set',`
			`async () => {`
			`const policies = {`
			'default-src': [`'self'`],
			'script-src': [`'self'`],
			'style-src': [`'self'`]
			`}`

			`nuxt = await startCspServer({`
			`policies`
			`})`
basic migration to jest 2018-03-18 19:31:32 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`for (let i = 0; i < 5; i++) {`
			`await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
basic migration to jest 2018-03-18 19:31:32 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00
			`const { headers } = await rp(url('/stateful'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
			`}`
			`)`
			`})`
			`describe('debug mode', () => {`
			`test(`
			`'Not contain Content-Security-Policy-Report-Only header, when csp is false',`
			`async () => {`
			`nuxt = await startCspDevServer(false)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[reportOnlyHeader]).toBe(undefined)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when explicitly asked for',`
			`async () => {`
			`nuxt = await startCspDevServer({reportOnly: false})`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp is set',`
			`async () => {`
			`nuxt = await startCspDevServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)`
			`}`
			`)`

			`test(`
			`'Contain only unique hashes in header when csp is set',`
			`async () => {`
			`nuxt = await startCspDevServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
basic migration to jest 2018-03-18 19:31:32 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`)`
add test case 2018-02-02 02:51:16 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`test(`
			`'Contain Content-Security-Policy-Report-Only header, when csp.allowedSources set',`
			`async () => {`
			`const cspOption = {`
			`allowedSources: ['https://example.com', 'https://example.io']`
			`}`
add test case 2018-02-02 02:51:16 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`nuxt = await startCspDevServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)`
			`expect(headers[reportOnlyHeader].includes('https://example.com')).toBe(true)`
			`expect(headers[reportOnlyHeader].includes('https://example.io')).toBe(true)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy-Report-Only header, when csp.policies set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`],
			`'script-src': ['https://example.com', 'https://example.io']`
			`}`
			`}`

			`nuxt = await startCspDevServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)`
			`expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)`
			`expect(headers[reportOnlyHeader].includes('https://example.com')).toBe(true)`
			`expect(headers[reportOnlyHeader].includes('https://example.io')).toBe(true)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`test(`
			`'Contain Content-Security-Policy-Report-Only header, when csp.policies.script-src is not set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`]
			`}`
			`}`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`nuxt = await startCspDevServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`resolveWithFullResponse: true`
			`})`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00
			`expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)`
			`expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`test(`
			`'Contain only unique hashes in header when csp.policies is set',`
			`async () => {`
			`const policies = {`
			'default-src': [`'self'`],
			'script-src': [`'self'`],
			'style-src': [`'self'`]
			`}`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`nuxt = await startCspDevServer({`
			`policies`
			`})`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`for (let i = 0; i < 5; i++) {`
			`await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
			`}`
add test case 2018-02-02 02:51:16 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`const { headers } = await rp(url('/stateful'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
			`}`
			`)`
			`})`
add test case 2018-02-02 02:51:16 +00:00			`})`