ContentSecurityPolicyTest.php 34 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace Test\AppFramework\Http;
  8. use OCP\AppFramework\Http\ContentSecurityPolicy;
  9. /**
  10. * Class ContentSecurityPolicyTest
  11. *
  12. * @package OC\AppFramework\Http
  13. */
  14. class ContentSecurityPolicyTest extends \Test\TestCase {
  15. /** @var ContentSecurityPolicy */
  16. private $contentSecurityPolicy;
  17. protected function setUp(): void {
  18. parent::setUp();
  19. $this->contentSecurityPolicy = new ContentSecurityPolicy();
  20. }
  21. public function testGetPolicyDefault() {
  22. $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  23. $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
  24. }
  25. public function testGetPolicyScriptDomainValid() {
  26. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  27. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  28. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  29. }
  30. public function testGetPolicyScriptDomainValidMultiple() {
  31. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com www.owncloud.org;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  32. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  33. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
  34. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  35. }
  36. public function testGetPolicyDisallowScriptDomain() {
  37. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  38. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  39. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
  40. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  41. }
  42. public function testGetPolicyDisallowScriptDomainMultiple() {
  43. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  44. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  45. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
  46. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  47. }
  48. public function testGetPolicyDisallowScriptDomainMultipleStacked() {
  49. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  50. $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
  51. $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
  52. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  53. }
  54. public function testGetPolicyScriptDisallowEval() {
  55. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  56. $this->contentSecurityPolicy->allowEvalScript(false);
  57. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  58. }
  59. public function testGetPolicyStyleDomainValid() {
  60. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  61. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  62. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  63. }
  64. public function testGetPolicyStyleDomainValidMultiple() {
  65. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com www.owncloud.org 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  66. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  67. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
  68. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  69. }
  70. public function testGetPolicyDisallowStyleDomain() {
  71. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  72. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  73. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
  74. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  75. }
  76. public function testGetPolicyDisallowStyleDomainMultiple() {
  77. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  78. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  79. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
  80. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  81. }
  82. public function testGetPolicyDisallowStyleDomainMultipleStacked() {
  83. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  84. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  85. $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
  86. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  87. }
  88. public function testGetPolicyStyleAllowInline() {
  89. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  90. $this->contentSecurityPolicy->allowInlineStyle(true);
  91. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  92. }
  93. public function testGetPolicyStyleAllowInlineWithDomain() {
  94. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  95. $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
  96. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  97. }
  98. public function testGetPolicyStyleDisallowInline() {
  99. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  100. $this->contentSecurityPolicy->allowInlineStyle(false);
  101. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  102. }
  103. public function testGetPolicyImageDomainValid() {
  104. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  105. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  106. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  107. }
  108. public function testGetPolicyImageDomainValidMultiple() {
  109. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com www.owncloud.org;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  110. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  111. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
  112. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  113. }
  114. public function testGetPolicyDisallowImageDomain() {
  115. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  116. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  117. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
  118. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  119. }
  120. public function testGetPolicyDisallowImageDomainMultiple() {
  121. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  122. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  123. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
  124. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  125. }
  126. public function testGetPolicyDisallowImageDomainMultipleStakes() {
  127. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  128. $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
  129. $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
  130. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  131. }
  132. public function testGetPolicyFontDomainValid() {
  133. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  134. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  135. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  136. }
  137. public function testGetPolicyFontDomainValidMultiple() {
  138. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  139. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  140. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
  141. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  142. }
  143. public function testGetPolicyDisallowFontDomain() {
  144. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  145. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  146. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
  147. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  148. }
  149. public function testGetPolicyDisallowFontDomainMultiple() {
  150. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  151. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  152. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
  153. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  154. }
  155. public function testGetPolicyDisallowFontDomainMultipleStakes() {
  156. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  157. $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
  158. $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
  159. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  160. }
  161. public function testGetPolicyConnectDomainValid() {
  162. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self';form-action 'self'";
  163. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  164. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  165. }
  166. public function testGetPolicyConnectDomainValidMultiple() {
  167. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com www.owncloud.org;media-src 'self';frame-ancestors 'self';form-action 'self'";
  168. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  169. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
  170. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  171. }
  172. public function testGetPolicyDisallowConnectDomain() {
  173. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  174. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  175. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
  176. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  177. }
  178. public function testGetPolicyDisallowConnectDomainMultiple() {
  179. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self';form-action 'self'";
  180. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  181. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
  182. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  183. }
  184. public function testGetPolicyDisallowConnectDomainMultipleStakes() {
  185. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  186. $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
  187. $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
  188. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  189. }
  190. public function testGetPolicyMediaDomainValid() {
  191. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  192. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  193. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  194. }
  195. public function testGetPolicyMediaDomainValidMultiple() {
  196. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
  197. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  198. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
  199. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  200. }
  201. public function testGetPolicyDisallowMediaDomain() {
  202. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  203. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  204. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
  205. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  206. }
  207. public function testGetPolicyDisallowMediaDomainMultiple() {
  208. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  209. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  210. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
  211. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  212. }
  213. public function testGetPolicyDisallowMediaDomainMultipleStakes() {
  214. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  215. $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
  216. $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
  217. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  218. }
  219. public function testGetPolicyObjectDomainValid() {
  220. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  221. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  222. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  223. }
  224. public function testGetPolicyObjectDomainValidMultiple() {
  225. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
  226. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  227. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
  228. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  229. }
  230. public function testGetPolicyDisallowObjectDomain() {
  231. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  232. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  233. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
  234. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  235. }
  236. public function testGetPolicyDisallowObjectDomainMultiple() {
  237. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  238. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  239. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
  240. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  241. }
  242. public function testGetPolicyDisallowObjectDomainMultipleStakes() {
  243. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  244. $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
  245. $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
  246. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  247. }
  248. public function testGetAllowedFrameDomain() {
  249. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  250. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  251. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  252. }
  253. public function testGetPolicyFrameDomainValidMultiple() {
  254. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
  255. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  256. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
  257. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  258. }
  259. public function testGetPolicyDisallowFrameDomain() {
  260. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  261. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  262. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
  263. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  264. }
  265. public function testGetPolicyDisallowFrameDomainMultiple() {
  266. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  267. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  268. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
  269. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  270. }
  271. public function testGetPolicyDisallowFrameDomainMultipleStakes() {
  272. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  273. $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
  274. $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
  275. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  276. }
  277. public function testGetAllowedChildSrcDomain() {
  278. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com;frame-ancestors 'self';form-action 'self'";
  279. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
  280. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  281. }
  282. public function testGetPolicyChildSrcValidMultiple() {
  283. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org;frame-ancestors 'self';form-action 'self'";
  284. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
  285. $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
  286. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  287. }
  288. public function testGetPolicyDisallowChildSrcDomain() {
  289. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  290. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  291. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
  292. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  293. }
  294. public function testGetPolicyDisallowChildSrcDomainMultiple() {
  295. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
  296. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  297. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
  298. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  299. }
  300. public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
  301. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  302. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  303. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
  304. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  305. }
  306. public function testGetAllowedFrameAncestorDomain() {
  307. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com;form-action 'self'";
  308. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
  309. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  310. }
  311. public function testGetPolicyFrameAncestorValidMultiple() {
  312. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com foo.nextcloud.com;form-action 'self'";
  313. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
  314. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('foo.nextcloud.com');
  315. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  316. }
  317. public function testGetPolicyDisallowFrameAncestorDomain() {
  318. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  319. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
  320. $this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.com');
  321. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  322. }
  323. public function testGetPolicyDisallowFrameAncestorDomainMultiple() {
  324. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' www.nextcloud.com;form-action 'self'";
  325. $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
  326. $this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.org');
  327. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  328. }
  329. public function testGetPolicyDisallowFrameAncestorDomainMultipleStakes() {
  330. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  331. $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
  332. $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
  333. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  334. }
  335. public function testGetPolicyUnsafeEval() {
  336. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  337. $this->contentSecurityPolicy->allowEvalScript(true);
  338. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  339. }
  340. public function testGetPolicyUnsafeWasmEval() {
  341. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  342. $this->contentSecurityPolicy->allowEvalWasm(true);
  343. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  344. }
  345. public function testGetPolicyNonce() {
  346. $nonce = 'my-nonce';
  347. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  348. $this->contentSecurityPolicy->useJsNonce($nonce);
  349. $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
  350. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  351. }
  352. public function testGetPolicyNonceDefault() {
  353. $nonce = 'my-nonce';
  354. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';script-src-elem 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  355. $this->contentSecurityPolicy->useJsNonce($nonce);
  356. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  357. }
  358. public function testGetPolicyNonceStrictDynamic() {
  359. $nonce = 'my-nonce';
  360. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  361. $this->contentSecurityPolicy->useJsNonce($nonce);
  362. $this->contentSecurityPolicy->useStrictDynamic(true);
  363. $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
  364. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  365. }
  366. public function testGetPolicyNonceStrictDynamicDefault() {
  367. $nonce = 'my-nonce';
  368. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  369. $this->contentSecurityPolicy->useJsNonce($nonce);
  370. $this->contentSecurityPolicy->useStrictDynamic(true);
  371. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  372. }
  373. public function testGetPolicyStrictDynamicOnScriptsOff() {
  374. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  375. $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
  376. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  377. }
  378. public function testGetPolicyStrictDynamicAndStrictDynamicOnScripts() {
  379. $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
  380. $this->contentSecurityPolicy->useStrictDynamic(true);
  381. $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
  382. $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
  383. }
  384. }