]> BookStack Code Mirror - bookstack/blob - tests/SecurityHeaderTest.php
888dac8106af4b8088ecf2f28fb8d82bd96d12f6
[bookstack] / tests / SecurityHeaderTest.php
1 <?php
2
3 namespace Tests;
4
5 use Illuminate\Support\Str;
6
7 class SecurityHeaderTest extends TestCase
8 {
9     public function test_cookies_samesite_lax_by_default()
10     {
11         $resp = $this->get('/');
12         foreach ($resp->headers->getCookies() as $cookie) {
13             $this->assertEquals('lax', $cookie->getSameSite());
14         }
15     }
16
17     public function test_cookies_samesite_none_when_iframe_hosts_set()
18     {
19         $this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'http://example.com', function () {
20             $resp = $this->get('/');
21             foreach ($resp->headers->getCookies() as $cookie) {
22                 $this->assertEquals('none', $cookie->getSameSite());
23             }
24         });
25     }
26
27     public function test_secure_cookies_controlled_by_app_url()
28     {
29         $this->runWithEnv('APP_URL', 'http://example.com', function () {
30             $resp = $this->get('/');
31             foreach ($resp->headers->getCookies() as $cookie) {
32                 $this->assertFalse($cookie->isSecure());
33             }
34         });
35
36         $this->runWithEnv('APP_URL', 'https://example.com', function () {
37             $resp = $this->get('/');
38             foreach ($resp->headers->getCookies() as $cookie) {
39                 $this->assertTrue($cookie->isSecure());
40             }
41         });
42     }
43
44     public function test_iframe_csp_self_only_by_default()
45     {
46         $resp = $this->get('/');
47         $cspHeaders = collect($resp->headers->get('Content-Security-Policy'));
48         $frameHeaders = $cspHeaders->filter(function ($val) {
49             return Str::startsWith($val, 'frame-ancestors');
50         });
51
52         $this->assertTrue($frameHeaders->count() === 1);
53         $this->assertEquals('frame-ancestors \'self\'', $frameHeaders->first());
54     }
55
56     public function test_iframe_csp_includes_extra_hosts_if_configured()
57     {
58         $this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'https://a.example.com https://b.example.com', function () {
59             $resp = $this->get('/');
60             $cspHeaders = collect($resp->headers->get('Content-Security-Policy'));
61             $frameHeaders = $cspHeaders->filter(function ($val) {
62                 return Str::startsWith($val, 'frame-ancestors');
63             });
64
65             $this->assertTrue($frameHeaders->count() === 1);
66             $this->assertEquals('frame-ancestors \'self\' https://a.example.com https://b.example.com', $frameHeaders->first());
67         });
68     }
69 }