mirror of https://github.com/nuxt/nuxt.git
115 lines
3.2 KiB
JavaScript
115 lines
3.2 KiB
JavaScript
import { loadFixture, getPort, Nuxt, rp } from '../utils'
|
|
|
|
let port
|
|
const url = route => 'http://localhost:' + port + route
|
|
|
|
const startCSPTestServer = async (csp) => {
|
|
const options = loadFixture('basic', { render: { csp } })
|
|
const nuxt = new Nuxt(options)
|
|
port = await getPort()
|
|
await nuxt.listen(port, '0.0.0.0')
|
|
return nuxt
|
|
}
|
|
|
|
describe('basic ssr csp', () => {
|
|
test(
|
|
'Not contain Content-Security-Policy header, when csp.enabled is not set',
|
|
async () => {
|
|
const nuxt = await startCSPTestServer({})
|
|
const { headers } = await rp(url('/stateless'), {
|
|
resolveWithFullResponse: true
|
|
})
|
|
|
|
expect(headers['content-security-policy']).toBe(undefined)
|
|
|
|
await nuxt.close()
|
|
}
|
|
)
|
|
|
|
test(
|
|
'Contain Content-Security-Policy header, when csp.enabled is only set',
|
|
async () => {
|
|
const cspOption = {
|
|
enabled: true
|
|
}
|
|
|
|
const nuxt = await startCSPTestServer(cspOption)
|
|
const { headers } = await rp(url('/stateless'), {
|
|
resolveWithFullResponse: true
|
|
})
|
|
|
|
expect(headers['content-security-policy']).toMatch(/^script-src 'self' 'sha256-.*'$/)
|
|
|
|
await nuxt.close()
|
|
}
|
|
)
|
|
|
|
test(
|
|
'Contain Content-Security-Policy header, when csp.allowedSources set',
|
|
async () => {
|
|
const cspOption = {
|
|
enabled: true,
|
|
allowedSources: ['https://example.com', 'https://example.io']
|
|
}
|
|
|
|
const nuxt = await startCSPTestServer(cspOption)
|
|
const { headers } = await rp(url('/stateless'), {
|
|
resolveWithFullResponse: true
|
|
})
|
|
|
|
expect(headers['content-security-policy']).toMatch(/^script-src 'self' 'sha256-.*'/)
|
|
expect(headers['content-security-policy'].includes('https://example.com')).toBe(true)
|
|
expect(headers['content-security-policy'].includes('https://example.io')).toBe(true)
|
|
|
|
await nuxt.close()
|
|
}
|
|
)
|
|
|
|
test(
|
|
'Contain Content-Security-Policy header, when csp.policies set',
|
|
async () => {
|
|
const cspOption = {
|
|
enabled: true,
|
|
policies: {
|
|
'default-src': [`'none'`],
|
|
'script-src': ['https://example.com', 'https://example.io']
|
|
}
|
|
}
|
|
|
|
const nuxt = await startCSPTestServer(cspOption)
|
|
const { headers } = await rp(url('/stateless'), {
|
|
resolveWithFullResponse: true
|
|
})
|
|
|
|
expect(headers['content-security-policy']).toMatch(/default-src 'none'/)
|
|
expect(headers['content-security-policy']).toMatch(/script-src 'self' 'sha256-.*'/)
|
|
expect(headers['content-security-policy'].includes('https://example.com')).toBe(true)
|
|
expect(headers['content-security-policy'].includes('https://example.io')).toBe(true)
|
|
|
|
await nuxt.close()
|
|
}
|
|
)
|
|
|
|
test(
|
|
'Contain Content-Security-Policy header, when csp.policies.script-src is not set',
|
|
async () => {
|
|
const cspOption = {
|
|
enabled: true,
|
|
policies: {
|
|
'default-src': [`'none'`]
|
|
}
|
|
}
|
|
|
|
const nuxt = await startCSPTestServer(cspOption)
|
|
const { headers } = await rp(url('/stateless'), {
|
|
resolveWithFullResponse: true
|
|
})
|
|
|
|
expect(headers['content-security-policy']).toMatch(/default-src 'none'/)
|
|
expect(headers['content-security-policy']).toMatch(/script-src 'self' 'sha256-.*'/)
|
|
|
|
await nuxt.close()
|
|
}
|
|
)
|
|
})
|