2018-07-26 13:48:28 +00:00
|
|
|
import { getPort, loadFixture, Nuxt, rp } from '../utils'
|
2018-03-16 19:52:17 +00:00
|
|
|
|
2018-03-18 23:41:14 +00:00
|
|
|
let port
|
2018-02-01 13:31:02 +00:00
|
|
|
const url = route => 'http://localhost:' + port + route
|
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
const startCspServer = async (csp, isProduction = true) => {
|
2018-08-17 20:25:23 +00:00
|
|
|
const options = await loadFixture('basic', {
|
2018-07-30 16:04:02 +00:00
|
|
|
debug: !isProduction,
|
|
|
|
render: { csp }
|
|
|
|
})
|
2018-03-18 23:41:14 +00:00
|
|
|
const nuxt = new Nuxt(options)
|
2019-03-08 20:43:23 +00:00
|
|
|
await nuxt.ready()
|
|
|
|
|
2018-03-18 23:41:14 +00:00
|
|
|
port = await getPort()
|
2018-10-30 20:42:53 +00:00
|
|
|
await nuxt.server.listen(port, '0.0.0.0')
|
2018-02-01 13:31:02 +00:00
|
|
|
return nuxt
|
|
|
|
}
|
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
const getHeader = debug => debug ? 'content-security-policy-report-only' : 'content-security-policy'
|
|
|
|
const cspHeader = getHeader(false)
|
|
|
|
const reportOnlyHeader = getHeader(true)
|
|
|
|
|
2018-08-10 07:41:23 +00:00
|
|
|
const startCspDevServer = csp => startCspServer(csp, false)
|
2018-07-30 16:04:02 +00:00
|
|
|
|
2018-03-18 19:31:32 +00:00
|
|
|
describe('basic ssr csp', () => {
|
2018-07-30 16:04:02 +00:00
|
|
|
let nuxt
|
|
|
|
|
|
|
|
afterEach(async () => {
|
|
|
|
await nuxt.close()
|
|
|
|
})
|
|
|
|
|
|
|
|
describe('production mode', () => {
|
|
|
|
test(
|
|
|
|
'Not contain Content-Security-Policy header, when csp is false',
|
|
|
|
async () => {
|
|
|
|
nuxt = await startCspServer(false)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[cspHeader]).toBe(undefined)
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy header, when csp is set',
|
|
|
|
async () => {
|
|
|
|
nuxt = await startCspServer(true)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy-Report-Only header, when explicitly asked for',
|
|
|
|
async () => {
|
2018-08-31 20:34:12 +00:00
|
|
|
nuxt = await startCspDevServer({ reportOnly: true })
|
2018-07-30 16:04:02 +00:00
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain only unique hashes in header when csp is set',
|
|
|
|
async () => {
|
|
|
|
nuxt = await startCspServer(true)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
|
|
|
|
const uniqueHashes = [...new Set(hashes)]
|
|
|
|
|
|
|
|
expect(uniqueHashes.length).toBe(hashes.length)
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy header, when csp.allowedSources set',
|
|
|
|
async () => {
|
|
|
|
const cspOption = {
|
|
|
|
allowedSources: ['https://example.com', 'https://example.io']
|
2018-03-18 19:31:32 +00:00
|
|
|
}
|
2018-07-30 16:04:02 +00:00
|
|
|
|
|
|
|
nuxt = await startCspServer(cspOption)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)
|
2018-11-08 09:41:24 +00:00
|
|
|
expect(headers[cspHeader]).toContain('https://example.com')
|
|
|
|
expect(headers[cspHeader]).toContain('https://example.io')
|
2018-07-30 16:04:02 +00:00
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy header, when csp.policies set',
|
|
|
|
async () => {
|
|
|
|
const cspOption = {
|
|
|
|
enabled: true,
|
|
|
|
policies: {
|
|
|
|
'default-src': [`'none'`],
|
|
|
|
'script-src': ['https://example.com', 'https://example.io']
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
nuxt = await startCspServer(cspOption)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[cspHeader]).toMatch(/default-src 'none'/)
|
|
|
|
expect(headers[cspHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)
|
2018-11-08 09:41:24 +00:00
|
|
|
expect(headers[cspHeader]).toContain('https://example.com')
|
|
|
|
expect(headers[cspHeader]).toContain('https://example.io')
|
2018-03-18 19:31:32 +00:00
|
|
|
}
|
2018-07-30 16:04:02 +00:00
|
|
|
)
|
2018-02-01 13:31:02 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy header, when csp.policies.script-src is not set',
|
|
|
|
async () => {
|
|
|
|
const cspOption = {
|
|
|
|
enabled: true,
|
|
|
|
policies: {
|
|
|
|
'default-src': [`'none'`]
|
|
|
|
}
|
|
|
|
}
|
2018-02-01 13:31:02 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
nuxt = await startCspServer(cspOption)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
2018-02-02 02:51:16 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
expect(headers[cspHeader]).toMatch(/default-src 'none'/)
|
|
|
|
expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain only unique hashes in header when csp.policies is set',
|
|
|
|
async () => {
|
|
|
|
const policies = {
|
|
|
|
'default-src': [`'self'`],
|
|
|
|
'script-src': [`'self'`],
|
|
|
|
'style-src': [`'self'`]
|
|
|
|
}
|
|
|
|
|
|
|
|
nuxt = await startCspServer({
|
|
|
|
policies
|
|
|
|
})
|
2018-03-18 19:31:32 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
for (let i = 0; i < 5; i++) {
|
|
|
|
await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
2018-03-18 19:31:32 +00:00
|
|
|
}
|
2018-07-30 16:04:02 +00:00
|
|
|
|
|
|
|
const { headers } = await rp(url('/stateful'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
|
|
|
|
const uniqueHashes = [...new Set(hashes)]
|
|
|
|
|
|
|
|
expect(uniqueHashes.length).toBe(hashes.length)
|
|
|
|
}
|
|
|
|
)
|
2019-03-29 16:09:53 +00:00
|
|
|
|
|
|
|
test(
|
|
|
|
'Not contain hash when \'unsafe-inline\' option is present in script-src policy',
|
|
|
|
async () => {
|
|
|
|
const policies = {
|
|
|
|
'script-src': [`'unsafe-inline'`]
|
|
|
|
}
|
|
|
|
|
|
|
|
nuxt = await startCspServer({
|
|
|
|
policies
|
|
|
|
})
|
|
|
|
|
|
|
|
for (let i = 0; i < 5; i++) {
|
|
|
|
await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
const { headers } = await rp(url('/stateful'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[cspHeader]).toMatch(/script-src 'self' 'unsafe-inline'$/)
|
|
|
|
}
|
|
|
|
)
|
2019-06-26 15:22:45 +00:00
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain hash and \'unsafe-inline\' when unsafeInlineCompatiblity is enabled',
|
|
|
|
async () => {
|
|
|
|
const policies = {
|
|
|
|
'script-src': [`'unsafe-inline'`]
|
|
|
|
}
|
|
|
|
|
|
|
|
nuxt = await startCspServer({
|
|
|
|
unsafeInlineCompatiblity: true,
|
|
|
|
policies
|
|
|
|
})
|
|
|
|
|
|
|
|
for (let i = 0; i < 5; i++) {
|
|
|
|
await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
const { headers } = await rp(url('/stateful'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self' 'unsafe-inline'$/)
|
|
|
|
}
|
|
|
|
)
|
2018-07-30 16:04:02 +00:00
|
|
|
})
|
2019-06-26 15:22:45 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
describe('debug mode', () => {
|
|
|
|
test(
|
|
|
|
'Not contain Content-Security-Policy-Report-Only header, when csp is false',
|
|
|
|
async () => {
|
|
|
|
nuxt = await startCspDevServer(false)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[reportOnlyHeader]).toBe(undefined)
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy header, when explicitly asked for',
|
|
|
|
async () => {
|
2018-08-31 20:34:12 +00:00
|
|
|
nuxt = await startCspDevServer({ reportOnly: false })
|
2018-07-30 16:04:02 +00:00
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy header, when csp is set',
|
|
|
|
async () => {
|
|
|
|
nuxt = await startCspDevServer(true)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain only unique hashes in header when csp is set',
|
|
|
|
async () => {
|
|
|
|
nuxt = await startCspDevServer(true)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
|
|
|
|
const uniqueHashes = [...new Set(hashes)]
|
|
|
|
|
|
|
|
expect(uniqueHashes.length).toBe(hashes.length)
|
2018-03-18 19:31:32 +00:00
|
|
|
}
|
2018-07-30 16:04:02 +00:00
|
|
|
)
|
2018-02-02 02:51:16 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy-Report-Only header, when csp.allowedSources set',
|
|
|
|
async () => {
|
|
|
|
const cspOption = {
|
|
|
|
allowedSources: ['https://example.com', 'https://example.io']
|
|
|
|
}
|
2018-02-02 02:51:16 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
nuxt = await startCspDevServer(cspOption)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
2018-07-26 13:48:28 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)
|
2018-11-08 09:41:24 +00:00
|
|
|
expect(headers[reportOnlyHeader]).toContain('https://example.com')
|
|
|
|
expect(headers[reportOnlyHeader]).toContain('https://example.io')
|
2018-07-30 16:04:02 +00:00
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy-Report-Only header, when csp.policies set',
|
|
|
|
async () => {
|
|
|
|
const cspOption = {
|
|
|
|
enabled: true,
|
|
|
|
policies: {
|
|
|
|
'default-src': [`'none'`],
|
|
|
|
'script-src': ['https://example.com', 'https://example.io']
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
nuxt = await startCspDevServer(cspOption)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
2018-07-26 13:48:28 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)
|
|
|
|
expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)
|
2018-11-08 09:41:24 +00:00
|
|
|
expect(headers[reportOnlyHeader]).toContain('https://example.com')
|
|
|
|
expect(headers[reportOnlyHeader]).toContain('https://example.io')
|
2018-07-26 13:48:28 +00:00
|
|
|
}
|
2018-07-30 16:04:02 +00:00
|
|
|
)
|
2018-07-26 13:48:28 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
test(
|
|
|
|
'Contain Content-Security-Policy-Report-Only header, when csp.policies.script-src is not set',
|
|
|
|
async () => {
|
|
|
|
const cspOption = {
|
|
|
|
enabled: true,
|
|
|
|
policies: {
|
|
|
|
'default-src': [`'none'`]
|
|
|
|
}
|
|
|
|
}
|
2018-07-26 13:48:28 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
nuxt = await startCspDevServer(cspOption)
|
|
|
|
const { headers } = await rp(url('/stateless'), {
|
2018-07-26 13:48:28 +00:00
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
2018-07-30 16:04:02 +00:00
|
|
|
|
|
|
|
expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)
|
|
|
|
expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)
|
2018-07-26 13:48:28 +00:00
|
|
|
}
|
2018-07-30 16:04:02 +00:00
|
|
|
)
|
2018-07-26 13:48:28 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
test(
|
|
|
|
'Contain only unique hashes in header when csp.policies is set',
|
|
|
|
async () => {
|
|
|
|
const policies = {
|
|
|
|
'default-src': [`'self'`],
|
|
|
|
'script-src': [`'self'`],
|
|
|
|
'style-src': [`'self'`]
|
|
|
|
}
|
2018-07-26 13:48:28 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
nuxt = await startCspDevServer({
|
|
|
|
policies
|
|
|
|
})
|
2018-07-26 13:48:28 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
for (let i = 0; i < 5; i++) {
|
|
|
|
await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
}
|
2018-02-02 02:51:16 +00:00
|
|
|
|
2018-07-30 16:04:02 +00:00
|
|
|
const { headers } = await rp(url('/stateful'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
|
|
|
|
const uniqueHashes = [...new Set(hashes)]
|
|
|
|
|
|
|
|
expect(uniqueHashes.length).toBe(hashes.length)
|
|
|
|
}
|
|
|
|
)
|
2019-03-29 16:09:53 +00:00
|
|
|
|
2018-12-12 06:29:28 +00:00
|
|
|
test(
|
|
|
|
'Not contain old hashes when loading new page',
|
|
|
|
async () => {
|
|
|
|
const cspOption = {
|
|
|
|
enabled: true,
|
|
|
|
policies: {
|
|
|
|
'default-src': [`'self'`],
|
|
|
|
'script-src': ['https://example.com', 'https://example.io']
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nuxt = await startCspDevServer(cspOption)
|
|
|
|
const { headers: user1Header } = await rp(url('/users/1'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
const user1Hashes = user1Header[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
|
|
|
|
|
|
|
|
const { headers: user2Header } = await rp(url('/users/2'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
const user2Hashes = new Set(user2Header[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-')))
|
|
|
|
|
|
|
|
const intersection = new Set(user1Hashes.filter(x => user2Hashes.has(x)))
|
|
|
|
expect(intersection.size).toBe(0)
|
|
|
|
}
|
|
|
|
)
|
2019-03-29 16:09:53 +00:00
|
|
|
|
|
|
|
test(
|
|
|
|
'Not contain hash when \'unsafe-inline\' option is present in script-src policy',
|
|
|
|
async () => {
|
|
|
|
const policies = {
|
|
|
|
'script-src': [`'unsafe-inline'`]
|
|
|
|
}
|
|
|
|
|
|
|
|
nuxt = await startCspDevServer({
|
|
|
|
policies
|
|
|
|
})
|
|
|
|
|
|
|
|
for (let i = 0; i < 5; i++) {
|
|
|
|
await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
const { headers } = await rp(url('/stateful'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[reportOnlyHeader]).toMatch(/script-src 'self' 'unsafe-inline'$/)
|
|
|
|
}
|
|
|
|
)
|
2019-06-26 15:22:45 +00:00
|
|
|
|
|
|
|
test(
|
|
|
|
'Contain hash and \'unsafe-inline\' when unsafeInlineCompatiblity is enabled',
|
|
|
|
async () => {
|
|
|
|
const policies = {
|
|
|
|
'script-src': [`'unsafe-inline'`]
|
|
|
|
}
|
|
|
|
|
|
|
|
nuxt = await startCspServer({
|
|
|
|
unsafeInlineCompatiblity: true,
|
|
|
|
policies
|
|
|
|
})
|
|
|
|
|
|
|
|
for (let i = 0; i < 5; i++) {
|
|
|
|
await rp(url('/stateless'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
const { headers } = await rp(url('/stateful'), {
|
|
|
|
resolveWithFullResponse: true
|
|
|
|
})
|
|
|
|
|
|
|
|
expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self' 'unsafe-inline'$/)
|
|
|
|
}
|
|
|
|
)
|
2018-07-30 16:04:02 +00:00
|
|
|
})
|
2018-02-02 02:51:16 +00:00
|
|
|
})
|