809ff5ac95
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.
To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.
To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');
$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```
If you now open the files app the policy should be:
```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
429 lines
25 KiB
PHP
429 lines
25 KiB
PHP
<?php
|
|
/**
|
|
* Copyright (c) 2015 Lukas Reschke lukas@owncloud.com
|
|
* This file is licensed under the Affero General Public License version 3 or
|
|
* later.
|
|
* See the COPYING-README file.
|
|
*/
|
|
|
|
|
|
namespace OC\AppFramework\Http;
|
|
|
|
use OCP\AppFramework\Http;
|
|
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
|
|
|
/**
|
|
* Class ContentSecurityPolicyTest
|
|
*
|
|
* @package OC\AppFramework\Http
|
|
*/
|
|
class ContentSecurityPolicyTest extends \Test\TestCase {
|
|
|
|
/** @var ContentSecurityPolicy */
|
|
private $contentSecurityPolicy;
|
|
|
|
public function setUp() {
|
|
parent::setUp();
|
|
$this->contentSecurityPolicy = new ContentSecurityPolicy();
|
|
}
|
|
|
|
public function testGetPolicyDefault() {
|
|
$defaultPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
$this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyScriptDomainValid() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' www.owncloud.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyScriptDomainValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' www.owncloud.com www.owncloud.org 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowScriptDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowScriptDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' www.owncloud.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowScriptDomainMultipleStacked() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyScriptAllowInline() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->allowInlineScript(true);
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyScriptAllowInlineWithDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' www.owncloud.com 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->allowInlineScript(true);
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyScriptDisallowInlineAndEval() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->allowInlineScript(false);
|
|
$this->contentSecurityPolicy->allowEvalScript(false);
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyStyleDomainValid() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyStyleDomainValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com www.owncloud.org 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowStyleDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowStyleDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowStyleDomainMultipleStacked() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyStyleAllowInline() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->allowInlineStyle(true);
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyStyleAllowInlineWithDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyStyleDisallowInline() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->allowInlineStyle(false);
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyImageDomainValid() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyImageDomainValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com www.owncloud.org;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowImageDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowImageDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowImageDomainMultipleStakes() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyFontDomainValid() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com;connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyFontDomainValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowFontDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowFontDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com;connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowFontDomainMultipleStakes() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyConnectDomainValid() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com;media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyConnectDomainValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com www.owncloud.org;media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowConnectDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowConnectDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com;media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowConnectDomainMultipleStakes() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyMediaDomainValid() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com";
|
|
|
|
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyMediaDomainValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com www.owncloud.org";
|
|
|
|
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowMediaDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowMediaDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com";
|
|
|
|
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowMediaDomainMultipleStakes() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyObjectDomainValid() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com";
|
|
|
|
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyObjectDomainValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org";
|
|
|
|
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowObjectDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowObjectDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com";
|
|
|
|
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowObjectDomainMultipleStakes() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetAllowedFrameDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyFrameDomainValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com www.owncloud.org";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowFrameDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowFrameDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowFrameDomainMultipleStakes() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetAllowedChildSrcDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com";
|
|
|
|
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyChildSrcValidMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org";
|
|
|
|
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
|
|
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowChildSrcDomain() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowChildSrcDomainMultiple() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src www.owncloud.com";
|
|
|
|
$this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
|
|
public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
|
|
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
|
|
|
$this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
|
|
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
|
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
|
}
|
|
}
|