
  1. <?php
  2. /**
  3. * Copyright (c) 2015 Lukas Reschke lukas@owncloud.com
  4. * This file is licensed under the Affero General Public License version 3 or
  5. * later.
  6. * See the COPYING-README file.
  7. */
  8. namespace Test\AppFramework\Http;
  9. use OCP\AppFramework\Http;
  10. use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
/**
 * Class EmptyContentSecurityPolicyTest
 *
 * Tests the header value built by EmptyContentSecurityPolicy::buildPolicy().
 *
 * @package OC\AppFramework\Http
 */
  16. class EmptyContentSecurityPolicyTest extends \Test\TestCase {
  17. /** @var EmptyContentSecurityPolicy */
  18. private $contentSecurityPolicy;
  19. public function setUp() {
  20. parent::setUp();
  21. $this->contentSecurityPolicy = new EmptyContentSecurityPolicy();
  22. }
  23. public function testGetPolicyDefault() {
  24. $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  25. $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
  26. }
  27. public function testGetPolicyScriptDomainValid() {
  28. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com";
  29. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  30. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  31. }
  32. public function testGetPolicyScriptDomainValidMultiple() {
  33. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com www.owncloud.org";
  34. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  35. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
  36. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  37. }
  38. public function testGetPolicyDisallowScriptDomain() {
  39. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  40. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  41. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
  42. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  43. }
  44. public function testGetPolicyDisallowScriptDomainMultiple() {
  45. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com";
  46. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  47. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
  48. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  49. }
  50. public function testGetPolicyDisallowScriptDomainMultipleStacked() {
  51. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  52. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  53. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
  54. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  55. }
  56. public function testGetPolicyScriptAllowInline() {
  57. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline'";
  58. $this->contentSecurityPolicy->allowInlineScript(true);
  59. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  60. }
  61. public function testGetPolicyScriptAllowInlineWithDomain() {
  62. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com 'unsafe-inline'";
  63. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  64. $this->contentSecurityPolicy->allowInlineScript(true);
  65. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  66. }
  67. public function testGetPolicyScriptAllowInlineAndEval() {
  68. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline' 'unsafe-eval'";
  69. $this->contentSecurityPolicy->allowInlineScript(true);
  70. $this->contentSecurityPolicy->allowEvalScript(true);
  71. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  72. }
  73. public function testGetPolicyStyleDomainValid() {
  74. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com";
  75. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  76. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  77. }
  78. public function testGetPolicyStyleDomainValidMultiple() {
  79. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com www.owncloud.org";
  80. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  81. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
  82. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  83. }
  84. public function testGetPolicyDisallowStyleDomain() {
  85. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  86. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  87. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
  88. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  89. }
  90. public function testGetPolicyDisallowStyleDomainMultiple() {
  91. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com";
  92. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  93. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
  94. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  95. }
  96. public function testGetPolicyDisallowStyleDomainMultipleStacked() {
  97. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  98. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  99. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
  100. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  101. }
  102. public function testGetPolicyStyleAllowInline() {
  103. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src 'unsafe-inline'";
  104. $this->contentSecurityPolicy->allowInlineStyle(true);
  105. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  106. }
  107. public function testGetPolicyStyleAllowInlineWithDomain() {
  108. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com 'unsafe-inline'";
  109. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  110. $this->contentSecurityPolicy->allowInlineStyle(true);
  111. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  112. }
  113. public function testGetPolicyStyleDisallowInline() {
  114. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  115. $this->contentSecurityPolicy->allowInlineStyle(false);
  116. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  117. }
  118. public function testGetPolicyImageDomainValid() {
  119. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com";
  120. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  121. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  122. }
  123. public function testGetPolicyImageDomainValidMultiple() {
  124. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com www.owncloud.org";
  125. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  126. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
  127. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  128. }
  129. public function testGetPolicyDisallowImageDomain() {
  130. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  131. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  132. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
  133. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  134. }
  135. public function testGetPolicyDisallowImageDomainMultiple() {
  136. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com";
  137. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  138. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
  139. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  140. }
  141. public function testGetPolicyDisallowImageDomainMultipleStakes() {
  142. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  143. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  144. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
  145. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  146. }
  147. public function testGetPolicyFontDomainValid() {
  148. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com";
  149. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  150. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  151. }
  152. public function testGetPolicyFontDomainValidMultiple() {
  153. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com www.owncloud.org";
  154. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  155. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
  156. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  157. }
  158. public function testGetPolicyDisallowFontDomain() {
  159. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  160. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  161. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
  162. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  163. }
  164. public function testGetPolicyDisallowFontDomainMultiple() {
  165. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com";
  166. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  167. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
  168. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  169. }
  170. public function testGetPolicyDisallowFontDomainMultipleStakes() {
  171. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  172. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  173. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
  174. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  175. }
  176. public function testGetPolicyConnectDomainValid() {
  177. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com";
  178. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  179. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  180. }
  181. public function testGetPolicyConnectDomainValidMultiple() {
  182. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com www.owncloud.org";
  183. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  184. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
  185. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  186. }
  187. public function testGetPolicyDisallowConnectDomain() {
  188. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  189. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  190. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
  191. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  192. }
  193. public function testGetPolicyDisallowConnectDomainMultiple() {
  194. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com";
  195. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  196. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
  197. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  198. }
  199. public function testGetPolicyDisallowConnectDomainMultipleStakes() {
  200. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  201. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  202. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
  203. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  204. }
  205. public function testGetPolicyMediaDomainValid() {
  206. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com";
  207. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  208. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  209. }
  210. public function testGetPolicyMediaDomainValidMultiple() {
  211. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com www.owncloud.org";
  212. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  213. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
  214. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  215. }
  216. public function testGetPolicyDisallowMediaDomain() {
  217. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  218. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  219. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
  220. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  221. }
  222. public function testGetPolicyDisallowMediaDomainMultiple() {
  223. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com";
  224. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  225. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
  226. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  227. }
  228. public function testGetPolicyDisallowMediaDomainMultipleStakes() {
  229. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  230. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  231. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
  232. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  233. }
  234. public function testGetPolicyObjectDomainValid() {
  235. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com";
  236. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  237. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  238. }
  239. public function testGetPolicyObjectDomainValidMultiple() {
  240. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com www.owncloud.org";
  241. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  242. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
  243. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  244. }
  245. public function testGetPolicyDisallowObjectDomain() {
  246. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  247. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  248. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
  249. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  250. }
  251. public function testGetPolicyDisallowObjectDomainMultiple() {
  252. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com";
  253. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  254. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
  255. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  256. }
  257. public function testGetPolicyDisallowObjectDomainMultipleStakes() {
  258. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  259. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  260. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
  261. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  262. }
  263. public function testGetAllowedFrameDomain() {
  264. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com";
  265. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  266. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  267. }
  268. public function testGetPolicyFrameDomainValidMultiple() {
  269. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com www.owncloud.org";
  270. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  271. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
  272. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  273. }
  274. public function testGetPolicyDisallowFrameDomain() {
  275. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  276. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  277. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
  278. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  279. }
  280. public function testGetPolicyDisallowFrameDomainMultiple() {
  281. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com";
  282. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  283. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
  284. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  285. }
  286. public function testGetPolicyDisallowFrameDomainMultipleStakes() {
  287. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  288. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  289. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
  290. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  291. }
  292. public function testGetAllowedChildSrcDomain() {
  293. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.owncloud.com";
  294. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
  295. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  296. }
  297. public function testGetPolicyChildSrcValidMultiple() {
  298. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.owncloud.com child.owncloud.org";
  299. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
  300. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
  301. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  302. }
  303. public function testGetPolicyDisallowChildSrcDomain() {
  304. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  305. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  306. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
  307. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  308. }
  309. public function testGetPolicyDisallowChildSrcDomainMultiple() {
  310. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src www.owncloud.com";
  311. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  312. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
  313. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  314. }
  315. public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
  316. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
  317. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  318. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
  319. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  320. }
  321. public function testGetPolicyWithJsNonceAndScriptDomains() {
  322. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TXlKc05vbmNl' www.nextcloud.com www.nextcloud.org";
  323. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
  324. $this->contentSecurityPolicy->useJsNonce('MyJsNonce');
  325. $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.org');
  326. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  327. }
  328. public function testGetPolicyWithJsNonceAndSelfScriptDomain() {
  329. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TXlKc05vbmNl'";
  330. $this->contentSecurityPolicy->useJsNonce('MyJsNonce');
  331. $this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
  332. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  333. }
  334. public function testGetPolicyWithoutJsNonceAndSelfScriptDomain() {
  335. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self'";
  336. $this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
  337. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  338. }
  339. public function testGetPolicyWithReportUri() {
  340. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com";
  341. $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
  342. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  343. }
  344. public function testGetPolicyWithMultipleReportUri() {
  345. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com https://my-other-report-uri.com";
  346. $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
  347. $this->contentSecurityPolicy->addReportTo("https://my-other-report-uri.com");
  348. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  349. }
  350. }