public function SecKitTestCaseTest::testCspReportUri in Security Kit 8
Same name and namespace in other branches
- 2.x tests/src/Functional/SecKitTestCaseTest.php \Drupal\Tests\seckit\Functional\SecKitTestCaseTest::testCspReportUri()
Tests different values for Content Security Policy report-uri.
File
- tests/src/Functional/SecKitTestCaseTest.php, line 277
Class
- SecKitTestCaseTest
- Functional tests for Security Kit.
Namespace
Drupal\Tests\seckit\Functional
Code
/**
 * Tests different values for Content Security Policy report-uri.
 *
 * For every accepted value the saved policy must be advertised unchanged
 * (apart from the base path prepended to relative paths) in the
 * Content-Security-Policy header and in its two vendor-prefixed variants.
 * For every rejected value the settings form must answer with a validation
 * message, so a malformed report-uri never reaches the response header.
 */
public function testCspReportUri() {
  // Each case lists the submitted value, whether it is an absolute URI (no
  // base path is prepended) and whether the form is expected to accept it.
  $cases = [
    ['uri' => '//example.com/csp-report', 'absolute' => TRUE, 'valid' => TRUE],
    ['uri' => 'https://example.com/report-uri', 'absolute' => TRUE, 'valid' => TRUE],
    // Malformed host: expected to be rejected by form validation.
    ['uri' => 'http://in<val>.id/url', 'absolute' => TRUE, 'valid' => FALSE],
    ['uri' => $this->reportPath, 'absolute' => FALSE, 'valid' => TRUE],
    // This path should be accessible to all users.
    ['uri' => 'filter/tips', 'absolute' => FALSE, 'valid' => TRUE],
    ['uri' => 'non-existent-path', 'absolute' => FALSE, 'valid' => FALSE],
    // Relative path with a leading slash.
    ['uri' => '/' . $this->reportPath, 'absolute' => FALSE, 'valid' => TRUE],
  ];

  // The policy is expected on the standard header and both vendor prefixes,
  // because both prefix checkboxes are enabled below.
  $header_names = [
    'Content-Security-Policy',
    'X-Content-Security-Policy',
    'X-WebKit-CSP',
  ];

  foreach ($cases as $case) {
    $uri = $case['uri'];
    $edit = [
      'seckit_xss[csp][checkbox]' => TRUE,
      'seckit_xss[csp][vendor-prefix][x]' => TRUE,
      'seckit_xss[csp][vendor-prefix][webkit]' => TRUE,
      'seckit_xss[csp][default-src]' => 'self',
      'seckit_xss[csp][report-uri]' => $uri,
    ];
    $this->drupalPostForm('admin/config/system/seckit', $edit, t('Save configuration'));

    if (!$case['valid']) {
      // A rejected value must produce the matching validation message.
      [$message, $kind] = $case['absolute']
        ? ['The CSP report-uri seems absolute but does not seem to be a valid URI.', 'absolute']
        : ['The CSP report-uri seems relative but does not seem to be a valid path.', 'relative'];
      $this->assertSession()->responseContains($message, sprintf('Invalid %s setting for CSP report-uri was rejected.', $kind));
      continue;
    }

    // Relative paths are prefixed with the site base path; a leading slash on
    // the submitted path must not end up doubled after that prefix.
    $prefix = $case['absolute'] ? '' : base_path();
    $path = (!$case['absolute'] && substr($uri, 0, 1) === '/') ? ltrim($uri, '/') : $uri;
    $expected = 'default-src self; report-uri ' . $prefix . $path;

    foreach ($header_names as $header_name) {
      $this->assertSession()->responseHeaderEquals($header_name, $expected);
    }
  }
}