ContentSecurityPolicyTest.php 34 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516
  1. <?php
  2. /**
  3. * Copyright (c) 2015 Lukas Reschke lukas@owncloud.com
  4. * This file is licensed under the Affero General Public License version 3 or
  5. * later.
  6. * See the COPYING-README file.
  7. */
  8. namespace Test\AppFramework\Http;
  9. use OCP\AppFramework\Http\ContentSecurityPolicy;
  10. /**
  11. * Class ContentSecurityPolicyTest
  12. *
  13. * @package OC\AppFramework\Http
  14. */
  15. class ContentSecurityPolicyTest extends \Test\TestCase {
  16. /** @var ContentSecurityPolicy */
  17. private $contentSecurityPolicy;
  18. protected function setUp(): void {
  19. parent::setUp();
  20. $this->contentSecurityPolicy = new ContentSecurityPolicy();
  21. }
  22. public function testGetPolicyDefault() {
  23. $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  24. $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
  25. }
  26. public function testGetPolicyScriptDomainValid() {
  27. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  28. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  29. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  30. }
  31. public function testGetPolicyScriptDomainValidMultiple() {
  32. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com www.owncloud.org;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  33. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  34. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
  35. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  36. }
  37. public function testGetPolicyDisallowScriptDomain() {
  38. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  39. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  40. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
  41. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  42. }
  43. public function testGetPolicyDisallowScriptDomainMultiple() {
  44. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  45. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  46. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
  47. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  48. }
  49. public function testGetPolicyDisallowScriptDomainMultipleStacked() {
  50. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  51. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  52. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
  53. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  54. }
  55. public function testGetPolicyScriptDisallowEval() {
  56. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  57. $this->contentSecurityPolicy->allowEvalScript(false);
  58. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  59. }
  60. public function testGetPolicyStyleDomainValid() {
  61. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  62. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  63. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  64. }
  65. public function testGetPolicyStyleDomainValidMultiple() {
  66. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com www.owncloud.org 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  67. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  68. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
  69. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  70. }
  71. public function testGetPolicyDisallowStyleDomain() {
  72. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  73. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  74. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
  75. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  76. }
  77. public function testGetPolicyDisallowStyleDomainMultiple() {
  78. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  79. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  80. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
  81. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  82. }
  83. public function testGetPolicyDisallowStyleDomainMultipleStacked() {
  84. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  85. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  86. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
  87. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  88. }
  89. public function testGetPolicyStyleAllowInline() {
  90. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  91. $this->contentSecurityPolicy->allowInlineStyle(true);
  92. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  93. }
  94. public function testGetPolicyStyleAllowInlineWithDomain() {
  95. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  96. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  97. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  98. }
  99. public function testGetPolicyStyleDisallowInline() {
  100. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  101. $this->contentSecurityPolicy->allowInlineStyle(false);
  102. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  103. }
  104. public function testGetPolicyImageDomainValid() {
  105. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  106. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  107. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  108. }
  109. public function testGetPolicyImageDomainValidMultiple() {
  110. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com www.owncloud.org;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  111. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  112. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
  113. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  114. }
  115. public function testGetPolicyDisallowImageDomain() {
  116. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  117. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  118. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
  119. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  120. }
  121. public function testGetPolicyDisallowImageDomainMultiple() {
  122. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  123. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  124. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
  125. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  126. }
  127. public function testGetPolicyDisallowImageDomainMultipleStakes() {
  128. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  129. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  130. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
  131. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  132. }
  133. public function testGetPolicyFontDomainValid() {
  134. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  135. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  136. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  137. }
  138. public function testGetPolicyFontDomainValidMultiple() {
  139. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  140. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  141. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
  142. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  143. }
  144. public function testGetPolicyDisallowFontDomain() {
  145. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  146. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  147. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
  148. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  149. }
  150. public function testGetPolicyDisallowFontDomainMultiple() {
  151. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  152. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  153. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
  154. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  155. }
  156. public function testGetPolicyDisallowFontDomainMultipleStakes() {
  157. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  158. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  159. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
  160. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  161. }
  162. public function testGetPolicyConnectDomainValid() {
  163. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self';form-action 'self'";
  164. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  165. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  166. }
  167. public function testGetPolicyConnectDomainValidMultiple() {
  168. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com www.owncloud.org;media-src 'self';frame-ancestors 'self';form-action 'self'";
  169. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  170. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
  171. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  172. }
  173. public function testGetPolicyDisallowConnectDomain() {
  174. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  175. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  176. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
  177. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  178. }
  179. public function testGetPolicyDisallowConnectDomainMultiple() {
  180. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self';form-action 'self'";
  181. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  182. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
  183. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  184. }
  185. public function testGetPolicyDisallowConnectDomainMultipleStakes() {
  186. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  187. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  188. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
  189. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  190. }
  191. public function testGetPolicyMediaDomainValid() {
  192. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  193. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  194. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  195. }
  196. public function testGetPolicyMediaDomainValidMultiple() {
  197. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
  198. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  199. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
  200. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  201. }
  202. public function testGetPolicyDisallowMediaDomain() {
  203. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  204. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  205. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
  206. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  207. }
  208. public function testGetPolicyDisallowMediaDomainMultiple() {
  209. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  210. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  211. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
  212. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  213. }
  214. public function testGetPolicyDisallowMediaDomainMultipleStakes() {
  215. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  216. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  217. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
  218. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  219. }
  220. public function testGetPolicyObjectDomainValid() {
  221. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  222. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  223. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  224. }
  225. public function testGetPolicyObjectDomainValidMultiple() {
  226. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
  227. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  228. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
  229. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  230. }
  231. public function testGetPolicyDisallowObjectDomain() {
  232. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  233. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  234. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
  235. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  236. }
  237. public function testGetPolicyDisallowObjectDomainMultiple() {
  238. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  239. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  240. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
  241. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  242. }
  243. public function testGetPolicyDisallowObjectDomainMultipleStakes() {
  244. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  245. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  246. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
  247. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  248. }
  249. public function testGetAllowedFrameDomain() {
  250. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  251. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  252. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  253. }
  254. public function testGetPolicyFrameDomainValidMultiple() {
  255. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
  256. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  257. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
  258. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  259. }
  260. public function testGetPolicyDisallowFrameDomain() {
  261. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  262. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  263. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
  264. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  265. }
  266. public function testGetPolicyDisallowFrameDomainMultiple() {
  267. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  268. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  269. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
  270. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  271. }
  272. public function testGetPolicyDisallowFrameDomainMultipleStakes() {
  273. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  274. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  275. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
  276. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  277. }
  278. public function testGetAllowedChildSrcDomain() {
  279. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com;frame-ancestors 'self';form-action 'self'";
  280. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
  281. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  282. }
  283. public function testGetPolicyChildSrcValidMultiple() {
  284. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org;frame-ancestors 'self';form-action 'self'";
  285. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
  286. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
  287. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  288. }
  289. public function testGetPolicyDisallowChildSrcDomain() {
  290. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  291. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  292. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
  293. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  294. }
  295. public function testGetPolicyDisallowChildSrcDomainMultiple() {
  296. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  297. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  298. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
  299. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  300. }
  301. public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
  302. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  303. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  304. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
  305. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  306. }
  307. public function testGetAllowedFrameAncestorDomain() {
  308. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com;form-action 'self'";
  309. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
  310. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  311. }
  312. public function testGetPolicyFrameAncestorValidMultiple() {
  313. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com foo.nextcloud.com;form-action 'self'";
  314. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
  315. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('foo.nextcloud.com');
  316. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  317. }
  318. public function testGetPolicyDisallowFrameAncestorDomain() {
  319. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  320. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
  321. $this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.com');
  322. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  323. }
  324. public function testGetPolicyDisallowFrameAncestorDomainMultiple() {
  325. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' www.nextcloud.com;form-action 'self'";
  326. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
  327. $this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.org');
  328. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  329. }
  330. public function testGetPolicyDisallowFrameAncestorDomainMultipleStakes() {
  331. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  332. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  333. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
  334. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  335. }
  336. public function testGetPolicyUnsafeEval() {
  337. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  338. $this->contentSecurityPolicy->allowEvalScript(true);
  339. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  340. }
  341. public function testGetPolicyUnsafeWasmEval() {
  342. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  343. $this->contentSecurityPolicy->allowEvalWasm(true);
  344. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  345. }
  346. public function testGetPolicyNonce() {
  347. $nonce = 'my-nonce';
  348. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  349. $this->contentSecurityPolicy->useJsNonce($nonce);
  350. $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
  351. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  352. }
  353. public function testGetPolicyNonceDefault() {
  354. $nonce = 'my-nonce';
  355. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';script-src-elem 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  356. $this->contentSecurityPolicy->useJsNonce($nonce);
  357. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  358. }
  359. public function testGetPolicyNonceStrictDynamic() {
  360. $nonce = 'my-nonce';
  361. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  362. $this->contentSecurityPolicy->useJsNonce($nonce);
  363. $this->contentSecurityPolicy->useStrictDynamic(true);
  364. $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
  365. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  366. }
  367. public function testGetPolicyNonceStrictDynamicDefault() {
  368. $nonce = 'my-nonce';
  369. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  370. $this->contentSecurityPolicy->useJsNonce($nonce);
  371. $this->contentSecurityPolicy->useStrictDynamic(true);
  372. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  373. }
  374. public function testGetPolicyStrictDynamicOnScriptsOff() {
  375. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  376. $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
  377. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  378. }
  379. public function testGetPolicyStrictDynamicAndStrictDynamicOnScripts() {
  380. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  381. $this->contentSecurityPolicy->useStrictDynamic(true);
  382. $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
  383. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  384. }
  385. }