X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/253f386f006eb0bcdf1151008b75213e96c4edf9..refs/pull/3069/head:/tests/SecurityHeaderTest.php
diff --git a/tests/SecurityHeaderTest.php b/tests/SecurityHeaderTest.php
index 57f4ab0df..78691badb 100644
--- a/tests/SecurityHeaderTest.php
+++ b/tests/SecurityHeaderTest.php
@@ -76,7 +76,7 @@ class SecurityHeaderTest extends TestCase
$nonce = app()->make(CspService::class)->getNonce();
$this->assertStringContainsString('nonce-' . $nonce, $scriptHeader);
- $resp->assertSee('');
+ $resp->assertSee('', false);
}
public function test_script_csp_nonce_changes_per_request()
@@ -105,12 +105,36 @@ class SecurityHeaderTest extends TestCase
$this->assertNotEmpty($scriptHeader);
}
+ public function test_object_src_csp_header_set()
+ {
+ $resp = $this->get('/');
+ $scriptHeader = $this->getCspHeader($resp, 'object-src');
+ $this->assertEquals('object-src \'self\'', $scriptHeader);
+ }
+
+ public function test_base_uri_csp_header_set()
+ {
+ $resp = $this->get('/');
+ $scriptHeader = $this->getCspHeader($resp, 'base-uri');
+ $this->assertEquals('base-uri \'self\'', $scriptHeader);
+ }
+
+ public function test_cache_control_headers_are_strict_on_responses_when_logged_in()
+ {
+ $this->asEditor();
+ $resp = $this->get('/');
+ $resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');
+ $resp->assertHeader('Pragma', 'no-cache');
+ $resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
+ }
+
/**
* Get the value of the first CSP header of the given type.
*/
protected function getCspHeader(TestResponse $resp, string $type): string
{
$cspHeaders = collect($resp->headers->all('Content-Security-Policy'));
+
return $cspHeaders->filter(function ($val) use ($type) {
return strpos($val, $type) === 0;
})->first() ?? '';