|
4 | 4 | package template // import "miniflux.app/v2/internal/template" |
5 | 5 |
|
6 | 6 | import ( |
| 7 | + "strings" |
7 | 8 | "testing" |
8 | 9 | "time" |
9 | 10 |
|
10 | 11 | "miniflux.app/v2/internal/locale" |
| 12 | + "miniflux.app/v2/internal/model" |
11 | 13 | ) |
12 | 14 |
|
13 | 15 | func TestDict(t *testing.T) { |
@@ -159,3 +161,96 @@ func TestFormatFileSize(t *testing.T) { |
159 | 161 | } |
160 | 162 | } |
161 | 163 | } |
| 164 | + |
| 165 | +func TestCSPExternalFont(t *testing.T) { |
| 166 | + want := []string{ |
| 167 | + `default-src 'none';`, |
| 168 | + `img-src * data:;`, |
| 169 | + `media-src *;`, |
| 170 | + `frame-src *;`, |
| 171 | + `style-src 'nonce-1234';`, |
| 172 | + `script-src 'nonce-1234'`, |
| 173 | + `'strict-dynamic';`, |
| 174 | + `font-src test.com;`, |
| 175 | + `require-trusted-types-for 'script';`, |
| 176 | + `trusted-types html url;`, |
| 177 | + `manifest-src 'self';`, |
| 178 | + } |
| 179 | + csp := contentSecurityPolicy{nonce: "1234"} |
| 180 | + got := csp.Content(&model.User{ExternalFontHosts: "test.com"}) |
| 181 | + |
| 182 | + for _, value := range want { |
| 183 | + if !strings.Contains(got, value) { |
| 184 | + t.Errorf(`Unexpected result, didn't find %q in %q`, value, got) |
| 185 | + } |
| 186 | + } |
| 187 | +} |
| 188 | + |
| 189 | +func TestCSPNoUser(t *testing.T) { |
| 190 | + want := []string{ |
| 191 | + `default-src 'none';`, |
| 192 | + `img-src * data:;`, |
| 193 | + `media-src *;`, |
| 194 | + `frame-src *;`, |
| 195 | + `style-src 'nonce-1234';`, |
| 196 | + `script-src 'nonce-1234'`, |
| 197 | + `'strict-dynamic';`, |
| 198 | + `require-trusted-types-for 'script';`, |
| 199 | + `trusted-types html url;`, |
| 200 | + `manifest-src 'self';`, |
| 201 | + } |
| 202 | + csp := contentSecurityPolicy{nonce: "1234"} |
| 203 | + got := csp.Content(nil) |
| 204 | + |
| 205 | + for _, value := range want { |
| 206 | + if !strings.Contains(got, value) { |
| 207 | + t.Errorf(`Unexpected result, didn't find %q in %q`, value, got) |
| 208 | + } |
| 209 | + } |
| 210 | +} |
| 211 | + |
| 212 | +func TestCSPCustomJSExternalFont(t *testing.T) { |
| 213 | + want := []string{ |
| 214 | + `default-src 'none';`, |
| 215 | + `img-src * data:;`, |
| 216 | + `media-src *;`, |
| 217 | + `frame-src *;`, |
| 218 | + `style-src 'nonce-1234';`, |
| 219 | + `script-src 'nonce-1234'`, |
| 220 | + `'strict-dynamic';`, |
| 221 | + `require-trusted-types-for 'script';`, |
| 222 | + `trusted-types html url;`, |
| 223 | + `manifest-src 'self';`, |
| 224 | + } |
| 225 | + csp := contentSecurityPolicy{nonce: "1234"} |
| 226 | + got := csp.Content(&model.User{ExternalFontHosts: "test.com", CustomJS: "alert(1)"}) |
| 227 | + |
| 228 | + for _, value := range want { |
| 229 | + if !strings.Contains(got, value) { |
| 230 | + t.Errorf(`Unexpected result, didn't find %q in %q`, value, got) |
| 231 | + } |
| 232 | + } |
| 233 | +} |
| 234 | + |
| 235 | +func TestCSPExternalFontStylesheet(t *testing.T) { |
| 236 | + want := []string{ |
| 237 | + `default-src 'none';`, |
| 238 | + `img-src * data:;`, |
| 239 | + `media-src *;`, |
| 240 | + `frame-src *;`, |
| 241 | + `style-src 'nonce-1234' test.com;`, |
| 242 | + `script-src 'nonce-1234'`, |
| 243 | + `'strict-dynamic';`, |
| 244 | + `require-trusted-types-for 'script';`, |
| 245 | + `trusted-types html url;`, |
| 246 | + `manifest-src 'self';`, |
| 247 | + } |
| 248 | + csp := contentSecurityPolicy{nonce: "1234"} |
| 249 | + got := csp.Content(&model.User{ExternalFontHosts: "test.com", Stylesheet: "a {color: red;}"}) |
| 250 | + |
| 251 | + for _, value := range want { |
| 252 | + if !strings.Contains(got, value) { |
| 253 | + t.Errorf(`Unexpected result, didn't find %q in %q`, value, got) |
| 254 | + } |
| 255 | + } |
| 256 | +} |
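Review bot: The four new tests only assert that each `want` fragment appears somewhere in the policy, so an over-permissive policy still passes — `TestCSPCustomJSExternalFont` (new lines 212-233) drops `font-src test.com;` from its list and `TestCSPExternalFontStylesheet` drops `style-src 'nonce-1234';`, but neither checks that the dropped directive is actually absent, and nothing verifies that no extra source sits between `script-src 'nonce-1234'` and `'strict-dynamic';` (if that split is deliberate, a comment saying why would help). For a CSP the regression worth catching is an extra source, not a missing one, so each case should carry a `notWant` list asserted with `strings.Contains` as well. The four functions are otherwise identical line for line; folding them into one table-driven test makes the per-case difference the only thing a reader sees. The `notWant` entries below are derived from what each original `want` list leaves out — presumably that is the intended behaviour of `Content`, which should be confirmed before they are committed.
```go
func TestCSPContent(t *testing.T) {
	common := []string{
		`default-src 'none';`,
		`img-src * data:;`,
		`media-src *;`,
		`frame-src *;`,
		`script-src 'nonce-1234'`,
		`'strict-dynamic';`,
		`require-trusted-types-for 'script';`,
		`trusted-types html url;`,
		`manifest-src 'self';`,
	}
	tests := []struct {
		name    string
		user    *model.User
		want    []string
		notWant []string
	}{
		{
			name:    "no user",
			user:    nil,
			want:    []string{`style-src 'nonce-1234';`},
			notWant: []string{`font-src`},
		},
		{
			name: "external font",
			user: &model.User{ExternalFontHosts: "test.com"},
			want: []string{`style-src 'nonce-1234';`, `font-src test.com;`},
		},
		{
			name:    "custom js with external font",
			user:    &model.User{ExternalFontHosts: "test.com", CustomJS: "alert(1)"},
			want:    []string{`style-src 'nonce-1234';`},
			notWant: []string{`font-src test.com;`},
		},
		{
			name:    "stylesheet with external font",
			user:    &model.User{ExternalFontHosts: "test.com", Stylesheet: "a {color: red;}"},
			want:    []string{`style-src 'nonce-1234' test.com;`},
			notWant: []string{`style-src 'nonce-1234';`},
		},
	}
	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			csp := contentSecurityPolicy{nonce: "1234"}
			got := csp.Content(tc.user)
			for _, list := range [][]string{common, tc.want} {
				for _, value := range list {
					if !strings.Contains(got, value) {
						t.Errorf(`Unexpected result, didn't find %q in %q`, value, got)
					}
				}
			}
			for _, value := range tc.notWant {
				if strings.Contains(got, value) {
					t.Errorf(`Unexpected result, found %q in %q`, value, got)
				}
			}
		})
	}
}
```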