
public function SecKitTestCaseTest::testCspReportUri in Security Kit 8

Same name and namespace in other branches
  1. 2.x tests/src/Functional/SecKitTestCaseTest.php \Drupal\Tests\seckit\Functional\SecKitTestCaseTest::testCspReportUri()

Tests different values for Content Security Policy report-uri.

File

tests/src/Functional/SecKitTestCaseTest.php, line 277

Class

SecKitTestCaseTest
Functional tests for Security Kit.

Namespace

Drupal\Tests\seckit\Functional

Code

/**
 * Tests different values for Content Security Policy report-uri.
 *
 * Every case is submitted through the Security Kit settings form. Accepted
 * values must come back verbatim (absolute URIs) or underneath the site base
 * path (relative paths) in the Content-Security-Policy header and in the two
 * vendor-prefixed variants, which are switched on for the whole run. Rejected
 * values must produce the matching form validation message instead.
 *
 * NOTE(review): none of the rejected cases contains CR/LF or other
 * header-delimiter characters, so this test does not show whether such input
 * is blocked before it can reach the response header - confirm separately.
 */
public function testCspReportUri() {
  // Each row: the value typed into the report-uri field, whether it is an
  // absolute URI (no base path is prepended; a scheme-relative "//host"
  // counts as absolute here) and whether the form is expected to accept it.
  $cases = [
    ['uri' => '//example.com/csp-report', 'absolute' => TRUE, 'valid' => TRUE],
    ['uri' => 'https://example.com/report-uri', 'absolute' => TRUE, 'valid' => TRUE],
    // Angle brackets make this an invalid absolute URI.
    ['uri' => 'http://in<val>.id/url', 'absolute' => TRUE, 'valid' => FALSE],
    ['uri' => $this->reportPath, 'absolute' => FALSE, 'valid' => TRUE],
    // A core path that every user, including anonymous, may reach.
    ['uri' => 'filter/tips', 'absolute' => FALSE, 'valid' => TRUE],
    // A path that does not route anywhere must be refused.
    ['uri' => 'non-existent-path', 'absolute' => FALSE, 'valid' => FALSE],
    // Same report path with a leading slash, to check slash handling.
    ['uri' => '/' . $this->reportPath, 'absolute' => FALSE, 'valid' => TRUE],
  ];

  // Settings shared by every submission; only report-uri varies per case.
  $settings = [
    'seckit_xss[csp][checkbox]' => TRUE,
    'seckit_xss[csp][vendor-prefix][x]' => TRUE,
    'seckit_xss[csp][vendor-prefix][webkit]' => TRUE,
    'seckit_xss[csp][default-src]' => 'self',
  ];

  foreach ($cases as $case) {
    $settings['seckit_xss[csp][report-uri]'] = $case['uri'];
    $this->drupalPostForm('admin/config/system/seckit', $settings, t('Save configuration'));

    if (!$case['valid']) {
      // The form distinguishes absolute-looking from relative-looking input
      // in its validation message; assert the right one was shown.
      $kind = $case['absolute'] ? 'absolute' : 'relative';
      $message = $case['absolute']
        ? 'The CSP report-uri seems absolute but does not seem to be a valid URI.'
        : 'The CSP report-uri seems relative but does not seem to be a valid path.';
      $this->assertSession()->responseContains($message, sprintf('Invalid %s setting for CSP report-uri was rejected.', $kind));
      continue;
    }

    // Relative paths are emitted below the base path. A leading slash on the
    // configured value must be folded into the base path rather than producing
    // a doubled slash; stripping it is a no-op for values without one.
    $location = $case['absolute']
      ? $case['uri']
      : base_path() . ltrim($case['uri'], '/');
    $header = 'default-src self; report-uri ' . $location;

    // Both vendor prefixes are enabled above, so all three headers must match.
    foreach (['Content-Security-Policy', 'X-Content-Security-Policy', 'X-WebKit-CSP'] as $name) {
      $this->assertSession()->responseHeaderEquals($name, $header);
    }
  }
}