EmptyContentSecurityPolicyTest.php 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace Test\AppFramework\Http;
  8. use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
  9. /**
  10. * Class ContentSecurityPolicyTest
  11. *
  12. * @package OC\AppFramework\Http
  13. */
  14. class EmptyContentSecurityPolicyTest extends \Test\TestCase {
  15. /** @var EmptyContentSecurityPolicy */
  16. private $contentSecurityPolicy;
  17. protected function setUp(): void {
  18. parent::setUp();
  19. $this->contentSecurityPolicy = new EmptyContentSecurityPolicy();
  20. }
  21. public function testGetPolicyDefault() {
  22. $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  23. $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
  24. }
  25. public function testGetPolicyScriptDomainValid() {
  26. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.nextcloud.com;frame-ancestors 'none'";
  27. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  28. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  29. }
  30. public function testGetPolicyScriptDomainValidMultiple() {
  31. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  32. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  33. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.org');
  34. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  35. }
  36. public function testGetPolicyDisallowScriptDomain() {
  37. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  38. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  39. $this->contentSecurityPolicy->disallowScriptDomain('www.nextcloud.com');
  40. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  41. }
  42. public function testGetPolicyDisallowScriptDomainMultiple() {
  43. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.nextcloud.com;frame-ancestors 'none'";
  44. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  45. $this->contentSecurityPolicy->disallowScriptDomain('www.nextcloud.org');
  46. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  47. }
  48. public function testGetPolicyDisallowScriptDomainMultipleStacked() {
  49. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  50. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  51. $this->contentSecurityPolicy->disallowScriptDomain('www.nextcloud.org')->disallowScriptDomain('www.nextcloud.com');
  52. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  53. }
  54. public function testGetPolicyScriptAllowEval() {
  55. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-eval';frame-ancestors 'none'";
  56. $this->contentSecurityPolicy->allowEvalScript(true);
  57. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  58. }
  59. public function testGetPolicyScriptAllowWasmEval() {
  60. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'wasm-unsafe-eval';frame-ancestors 'none'";
  61. $this->contentSecurityPolicy->allowEvalWasm(true);
  62. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  63. }
  64. public function testGetPolicyStyleDomainValid() {
  65. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.nextcloud.com;frame-ancestors 'none'";
  66. $this->contentSecurityPolicy->addAllowedStyleDomain('www.nextcloud.com');
  67. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  68. }
  69. public function testGetPolicyStyleDomainValidMultiple() {
  70. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  71. $this->contentSecurityPolicy->addAllowedStyleDomain('www.nextcloud.com');
  72. $this->contentSecurityPolicy->addAllowedStyleDomain('www.nextcloud.org');
  73. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  74. }
  75. public function testGetPolicyDisallowStyleDomain() {
  76. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  77. $this->contentSecurityPolicy->addAllowedStyleDomain('www.nextcloud.com');
  78. $this->contentSecurityPolicy->disallowStyleDomain('www.nextcloud.com');
  79. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  80. }
  81. public function testGetPolicyDisallowStyleDomainMultiple() {
  82. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.nextcloud.com;frame-ancestors 'none'";
  83. $this->contentSecurityPolicy->addAllowedStyleDomain('www.nextcloud.com');
  84. $this->contentSecurityPolicy->disallowStyleDomain('www.nextcloud.org');
  85. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  86. }
  87. public function testGetPolicyDisallowStyleDomainMultipleStacked() {
  88. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  89. $this->contentSecurityPolicy->addAllowedStyleDomain('www.nextcloud.com');
  90. $this->contentSecurityPolicy->disallowStyleDomain('www.nextcloud.org')->disallowStyleDomain('www.nextcloud.com');
  91. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  92. }
  93. public function testGetPolicyStyleAllowInline() {
  94. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src 'unsafe-inline';frame-ancestors 'none'";
  95. $this->contentSecurityPolicy->allowInlineStyle(true);
  96. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  97. }
  98. public function testGetPolicyStyleAllowInlineWithDomain() {
  99. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.nextcloud.com 'unsafe-inline';frame-ancestors 'none'";
  100. $this->contentSecurityPolicy->addAllowedStyleDomain('www.nextcloud.com');
  101. $this->contentSecurityPolicy->allowInlineStyle(true);
  102. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  103. }
  104. public function testGetPolicyStyleDisallowInline() {
  105. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  106. $this->contentSecurityPolicy->allowInlineStyle(false);
  107. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  108. }
  109. public function testGetPolicyImageDomainValid() {
  110. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.nextcloud.com;frame-ancestors 'none'";
  111. $this->contentSecurityPolicy->addAllowedImageDomain('www.nextcloud.com');
  112. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  113. }
  114. public function testGetPolicyImageDomainValidMultiple() {
  115. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  116. $this->contentSecurityPolicy->addAllowedImageDomain('www.nextcloud.com');
  117. $this->contentSecurityPolicy->addAllowedImageDomain('www.nextcloud.org');
  118. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  119. }
  120. public function testGetPolicyDisallowImageDomain() {
  121. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  122. $this->contentSecurityPolicy->addAllowedImageDomain('www.nextcloud.com');
  123. $this->contentSecurityPolicy->disallowImageDomain('www.nextcloud.com');
  124. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  125. }
  126. public function testGetPolicyDisallowImageDomainMultiple() {
  127. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.nextcloud.com;frame-ancestors 'none'";
  128. $this->contentSecurityPolicy->addAllowedImageDomain('www.nextcloud.com');
  129. $this->contentSecurityPolicy->disallowImageDomain('www.nextcloud.org');
  130. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  131. }
  132. public function testGetPolicyDisallowImageDomainMultipleStakes() {
  133. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  134. $this->contentSecurityPolicy->addAllowedImageDomain('www.nextcloud.com');
  135. $this->contentSecurityPolicy->disallowImageDomain('www.nextcloud.org')->disallowImageDomain('www.nextcloud.com');
  136. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  137. }
  138. public function testGetPolicyFontDomainValid() {
  139. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.nextcloud.com;frame-ancestors 'none'";
  140. $this->contentSecurityPolicy->addAllowedFontDomain('www.nextcloud.com');
  141. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  142. }
  143. public function testGetPolicyFontDomainValidMultiple() {
  144. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  145. $this->contentSecurityPolicy->addAllowedFontDomain('www.nextcloud.com');
  146. $this->contentSecurityPolicy->addAllowedFontDomain('www.nextcloud.org');
  147. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  148. }
  149. public function testGetPolicyDisallowFontDomain() {
  150. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  151. $this->contentSecurityPolicy->addAllowedFontDomain('www.nextcloud.com');
  152. $this->contentSecurityPolicy->disallowFontDomain('www.nextcloud.com');
  153. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  154. }
  155. public function testGetPolicyDisallowFontDomainMultiple() {
  156. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.nextcloud.com;frame-ancestors 'none'";
  157. $this->contentSecurityPolicy->addAllowedFontDomain('www.nextcloud.com');
  158. $this->contentSecurityPolicy->disallowFontDomain('www.nextcloud.org');
  159. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  160. }
  161. public function testGetPolicyDisallowFontDomainMultipleStakes() {
  162. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  163. $this->contentSecurityPolicy->addAllowedFontDomain('www.nextcloud.com');
  164. $this->contentSecurityPolicy->disallowFontDomain('www.nextcloud.org')->disallowFontDomain('www.nextcloud.com');
  165. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  166. }
  167. public function testGetPolicyConnectDomainValid() {
  168. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.nextcloud.com;frame-ancestors 'none'";
  169. $this->contentSecurityPolicy->addAllowedConnectDomain('www.nextcloud.com');
  170. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  171. }
  172. public function testGetPolicyConnectDomainValidMultiple() {
  173. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  174. $this->contentSecurityPolicy->addAllowedConnectDomain('www.nextcloud.com');
  175. $this->contentSecurityPolicy->addAllowedConnectDomain('www.nextcloud.org');
  176. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  177. }
  178. public function testGetPolicyDisallowConnectDomain() {
  179. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  180. $this->contentSecurityPolicy->addAllowedConnectDomain('www.nextcloud.com');
  181. $this->contentSecurityPolicy->disallowConnectDomain('www.nextcloud.com');
  182. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  183. }
  184. public function testGetPolicyDisallowConnectDomainMultiple() {
  185. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.nextcloud.com;frame-ancestors 'none'";
  186. $this->contentSecurityPolicy->addAllowedConnectDomain('www.nextcloud.com');
  187. $this->contentSecurityPolicy->disallowConnectDomain('www.nextcloud.org');
  188. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  189. }
  190. public function testGetPolicyDisallowConnectDomainMultipleStakes() {
  191. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  192. $this->contentSecurityPolicy->addAllowedConnectDomain('www.nextcloud.com');
  193. $this->contentSecurityPolicy->disallowConnectDomain('www.nextcloud.org')->disallowConnectDomain('www.nextcloud.com');
  194. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  195. }
  196. public function testGetPolicyMediaDomainValid() {
  197. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.nextcloud.com;frame-ancestors 'none'";
  198. $this->contentSecurityPolicy->addAllowedMediaDomain('www.nextcloud.com');
  199. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  200. }
  201. public function testGetPolicyMediaDomainValidMultiple() {
  202. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  203. $this->contentSecurityPolicy->addAllowedMediaDomain('www.nextcloud.com');
  204. $this->contentSecurityPolicy->addAllowedMediaDomain('www.nextcloud.org');
  205. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  206. }
  207. public function testGetPolicyDisallowMediaDomain() {
  208. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  209. $this->contentSecurityPolicy->addAllowedMediaDomain('www.nextcloud.com');
  210. $this->contentSecurityPolicy->disallowMediaDomain('www.nextcloud.com');
  211. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  212. }
  213. public function testGetPolicyDisallowMediaDomainMultiple() {
  214. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.nextcloud.com;frame-ancestors 'none'";
  215. $this->contentSecurityPolicy->addAllowedMediaDomain('www.nextcloud.com');
  216. $this->contentSecurityPolicy->disallowMediaDomain('www.nextcloud.org');
  217. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  218. }
  219. public function testGetPolicyDisallowMediaDomainMultipleStakes() {
  220. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  221. $this->contentSecurityPolicy->addAllowedMediaDomain('www.nextcloud.com');
  222. $this->contentSecurityPolicy->disallowMediaDomain('www.nextcloud.org')->disallowMediaDomain('www.nextcloud.com');
  223. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  224. }
  225. public function testGetPolicyObjectDomainValid() {
  226. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.nextcloud.com;frame-ancestors 'none'";
  227. $this->contentSecurityPolicy->addAllowedObjectDomain('www.nextcloud.com');
  228. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  229. }
  230. public function testGetPolicyObjectDomainValidMultiple() {
  231. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  232. $this->contentSecurityPolicy->addAllowedObjectDomain('www.nextcloud.com');
  233. $this->contentSecurityPolicy->addAllowedObjectDomain('www.nextcloud.org');
  234. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  235. }
  236. public function testGetPolicyDisallowObjectDomain() {
  237. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  238. $this->contentSecurityPolicy->addAllowedObjectDomain('www.nextcloud.com');
  239. $this->contentSecurityPolicy->disallowObjectDomain('www.nextcloud.com');
  240. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  241. }
  242. public function testGetPolicyDisallowObjectDomainMultiple() {
  243. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.nextcloud.com;frame-ancestors 'none'";
  244. $this->contentSecurityPolicy->addAllowedObjectDomain('www.nextcloud.com');
  245. $this->contentSecurityPolicy->disallowObjectDomain('www.nextcloud.org');
  246. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  247. }
  248. public function testGetPolicyDisallowObjectDomainMultipleStakes() {
  249. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  250. $this->contentSecurityPolicy->addAllowedObjectDomain('www.nextcloud.com');
  251. $this->contentSecurityPolicy->disallowObjectDomain('www.nextcloud.org')->disallowObjectDomain('www.nextcloud.com');
  252. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  253. }
  254. public function testGetAllowedFrameDomain() {
  255. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.nextcloud.com;frame-ancestors 'none'";
  256. $this->contentSecurityPolicy->addAllowedFrameDomain('www.nextcloud.com');
  257. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  258. }
  259. public function testGetPolicyFrameDomainValidMultiple() {
  260. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  261. $this->contentSecurityPolicy->addAllowedFrameDomain('www.nextcloud.com');
  262. $this->contentSecurityPolicy->addAllowedFrameDomain('www.nextcloud.org');
  263. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  264. }
  265. public function testGetPolicyDisallowFrameDomain() {
  266. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  267. $this->contentSecurityPolicy->addAllowedFrameDomain('www.nextcloud.com');
  268. $this->contentSecurityPolicy->disallowFrameDomain('www.nextcloud.com');
  269. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  270. }
  271. public function testGetPolicyDisallowFrameDomainMultiple() {
  272. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.nextcloud.com;frame-ancestors 'none'";
  273. $this->contentSecurityPolicy->addAllowedFrameDomain('www.nextcloud.com');
  274. $this->contentSecurityPolicy->disallowFrameDomain('www.nextcloud.org');
  275. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  276. }
  277. public function testGetPolicyDisallowFrameDomainMultipleStakes() {
  278. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  279. $this->contentSecurityPolicy->addAllowedFrameDomain('www.nextcloud.com');
  280. $this->contentSecurityPolicy->disallowFrameDomain('www.nextcloud.org')->disallowFrameDomain('www.nextcloud.com');
  281. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  282. }
  283. public function testGetAllowedChildSrcDomain() {
  284. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.nextcloud.com;frame-ancestors 'none'";
  285. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.nextcloud.com');
  286. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  287. }
  288. public function testGetPolicyChildSrcValidMultiple() {
  289. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.nextcloud.com child.nextcloud.org;frame-ancestors 'none'";
  290. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.nextcloud.com');
  291. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.nextcloud.org');
  292. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  293. }
  294. public function testGetPolicyDisallowChildSrcDomain() {
  295. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  296. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.nextcloud.com');
  297. $this->contentSecurityPolicy->disallowChildSrcDomain('www.nextcloud.com');
  298. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  299. }
  300. public function testGetPolicyDisallowChildSrcDomainMultiple() {
  301. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src www.nextcloud.com;frame-ancestors 'none'";
  302. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.nextcloud.com');
  303. $this->contentSecurityPolicy->disallowChildSrcDomain('www.nextcloud.org');
  304. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  305. }
  306. public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
  307. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  308. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.nextcloud.com');
  309. $this->contentSecurityPolicy->disallowChildSrcDomain('www.nextcloud.org')->disallowChildSrcDomain('www.nextcloud.com');
  310. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  311. }
  312. public function testGetPolicyWithJsNonceAndScriptDomains() {
  313. $nonce = base64_encode('MyJsNonce');
  314. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-$nonce' www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
  315. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  316. $this->contentSecurityPolicy->useJsNonce($nonce);
  317. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.org');
  318. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  319. }
  320. public function testGetPolicyWithJsNonceAndStrictDynamic() {
  321. $nonce = base64_encode('MyJsNonce');
  322. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'strict-dynamic' 'nonce-$nonce' www.nextcloud.com;frame-ancestors 'none'";
  323. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  324. $this->contentSecurityPolicy->useStrictDynamic(true);
  325. $this->contentSecurityPolicy->useJsNonce($nonce);
  326. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  327. }
  328. public function testGetPolicyWithJsNonceAndStrictDynamicAndStrictDynamicOnScripts() {
  329. $nonce = base64_encode('MyJsNonce');
  330. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'strict-dynamic' 'nonce-$nonce' www.nextcloud.com;frame-ancestors 'none'";
  331. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  332. $this->contentSecurityPolicy->useStrictDynamic(true);
  333. $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
  334. $this->contentSecurityPolicy->useJsNonce($nonce);
  335. // Should be same as `testGetPolicyWithJsNonceAndStrictDynamic` because of fallback
  336. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  337. }
  338. public function testGetPolicyWithJsNonceAndStrictDynamicOnScripts() {
  339. $nonce = base64_encode('MyJsNonce');
  340. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-$nonce' www.nextcloud.com;script-src-elem 'strict-dynamic' 'nonce-$nonce' www.nextcloud.com;frame-ancestors 'none'";
  341. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  342. $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
  343. $this->contentSecurityPolicy->useJsNonce($nonce);
  344. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  345. }
  346. public function testGetPolicyWithStrictDynamicOnScripts() {
  347. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
  348. $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
  349. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  350. }
  351. public function testGetPolicyWithJsNonceAndSelfScriptDomain() {
  352. $nonce = base64_encode('MyJsNonce');
  353. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-$nonce';frame-ancestors 'none'";
  354. $this->contentSecurityPolicy->useJsNonce($nonce);
  355. $this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
  356. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  357. }
  358. public function testGetPolicyWithoutJsNonceAndSelfScriptDomain() {
  359. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';frame-ancestors 'none'";
  360. $this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
  361. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  362. }
  363. public function testGetPolicyWithReportUri() {
  364. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none';report-uri https://my-report-uri.com";
  365. $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
  366. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  367. }
  368. public function testGetPolicyWithMultipleReportUri() {
  369. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none';report-uri https://my-report-uri.com https://my-other-report-uri.com";
  370. $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
  371. $this->contentSecurityPolicy->addReportTo("https://my-other-report-uri.com");
  372. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  373. }
  374. }