Nuxt/test/unit/basic.ssr.csp.test.js

import { getPort, loadFixture, Nuxt, rp } from '../utils'

let port
const url = route => 'http://localhost:' + port + route

const startCspServer = async (csp, isProduction = true) => {
  const options = await loadFixture('basic', {
    debug: !isProduction,
    render: { csp }
  })
  const nuxt = new Nuxt(options)
  await nuxt.ready()

  port = await getPort()
  await nuxt.server.listen(port, '0.0.0.0')
  return nuxt
}

const getHeader = debug => debug ? 'content-security-policy-report-only' : 'content-security-policy'
const cspHeader = getHeader(false)
const reportOnlyHeader = getHeader(true)

const startCspDevServer = csp => startCspServer(csp, false)

describe('basic ssr csp', () => {
  let nuxt

  afterEach(async () => {
    await nuxt.close()
  })

  describe('production mode', () => {
    test(
      'Not contain Content-Security-Policy header, when csp is false',
      async () => {
        nuxt = await startCspServer(false)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toBe(undefined)
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp is set',
      async () => {
        nuxt = await startCspServer(true)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
      }
    )

    test(
      'Contain Content-Security-Policy-Report-Only header, when explicitly asked for',
      async () => {
        nuxt = await startCspDevServer({ reportOnly: true })
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
      }
    )

    test(
      'Contain only unique hashes in header when csp is set',
      async () => {
        nuxt = await startCspServer(true)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
        const uniqueHashes = [...new Set(hashes)]

        expect(uniqueHashes.length).toBe(hashes.length)
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp.allowedSources set',
      async () => {
        const cspOption = {
          allowedSources: ['https://example.com', 'https://example.io']
        }

        nuxt = await startCspServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)
        expect(headers[cspHeader]).toContain('https://example.com')
        expect(headers[cspHeader]).toContain('https://example.io')
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp.policies set',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'none'`],
            'script-src': ['https://example.com', 'https://example.io']
          }
        }

        nuxt = await startCspServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/default-src 'none'/)
        expect(headers[cspHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)
        expect(headers[cspHeader]).toContain('https://example.com')
        expect(headers[cspHeader]).toContain('https://example.io')
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp.policies.script-src is not set',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'none'`]
          }
        }

        nuxt = await startCspServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/default-src 'none'/)
        expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)
      }
    )

    test(
      'Contain only unique hashes in header when csp.policies is set',
      async () => {
        const policies = {
          'default-src': [`'self'`],
          'script-src': [`'self'`],
          'style-src': [`'self'`]
        }

        nuxt = await startCspServer({
          policies
        })

        for (let i = 0; i < 5; i++) {
          await rp(url('/stateless'), {
            resolveWithFullResponse: true
          })
        }

        const { headers } = await rp(url('/stateful'), {
          resolveWithFullResponse: true
        })

        const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
        const uniqueHashes = [...new Set(hashes)]

        expect(uniqueHashes.length).toBe(hashes.length)
      }
    )

    test(
      'Not contain hash when \'unsafe-inline\' option is present in script-src policy',
      async () => {
        const policies = {
          'script-src': [`'unsafe-inline'`]
        }

        nuxt = await startCspServer({
          policies
        })

        for (let i = 0; i < 5; i++) {
          await rp(url('/stateless'), {
            resolveWithFullResponse: true
          })
        }

        const { headers } = await rp(url('/stateful'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/script-src 'self' 'unsafe-inline'$/)
      }
    )
  })
  describe('debug mode', () => {
    test(
      'Not contain Content-Security-Policy-Report-Only header, when csp is false',
      async () => {
        nuxt = await startCspDevServer(false)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toBe(undefined)
      }
    )

    test(
      'Contain Content-Security-Policy header, when explicitly asked for',
      async () => {
        nuxt = await startCspDevServer({ reportOnly: false })
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
      }
    )

    test(
      'Contain Content-Security-Policy header, when csp is set',
      async () => {
        nuxt = await startCspDevServer(true)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)
      }
    )

    test(
      'Contain only unique hashes in header when csp is set',
      async () => {
        nuxt = await startCspDevServer(true)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
        const uniqueHashes = [...new Set(hashes)]

        expect(uniqueHashes.length).toBe(hashes.length)
      }
    )

    test(
      'Contain Content-Security-Policy-Report-Only header, when csp.allowedSources set',
      async () => {
        const cspOption = {
          allowedSources: ['https://example.com', 'https://example.io']
        }

        nuxt = await startCspDevServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)
        expect(headers[reportOnlyHeader]).toContain('https://example.com')
        expect(headers[reportOnlyHeader]).toContain('https://example.io')
      }
    )

    test(
      'Contain Content-Security-Policy-Report-Only header, when csp.policies set',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'none'`],
            'script-src': ['https://example.com', 'https://example.io']
          }
        }

        nuxt = await startCspDevServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)
        expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)
        expect(headers[reportOnlyHeader]).toContain('https://example.com')
        expect(headers[reportOnlyHeader]).toContain('https://example.io')
      }
    )

    test(
      'Contain Content-Security-Policy-Report-Only header, when csp.policies.script-src is not set',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'none'`]
          }
        }

        nuxt = await startCspDevServer(cspOption)
        const { headers } = await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)
        expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)
      }
    )

    test(
      'Contain only unique hashes in header when csp.policies is set',
      async () => {
        const policies = {
          'default-src': [`'self'`],
          'script-src': [`'self'`],
          'style-src': [`'self'`]
        }

        nuxt = await startCspDevServer({
          policies
        })

        for (let i = 0; i < 5; i++) {
          await rp(url('/stateless'), {
            resolveWithFullResponse: true
          })
        }

        const { headers } = await rp(url('/stateful'), {
          resolveWithFullResponse: true
        })

        const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))
        const uniqueHashes = [...new Set(hashes)]

        expect(uniqueHashes.length).toBe(hashes.length)
      }
    )

    test(
      'Not contain old hashes when loading new page',
      async () => {
        const cspOption = {
          enabled: true,
          policies: {
            'default-src': [`'self'`],
            'script-src': ['https://example.com', 'https://example.io']
          }
        }
        nuxt = await startCspDevServer(cspOption)
        const { headers: user1Header } = await rp(url('/users/1'), {
          resolveWithFullResponse: true
        })
        const user1Hashes = user1Header[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))

        const { headers: user2Header } = await rp(url('/users/2'), {
          resolveWithFullResponse: true
        })
        const user2Hashes = new Set(user2Header[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-')))

        const intersection = new Set(user1Hashes.filter(x => user2Hashes.has(x)))
        expect(intersection.size).toBe(0)
      }
    )

    test(
      'Not contain hash when \'unsafe-inline\' option is present in script-src policy',
      async () => {
        const policies = {
          'script-src': [`'unsafe-inline'`]
        }

        nuxt = await startCspDevServer({
          policies
        })

        for (let i = 0; i < 5; i++) {
          await rp(url('/stateless'), {
            resolveWithFullResponse: true
          })
        }

        const { headers } = await rp(url('/stateful'), {
          resolveWithFullResponse: true
        })

        expect(headers[reportOnlyHeader]).toMatch(/script-src 'self' 'unsafe-inline'$/)
      }
    )
  })
})
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`import { getPort, loadFixture, Nuxt, rp } from '../utils'`
eslint: fix import/order 2018-03-16 19:52:17 +00:00
working tests 2018-03-18 23:41:14 +00:00			`let port`
add more test 2018-02-01 13:31:02 +00:00			`const url = route => 'http://localhost:' + port + route`

feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`const startCspServer = async (csp, isProduction = true) => {`
fix: appveyor test failure (#3754) * fix: appveyor test failure * ci: bring back yarn cache * ci: turn off matrix * refactor: use babel instead of esm in jest * refactor: use es modules in fixtures 2018-08-17 20:25:23 +00:00			`const options = await loadFixture('basic', {`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`debug: !isProduction,`
			`render: { csp }`
			`})`
working tests 2018-03-18 23:41:14 +00:00			`const nuxt = new Nuxt(options)`
refactor: remove builder coupling from server (#5157) 2019-03-08 20:43:23 +00:00			`await nuxt.ready()`

working tests 2018-03-18 23:41:14 +00:00			`port = await getPort()`
refactor core into sub-packages (#4202) 2018-10-30 20:42:53 +00:00			`await nuxt.server.listen(port, '0.0.0.0')`
add more test 2018-02-01 13:31:02 +00:00			`return nuxt`
			`}`

feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`const getHeader = debug => debug ? 'content-security-policy-report-only' : 'content-security-policy'`
			`const cspHeader = getHeader(false)`
			`const reportOnlyHeader = getHeader(true)`

lint: require await in async function (#3676) * lint: require await in async function * lint: replace "error" with 2 in config 2018-08-10 07:41:23 +00:00			`const startCspDevServer = csp => startCspServer(csp, false)`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`describe('basic ssr csp', () => {`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`let nuxt`

			`afterEach(async () => {`
			`await nuxt.close()`
			`})`

			`describe('production mode', () => {`
			`test(`
			`'Not contain Content-Security-Policy header, when csp is false',`
			`async () => {`
			`nuxt = await startCspServer(false)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toBe(undefined)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp is set',`
			`async () => {`
			`nuxt = await startCspServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy-Report-Only header, when explicitly asked for',`
			`async () => {`
feat: upgrade eslint to 5.x (#3494) - [ ] babel-eslint https://github.com/babel/babel-eslint/issues/664 - [x] eslint-config-standard-jsx https://github.com/standard/eslint-config-standard-jsx/issues/32 - [x] eslint-config-standard to be stable release https://github.com/standard/eslint-config-standard/issues/123 - [x] eslint-plugin-html - [x] eslint-plugin-import - [x] eslint-plugin-jest - [x] eslint-plugin-node - [x] eslint-plugin-promise - [x] eslint-plugin-standard https://github.com/standard/eslint-plugin-standard/issues/29 - [x] eslint-plugin-vue https://github.com/vuejs/eslint-plugin-vue/pull/504 - [x] eslint-plugin-react https://github.com/yannickcr/eslint-plugin-react/releases/tag/v7.10.0 2018-08-31 20:34:12 +00:00			`nuxt = await startCspDevServer({ reportOnly: true })`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)`
			`}`
			`)`

			`test(`
			`'Contain only unique hashes in header when csp is set',`
			`async () => {`
			`nuxt = await startCspServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp.allowedSources set',`
			`async () => {`
			`const cspOption = {`
			`allowedSources: ['https://example.com', 'https://example.io']`
basic migration to jest 2018-03-18 19:31:32 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00
			`nuxt = await startCspServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)`
test: improve tests (#4237) 2018-11-08 09:41:24 +00:00			`expect(headers[cspHeader]).toContain('https://example.com')`
			`expect(headers[cspHeader]).toContain('https://example.io')`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp.policies set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`],
			`'script-src': ['https://example.com', 'https://example.io']`
			`}`
			`}`

			`nuxt = await startCspServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/default-src 'none'/)`
			`expect(headers[cspHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)`
test: improve tests (#4237) 2018-11-08 09:41:24 +00:00			`expect(headers[cspHeader]).toContain('https://example.com')`
			`expect(headers[cspHeader]).toContain('https://example.io')`
basic migration to jest 2018-03-18 19:31:32 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`)`
add more test 2018-02-01 13:31:02 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`test(`
			`'Contain Content-Security-Policy header, when csp.policies.script-src is not set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`]
			`}`
			`}`
add more test 2018-02-01 13:31:02 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`nuxt = await startCspServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
add test case 2018-02-02 02:51:16 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`expect(headers[cspHeader]).toMatch(/default-src 'none'/)`
			`expect(headers[cspHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)`
			`}`
			`)`

			`test(`
			`'Contain only unique hashes in header when csp.policies is set',`
			`async () => {`
			`const policies = {`
			'default-src': [`'self'`],
			'script-src': [`'self'`],
			'style-src': [`'self'`]
			`}`

			`nuxt = await startCspServer({`
			`policies`
			`})`
basic migration to jest 2018-03-18 19:31:32 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`for (let i = 0; i < 5; i++) {`
			`await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
basic migration to jest 2018-03-18 19:31:32 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00
			`const { headers } = await rp(url('/stateful'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers[cspHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
			`}`
			`)`
fix(vue-renderer): add the csp hash if `unsafe-inline` hasn't been specified (#5387) 2019-03-29 16:09:53 +00:00
			`test(`
			`'Not contain hash when \'unsafe-inline\' option is present in script-src policy',`
			`async () => {`
			`const policies = {`
			'script-src': [`'unsafe-inline'`]
			`}`

			`nuxt = await startCspServer({`
			`policies`
			`})`

			`for (let i = 0; i < 5; i++) {`
			`await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
			`}`

			`const { headers } = await rp(url('/stateful'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/script-src 'self' 'unsafe-inline'$/)`
			`}`
			`)`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`})`
			`describe('debug mode', () => {`
			`test(`
			`'Not contain Content-Security-Policy-Report-Only header, when csp is false',`
			`async () => {`
			`nuxt = await startCspDevServer(false)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[reportOnlyHeader]).toBe(undefined)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when explicitly asked for',`
			`async () => {`
feat: upgrade eslint to 5.x (#3494) - [ ] babel-eslint https://github.com/babel/babel-eslint/issues/664 - [x] eslint-config-standard-jsx https://github.com/standard/eslint-config-standard-jsx/issues/32 - [x] eslint-config-standard to be stable release https://github.com/standard/eslint-config-standard/issues/123 - [x] eslint-plugin-html - [x] eslint-plugin-import - [x] eslint-plugin-jest - [x] eslint-plugin-node - [x] eslint-plugin-promise - [x] eslint-plugin-standard https://github.com/standard/eslint-plugin-standard/issues/29 - [x] eslint-plugin-vue https://github.com/vuejs/eslint-plugin-vue/pull/504 - [x] eslint-plugin-react https://github.com/yannickcr/eslint-plugin-react/releases/tag/v7.10.0 2018-08-31 20:34:12 +00:00			`nuxt = await startCspDevServer({ reportOnly: false })`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[cspHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)`
			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp is set',`
			`async () => {`
			`nuxt = await startCspDevServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'$/)`
			`}`
			`)`

			`test(`
			`'Contain only unique hashes in header when csp is set',`
			`async () => {`
			`nuxt = await startCspDevServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
basic migration to jest 2018-03-18 19:31:32 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`)`
add test case 2018-02-02 02:51:16 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`test(`
			`'Contain Content-Security-Policy-Report-Only header, when csp.allowedSources set',`
			`async () => {`
			`const cspOption = {`
			`allowedSources: ['https://example.com', 'https://example.io']`
			`}`
add test case 2018-02-02 02:51:16 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`nuxt = await startCspDevServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`expect(headers[reportOnlyHeader]).toMatch(/^script-src 'self' 'sha256-.*'/)`
test: improve tests (#4237) 2018-11-08 09:41:24 +00:00			`expect(headers[reportOnlyHeader]).toContain('https://example.com')`
			`expect(headers[reportOnlyHeader]).toContain('https://example.io')`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`}`
			`)`

			`test(`
			`'Contain Content-Security-Policy-Report-Only header, when csp.policies set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`],
			`'script-src': ['https://example.com', 'https://example.io']`
			`}`
			`}`

			`nuxt = await startCspDevServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)`
			`expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-(.*)?' 'self'/)`
test: improve tests (#4237) 2018-11-08 09:41:24 +00:00			`expect(headers[reportOnlyHeader]).toContain('https://example.com')`
			`expect(headers[reportOnlyHeader]).toContain('https://example.io')`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`test(`
			`'Contain Content-Security-Policy-Report-Only header, when csp.policies.script-src is not set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`]
			`}`
			`}`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`nuxt = await startCspDevServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`resolveWithFullResponse: true`
			`})`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00
			`expect(headers[reportOnlyHeader]).toMatch(/default-src 'none'/)`
			`expect(headers[reportOnlyHeader]).toMatch(/script-src 'sha256-.*' 'self'$/)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`}`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`test(`
			`'Contain only unique hashes in header when csp.policies is set',`
			`async () => {`
			`const policies = {`
			'default-src': [`'self'`],
			'script-src': [`'self'`],
			'style-src': [`'self'`]
			`}`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`nuxt = await startCspDevServer({`
			`policies`
			`})`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`for (let i = 0; i < 5; i++) {`
			`await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
			`}`
add test case 2018-02-02 02:51:16 +00:00
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`const { headers } = await rp(url('/stateful'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
			`}`
			`)`
fix(vue-renderer): add the csp hash if `unsafe-inline` hasn't been specified (#5387) 2019-03-29 16:09:53 +00:00
fix: csp SHA hashes accumulate when using custom script-src rules (#4519) [skip ci] 2018-12-12 06:29:28 +00:00			`test(`
			`'Not contain old hashes when loading new page',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'self'`],
			`'script-src': ['https://example.com', 'https://example.io']`
			`}`
			`}`
			`nuxt = await startCspDevServer(cspOption)`
			`const { headers: user1Header } = await rp(url('/users/1'), {`
			`resolveWithFullResponse: true`
			`})`
			`const user1Hashes = user1Header[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-'))`

			`const { headers: user2Header } = await rp(url('/users/2'), {`
			`resolveWithFullResponse: true`
			`})`
			`const user2Hashes = new Set(user2Header[reportOnlyHeader].split(' ').filter(s => s.startsWith('\'sha256-')))`

			`const intersection = new Set(user1Hashes.filter(x => user2Hashes.has(x)))`
			`expect(intersection.size).toBe(0)`
			`}`
			`)`
fix(vue-renderer): add the csp hash if `unsafe-inline` hasn't been specified (#5387) 2019-03-29 16:09:53 +00:00
			`test(`
			`'Not contain hash when \'unsafe-inline\' option is present in script-src policy',`
			`async () => {`
			`const policies = {`
			'script-src': [`'unsafe-inline'`]
			`}`

			`nuxt = await startCspDevServer({`
			`policies`
			`})`

			`for (let i = 0; i < 5; i++) {`
			`await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
			`}`

			`const { headers } = await rp(url('/stateful'), {`
			`resolveWithFullResponse: true`
			`})`

			`expect(headers[reportOnlyHeader]).toMatch(/script-src 'self' 'unsafe-inline'$/)`
			`}`
			`)`
feat(csp): add reportOnly option (#3559) 2018-07-30 16:04:02 +00:00			`})`
add test case 2018-02-02 02:51:16 +00:00			`})`