MCPcopy Index your code
hub / github.com/coder/coder / TestCSP

Function TestCSP

coderd/httpmw/csp_test.go:72–121  ·  view source on GitHub ↗
(t *testing.T)

Source from the content-addressed store, hash-verified

70}
71
72func TestCSP(t *testing.T) {
73 t.Parallel()
74
75 proxyHosts := []*proxyhealth.ProxyHost{
76 {
77 Host: "test.com",
78 AppHost: "*.test.com",
79 },
80 {
81 Host: "coder.com",
82 AppHost: "*.coder.com",
83 },
84 {
85 // Host is not added because it duplicates the host header.
86 Host: "example.com",
87 AppHost: "*.coder2.com",
88 },
89 }
90 expectedMedia := []string{"media.com", "media2.com"}
91
92 expected := []string{
93 "frame-src 'self' *.test.com *.coder.com *.coder2.com",
94 "media-src 'self' " + strings.Join(expectedMedia, " "),
95 strings.Join([]string{
96 "connect-src", "'self'",
97 // Added from host header.
98 "wss://example.com", "ws://example.com",
99 // Added via proxy hosts.
100 "wss://test.com", "ws://test.com", "https://test.com", "http://test.com",
101 "wss://coder.com", "ws://coder.com", "https://coder.com", "http://coder.com",
102 }, " "),
103 }
104
105 // When the host is empty, it uses example.com.
106 r := httptest.NewRequest(http.MethodGet, "/", nil)
107 rw := httptest.NewRecorder()
108
109 httpmw.CSPHeaders(false, func() []*proxyhealth.ProxyHost {
110 return proxyHosts
111 }, map[httpmw.CSPFetchDirective][]string{
112 httpmw.CSPDirectiveMediaSrc: expectedMedia,
113 })(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
114 rw.WriteHeader(http.StatusOK)
115 })).ServeHTTP(rw, r)
116
117 require.NotEmpty(t, rw.Header().Get("Content-Security-Policy"), "Content-Security-Policy header should not be empty")
118 for _, e := range expected {
119 require.Contains(t, rw.Header().Get("Content-Security-Policy"), e)
120 }
121}

Callers

nothing calls this directly

Calls 7

CSPHeadersFunction · 0.92
NotEmptyMethod · 0.80
GetMethod · 0.65
ServeHTTPMethod · 0.45
WriteHeaderMethod · 0.45
HeaderMethod · 0.45
ContainsMethod · 0.45

Tested by

no test coverage detected