Nuxt/test/unit/basic.ssr.csp.test.js

import { getPort, loadFixture, Nuxt, rp } from '../utils'

let port
const url = route => 'http://localhost:' + port + route

const startCSPTestServer = async (csp) => {
  const options = loadFixture('basic', { render: { csp } })
  const nuxt = new Nuxt(options)
  port = await getPort()
  await nuxt.listen(port, '0.0.0.0')
  return nuxt
}

describe('basic ssr csp', () => {
  test(
    'Not contain Content-Security-Policy header, when csp is false',
    async () => {
      const nuxt = await startCSPTestServer(false)
      const { headers } = await rp(url('/stateless'), {
        resolveWithFullResponse: true
      })

      expect(headers['content-security-policy']).toBe(undefined)

      await nuxt.close()
    }
  )

  test(
    'Contain Content-Security-Policy header, when csp is set',
    async () => {
      const nuxt = await startCSPTestServer(true)
      const { headers } = await rp(url('/stateless'), {
        resolveWithFullResponse: true
      })

      expect(headers['content-security-policy']).toMatch(/^script-src 'self' 'sha256-.*'$/)

      await nuxt.close()
    }
  )

  test(
    'Contain only unique hashes in header when csp is set',
    async () => {
      const nuxt = await startCSPTestServer(true)
      const { headers } = await rp(url('/stateless'), {
        resolveWithFullResponse: true
      })

      const hashes = headers['content-security-policy'].split(' ').filter(s => s.startsWith('\'sha256-'))
      const uniqueHashes = [...new Set(hashes)]

      expect(uniqueHashes.length).toBe(hashes.length)

      await nuxt.close()
    }
  )

  test(
    'Contain Content-Security-Policy header, when csp.allowedSources set',
    async () => {
      const cspOption = {
        allowedSources: ['https://example.com', 'https://example.io']
      }

      const nuxt = await startCSPTestServer(cspOption)
      const { headers } = await rp(url('/stateless'), {
        resolveWithFullResponse: true
      })

      expect(headers['content-security-policy']).toMatch(/^script-src 'self' 'sha256-.*'/)
      expect(headers['content-security-policy'].includes('https://example.com')).toBe(true)
      expect(headers['content-security-policy'].includes('https://example.io')).toBe(true)

      await nuxt.close()
    }
  )

  test(
    'Contain Content-Security-Policy header, when csp.policies set',
    async () => {
      const cspOption = {
        enabled: true,
        policies: {
          'default-src': [`'none'`],
          'script-src': ['https://example.com', 'https://example.io']
        }
      }

      const nuxt = await startCSPTestServer(cspOption)
      const { headers } = await rp(url('/stateless'), {
        resolveWithFullResponse: true
      })

      expect(headers['content-security-policy']).toMatch(/default-src 'none'/)
      expect(headers['content-security-policy']).toMatch(/script-src 'sha256-(.*)?' 'self'/)
      expect(headers['content-security-policy'].includes('https://example.com')).toBe(true)
      expect(headers['content-security-policy'].includes('https://example.io')).toBe(true)

      await nuxt.close()
    }
  )

  test(
    'Contain Content-Security-Policy header, when csp.policies.script-src is not set',
    async () => {
      const cspOption = {
        enabled: true,
        policies: {
          'default-src': [`'none'`]
        }
      }

      const nuxt = await startCSPTestServer(cspOption)
      const { headers } = await rp(url('/stateless'), {
        resolveWithFullResponse: true
      })

      expect(headers['content-security-policy']).toMatch(/default-src 'none'/)
      expect(headers['content-security-policy']).toMatch(/script-src 'sha256-.*' 'self'$/)

      await nuxt.close()
    }
  )

  test(
    'Contain only unique hashes in header when csp.policies is set',
    async () => {
      const policies = {
        'default-src': [`'self'`],
        'script-src': [`'self'`],
        'style-src': [`'self'`]
      }

      const nuxt = await startCSPTestServer({
        policies
      })

      for (let i = 0; i < 5; i++) {
        await rp(url('/stateless'), {
          resolveWithFullResponse: true
        })
      }

      const { headers } = await rp(url('/stateful'), {
        resolveWithFullResponse: true
      })

      const hashes = headers['content-security-policy'].split(' ').filter(s => s.startsWith('\'sha256-'))
      const uniqueHashes = [...new Set(hashes)]

      expect(uniqueHashes.length).toBe(hashes.length)

      await nuxt.close()
    }
  )
})
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`import { getPort, loadFixture, Nuxt, rp } from '../utils'`
eslint: fix import/order 2018-03-16 19:52:17 +00:00
working tests 2018-03-18 23:41:14 +00:00			`let port`
add more test 2018-02-01 13:31:02 +00:00			`const url = route => 'http://localhost:' + port + route`

basic migration to jest 2018-03-18 19:31:32 +00:00			`const startCSPTestServer = async (csp) => {`
working tests 2018-03-18 23:41:14 +00:00			`const options = loadFixture('basic', { render: { csp } })`
			`const nuxt = new Nuxt(options)`
			`port = await getPort()`
basic migration to jest 2018-03-18 19:31:32 +00:00			`await nuxt.listen(port, '0.0.0.0')`
add more test 2018-02-01 13:31:02 +00:00			`return nuxt`
			`}`

basic migration to jest 2018-03-18 19:31:32 +00:00			`describe('basic ssr csp', () => {`
			`test(`
refactor: smiplify csp 2018-07-01 12:39:30 +00:00			`'Not contain Content-Security-Policy header, when csp is false',`
basic migration to jest 2018-03-18 19:31:32 +00:00			`async () => {`
refactor: smiplify csp 2018-07-01 12:39:30 +00:00			`const nuxt = await startCSPTestServer(false)`
basic migration to jest 2018-03-18 19:31:32 +00:00			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`expect(headers['content-security-policy']).toBe(undefined)`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`await nuxt.close()`
			`}`
			`)`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`test(`
refactor: smiplify csp 2018-07-01 12:39:30 +00:00			`'Contain Content-Security-Policy header, when csp is set',`
basic migration to jest 2018-03-18 19:31:32 +00:00			`async () => {`
refactor: smiplify csp 2018-07-01 12:39:30 +00:00			`const nuxt = await startCSPTestServer(true)`
basic migration to jest 2018-03-18 19:31:32 +00:00			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`expect(headers['content-security-policy']).toMatch(/^script-src 'self' 'sha256-.*'$/)`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`await nuxt.close()`
			`}`
			`)`

fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`test(`
			`'Contain only unique hashes in header when csp is set',`
			`async () => {`
			`const nuxt = await startCSPTestServer(true)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers['content-security-policy'].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`

			`await nuxt.close()`
			`}`
			`)`

basic migration to jest 2018-03-18 19:31:32 +00:00			`test(`
			`'Contain Content-Security-Policy header, when csp.allowedSources set',`
			`async () => {`
			`const cspOption = {`
			`allowedSources: ['https://example.com', 'https://example.io']`
			`}`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`const nuxt = await startCSPTestServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`expect(headers['content-security-policy']).toMatch(/^script-src 'self' 'sha256-.*'/)`
			`expect(headers['content-security-policy'].includes('https://example.com')).toBe(true)`
			`expect(headers['content-security-policy'].includes('https://example.io')).toBe(true)`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`await nuxt.close()`
add more test 2018-02-01 13:31:02 +00:00			`}`
basic migration to jest 2018-03-18 19:31:32 +00:00			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp.policies set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`],
			`'script-src': ['https://example.com', 'https://example.io']`
			`}`
			`}`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`const nuxt = await startCSPTestServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
add more test 2018-02-01 13:31:02 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`expect(headers['content-security-policy']).toMatch(/default-src 'none'/)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`expect(headers['content-security-policy']).toMatch(/script-src 'sha256-(.*)?' 'self'/)`
basic migration to jest 2018-03-18 19:31:32 +00:00			`expect(headers['content-security-policy'].includes('https://example.com')).toBe(true)`
			`expect(headers['content-security-policy'].includes('https://example.io')).toBe(true)`
add test case 2018-02-02 02:51:16 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`await nuxt.close()`
add test case 2018-02-02 02:51:16 +00:00			`}`
basic migration to jest 2018-03-18 19:31:32 +00:00			`)`

			`test(`
			`'Contain Content-Security-Policy header, when csp.policies.script-src is not set',`
			`async () => {`
			`const cspOption = {`
			`enabled: true,`
			`policies: {`
			'default-src': [`'none'`]
			`}`
			`}`
add test case 2018-02-02 02:51:16 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`const nuxt = await startCSPTestServer(cspOption)`
			`const { headers } = await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
add test case 2018-02-02 02:51:16 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`expect(headers['content-security-policy']).toMatch(/default-src 'none'/)`
fix(csp): remove duplicate sha-256 hashes (#3574) 2018-07-26 13:48:28 +00:00			`expect(headers['content-security-policy']).toMatch(/script-src 'sha256-.*' 'self'$/)`

			`await nuxt.close()`
			`}`
			`)`

			`test(`
			`'Contain only unique hashes in header when csp.policies is set',`
			`async () => {`
			`const policies = {`
			'default-src': [`'self'`],
			'script-src': [`'self'`],
			'style-src': [`'self'`]
			`}`

			`const nuxt = await startCSPTestServer({`
			`policies`
			`})`

			`for (let i = 0; i < 5; i++) {`
			`await rp(url('/stateless'), {`
			`resolveWithFullResponse: true`
			`})`
			`}`

			`const { headers } = await rp(url('/stateful'), {`
			`resolveWithFullResponse: true`
			`})`

			`const hashes = headers['content-security-policy'].split(' ').filter(s => s.startsWith('\'sha256-'))`
			`const uniqueHashes = [...new Set(hashes)]`

			`expect(uniqueHashes.length).toBe(hashes.length)`
add test case 2018-02-02 02:51:16 +00:00
basic migration to jest 2018-03-18 19:31:32 +00:00			`await nuxt.close()`
			`}`
			`)`
add test case 2018-02-02 02:51:16 +00:00			`})`