X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/b9a58859a4ef14b7971ca7d07318e1ac6f276b40..refs/pull/3365/head:/tests/SecurityHeaderTest.php diff --git a/tests/SecurityHeaderTest.php b/tests/SecurityHeaderTest.php index 78691badb..d8ba5873f 100644 --- a/tests/SecurityHeaderTest.php +++ b/tests/SecurityHeaderTest.php @@ -119,6 +119,25 @@ class SecurityHeaderTest extends TestCase $this->assertEquals('base-uri \'self\'', $scriptHeader); } + public function test_frame_src_csp_header_set() + { + $resp = $this->get('/'); + $scriptHeader = $this->getCspHeader($resp, 'frame-src'); + $this->assertEquals('frame-src \'self\' https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com', $scriptHeader); + } + + public function test_frame_src_csp_header_has_drawio_host_added() + { + config()->set([ + 'app.iframe_sources' => 'https://example.com', + 'services.drawio' => 'https://diagrams.example.com/testing?cat=dog', + ]); + + $resp = $this->get('/'); + $scriptHeader = $this->getCspHeader($resp, 'frame-src'); + $this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader); + } + public function test_cache_control_headers_are_strict_on_responses_when_logged_in() { $this->asEditor(); @@ -133,10 +152,14 @@ class SecurityHeaderTest extends TestCase */ protected function getCspHeader(TestResponse $resp, string $type): string { - $cspHeaders = collect($resp->headers->all('Content-Security-Policy')); + $cspHeaders = explode('; ', $resp->headers->get('Content-Security-Policy')); + + foreach ($cspHeaders as $cspHeader) { + if (strpos($cspHeader, $type) === 0) { + return $cspHeader; + } + } - return $cspHeaders->filter(function ($val) use ($type) { - return strpos($val, $type) === 0; - })->first() ?? ''; + return ''; } }