ContentSecurityPolicyTest.php 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477
  1. <?php
  2. /**
  3. * Copyright (c) 2015 Lukas Reschke lukas@owncloud.com
  4. * This file is licensed under the Affero General Public License version 3 or
  5. * later.
  6. * See the COPYING-README file.
  7. */
  8. namespace Test\AppFramework\Http;
  9. use OCP\AppFramework\Http;
  10. use OCP\AppFramework\Http\ContentSecurityPolicy;
  11. /**
  12. * Class ContentSecurityPolicyTest
  13. *
  14. * @package OC\AppFramework\Http
  15. */
  16. class ContentSecurityPolicyTest extends \Test\TestCase {
  17. /** @var ContentSecurityPolicy */
  18. private $contentSecurityPolicy;
  19. public function setUp() {
  20. parent::setUp();
  21. $this->contentSecurityPolicy = new ContentSecurityPolicy();
  22. }
  23. public function testGetPolicyDefault() {
  24. $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  25. $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
  26. }
  27. public function testGetPolicyScriptDomainValid() {
  28. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  29. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  30. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  31. }
  32. public function testGetPolicyScriptDomainValidMultiple() {
  33. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com www.owncloud.org;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  34. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  35. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
  36. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  37. }
  38. public function testGetPolicyDisallowScriptDomain() {
  39. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  40. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  41. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
  42. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  43. }
  44. public function testGetPolicyDisallowScriptDomainMultiple() {
  45. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  46. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  47. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
  48. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  49. }
  50. public function testGetPolicyDisallowScriptDomainMultipleStacked() {
  51. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  52. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  53. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
  54. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  55. }
  56. public function testGetPolicyScriptAllowInline() {
  57. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  58. $this->contentSecurityPolicy->allowInlineScript(true);
  59. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  60. }
  61. public function testGetPolicyScriptAllowInlineWithDomain() {
  62. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  63. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  64. $this->contentSecurityPolicy->allowInlineScript(true);
  65. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  66. }
  67. public function testGetPolicyScriptDisallowInlineAndEval() {
  68. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  69. $this->contentSecurityPolicy->allowInlineScript(false);
  70. $this->contentSecurityPolicy->allowEvalScript(false);
  71. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  72. }
  73. public function testGetPolicyStyleDomainValid() {
  74. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  75. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  76. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  77. }
  78. public function testGetPolicyStyleDomainValidMultiple() {
  79. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com www.owncloud.org 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  80. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  81. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
  82. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  83. }
  84. public function testGetPolicyDisallowStyleDomain() {
  85. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  86. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  87. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
  88. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  89. }
  90. public function testGetPolicyDisallowStyleDomainMultiple() {
  91. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  92. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  93. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
  94. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  95. }
  96. public function testGetPolicyDisallowStyleDomainMultipleStacked() {
  97. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  98. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  99. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
  100. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  101. }
  102. public function testGetPolicyStyleAllowInline() {
  103. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  104. $this->contentSecurityPolicy->allowInlineStyle(true);
  105. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  106. }
  107. public function testGetPolicyStyleAllowInlineWithDomain() {
  108. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  109. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  110. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  111. }
  112. public function testGetPolicyStyleDisallowInline() {
  113. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  114. $this->contentSecurityPolicy->allowInlineStyle(false);
  115. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  116. }
  117. public function testGetPolicyImageDomainValid() {
  118. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  119. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  120. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  121. }
  122. public function testGetPolicyImageDomainValidMultiple() {
  123. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com www.owncloud.org;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  124. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  125. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
  126. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  127. }
  128. public function testGetPolicyDisallowImageDomain() {
  129. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  130. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  131. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
  132. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  133. }
  134. public function testGetPolicyDisallowImageDomainMultiple() {
  135. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  136. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  137. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
  138. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  139. }
  140. public function testGetPolicyDisallowImageDomainMultipleStakes() {
  141. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  142. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  143. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
  144. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  145. }
  146. public function testGetPolicyFontDomainValid() {
  147. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  148. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  149. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  150. }
  151. public function testGetPolicyFontDomainValidMultiple() {
  152. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  153. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  154. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
  155. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  156. }
  157. public function testGetPolicyDisallowFontDomain() {
  158. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  159. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  160. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
  161. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  162. }
  163. public function testGetPolicyDisallowFontDomainMultiple() {
  164. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  165. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  166. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
  167. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  168. }
  169. public function testGetPolicyDisallowFontDomainMultipleStakes() {
  170. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  171. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  172. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
  173. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  174. }
  175. public function testGetPolicyConnectDomainValid() {
  176. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self'";
  177. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  178. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  179. }
  180. public function testGetPolicyConnectDomainValidMultiple() {
  181. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com www.owncloud.org;media-src 'self';frame-ancestors 'self'";
  182. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  183. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
  184. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  185. }
  186. public function testGetPolicyDisallowConnectDomain() {
  187. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  188. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  189. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
  190. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  191. }
  192. public function testGetPolicyDisallowConnectDomainMultiple() {
  193. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self'";
  194. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  195. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
  196. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  197. }
  198. public function testGetPolicyDisallowConnectDomainMultipleStakes() {
  199. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  200. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  201. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
  202. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  203. }
  204. public function testGetPolicyMediaDomainValid() {
  205. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self'";
  206. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  207. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  208. }
  209. public function testGetPolicyMediaDomainValidMultiple() {
  210. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com www.owncloud.org;frame-ancestors 'self'";
  211. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  212. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
  213. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  214. }
  215. public function testGetPolicyDisallowMediaDomain() {
  216. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  217. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  218. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
  219. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  220. }
  221. public function testGetPolicyDisallowMediaDomainMultiple() {
  222. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self'";
  223. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  224. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
  225. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  226. }
  227. public function testGetPolicyDisallowMediaDomainMultipleStakes() {
  228. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  229. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  230. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
  231. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  232. }
  233. public function testGetPolicyObjectDomainValid() {
  234. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self'";
  235. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  236. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  237. }
  238. public function testGetPolicyObjectDomainValidMultiple() {
  239. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org;frame-ancestors 'self'";
  240. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  241. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
  242. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  243. }
  244. public function testGetPolicyDisallowObjectDomain() {
  245. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  246. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  247. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
  248. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  249. }
  250. public function testGetPolicyDisallowObjectDomainMultiple() {
  251. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self'";
  252. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  253. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
  254. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  255. }
  256. public function testGetPolicyDisallowObjectDomainMultipleStakes() {
  257. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  258. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  259. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
  260. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  261. }
  262. public function testGetAllowedFrameDomain() {
  263. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self'";
  264. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  265. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  266. }
  267. public function testGetPolicyFrameDomainValidMultiple() {
  268. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com www.owncloud.org;frame-ancestors 'self'";
  269. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  270. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
  271. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  272. }
  273. public function testGetPolicyDisallowFrameDomain() {
  274. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  275. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  276. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
  277. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  278. }
  279. public function testGetPolicyDisallowFrameDomainMultiple() {
  280. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self'";
  281. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  282. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
  283. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  284. }
  285. public function testGetPolicyDisallowFrameDomainMultipleStakes() {
  286. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  287. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  288. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
  289. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  290. }
  291. public function testGetAllowedChildSrcDomain() {
  292. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com;frame-ancestors 'self'";
  293. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
  294. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  295. }
  296. public function testGetPolicyChildSrcValidMultiple() {
  297. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org;frame-ancestors 'self'";
  298. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
  299. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
  300. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  301. }
  302. public function testGetPolicyDisallowChildSrcDomain() {
  303. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  304. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  305. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
  306. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  307. }
  308. public function testGetPolicyDisallowChildSrcDomainMultiple() {
  309. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src www.owncloud.com;frame-ancestors 'self'";
  310. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  311. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
  312. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  313. }
  314. public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
  315. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  316. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  317. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
  318. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  319. }
  320. public function testGetAllowedFrameAncestorDomain() {
  321. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com";
  322. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
  323. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  324. }
  325. public function testGetPolicyFrameAncestorValidMultiple() {
  326. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com foo.nextcloud.com";
  327. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
  328. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('foo.nextcloud.com');
  329. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  330. }
  331. public function testGetPolicyDisallowFrameAncestorDomain() {
  332. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  333. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
  334. $this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.com');
  335. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  336. }
  337. public function testGetPolicyDisallowFrameAncestorDomainMultiple() {
  338. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' www.nextcloud.com";
  339. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
  340. $this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.org');
  341. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  342. }
  343. public function testGetPolicyDisallowFrameAncestorDomainMultipleStakes() {
  344. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  345. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  346. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
  347. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  348. }
  349. public function testGetPolicyUnsafeEval() {
  350. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
  351. $this->contentSecurityPolicy->allowEvalScript(true);
  352. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  353. }
  354. }