Fix unit tests 4091/head
authorMorris Jobke <hey@morrisjobke.de>
Wed, 29 Mar 2017 00:44:15 +0000 (18:44 -0600)
committerMorris Jobke <hey@morrisjobke.de>
Wed, 29 Mar 2017 03:00:12 +0000 (21:00 -0600)
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
build/integration/features/sharing-v1.feature
tests/lib/AppFramework/Controller/ControllerTest.php
tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
tests/lib/AppFramework/Http/DataResponseTest.php
tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
tests/lib/AppFramework/Http/ResponseTest.php
tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php

index 9678720b262e327d7fa41dff1067205a632bdf96..5708b7115e4e33f447cdc86b1374e0c3fe3335e1 100644 (file)
@@ -14,7 +14,7 @@ Feature: sharing
     Then the OCS status code should be "100"
     And the HTTP status code should be "200"
     And The following headers should be set
-      | Content-Security-Policy | default-src 'none';base-uri 'none' |
+      | Content-Security-Policy | default-src 'none';base-uri 'none';manifest-src 'self' |
 
   Scenario: Creating a share with a group
     Given user "user0" exists
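Review bot: The expected header for an OCS API response now includes `manifest-src 'self'`, so this scenario pins a policy wider than the previous deny-all baseline on an endpoint that does not serve HTML. A manifest is only fetched for a rendered page, so the directive has no use here. Judging only from this expectation (the production change is not part of this commit), the strict policy used for API responses appears to have gained the directive along with the browser-facing default. If that was not intended, the fix belongs in the policy class and this line should stay `default-src 'none';base-uri 'none'`.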
index 9d14f3aace8f8450b0865b6ab45965e73a105e0e..59e2904e7405e884ad24bbd6a369533c77252aee 100644 (file)
@@ -184,7 +184,7 @@ class ControllerTest extends \Test\TestCase {
                        'test' => 'something',
                        'Cache-Control' => 'no-cache, no-store, must-revalidate',
                        'Content-Type' => 'application/json; charset=utf-8',
-                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'",
+                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'",
                ];
 
                $response = $this->controller->customDataResponse(array('hi'));
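Review bot: The `'Content-Security-Policy'` entry in the expected headers is a full copy of the default policy string, which couples this controller test to every future directive change. The test appears to be about how the controller merges headers into the response, not about policy content. Assuming the response uses the default policy class, the expectation could be derived as `'Content-Security-Policy' => (new ContentSecurityPolicy())->buildPolicy(),`, leaving the literal string to ContentSecurityPolicyTest. The test method starts and ends outside this hunk.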
index fa46e596d76fc642d205666f3c4f5f5cc7cc0c66..503148d633a73f4fc4a752b7d4a82543ca600931 100644 (file)
@@ -28,19 +28,19 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDefault() {
-               $defaultPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
                $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyScriptDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' www.owncloud.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyScriptDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' www.owncloud.com www.owncloud.org 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com www.owncloud.org 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
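Review bot: Every expected string in this file repeats the full default policy, so adding one directive forced the same edit in each test of this hunk and of all later hunks in ContentSecurityPolicyTest.php. A shared prefix such as `const BASE = "default-src 'none';base-uri 'none';manifest-src 'self';";`, with each test appending only the directives it varies, would keep a future directive change to one line. None of the visible hunks adds a test that changes the manifest sources, so the new directive is pinned only at its default `'self'`. If the policy class exposes a way to add or remove manifest sources, a dedicated test is worth adding. The class body begins and ends outside these hunks.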
@@ -48,7 +48,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
@@ -56,7 +56,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' www.owncloud.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
@@ -64,7 +64,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomainMultipleStacked() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
@@ -72,14 +72,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyScriptAllowInline() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->allowInlineScript(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyScriptAllowInlineWithDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' www.owncloud.com 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->allowInlineScript(true);
@@ -87,7 +87,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyScriptDisallowInlineAndEval() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->allowInlineScript(false);
                $this->contentSecurityPolicy->allowEvalScript(false);
@@ -95,14 +95,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyStyleDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com www.owncloud.org 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com www.owncloud.org 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
@@ -110,7 +110,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
@@ -118,7 +118,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
@@ -126,7 +126,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomainMultipleStacked() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
@@ -134,35 +134,35 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyStyleAllowInline() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->allowInlineStyle(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleAllowInlineWithDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleDisallowInline() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->allowInlineStyle(false);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyImageDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyImageDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com www.owncloud.org;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com www.owncloud.org;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
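Review bot: `testGetPolicyStyleAllowInlineWithDomain` never calls `allowInlineStyle(true)`, so it repeats `testGetPolicyStyleDomainValid` and does not exercise the combination its name promises. Because `'unsafe-inline'` is already part of the default `style-src` (see the string in `testGetPolicyDefault`), `testGetPolicyStyleAllowInline` also cannot distinguish a working setter from a no-op. Starting both tests with `$this->contentSecurityPolicy->allowInlineStyle(false);` and then calling `allowInlineStyle(true)` would make the assertions meaningful. That matters here because these tests are the only check that the inline-style relaxation is applied deliberately.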
@@ -170,7 +170,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
@@ -178,7 +178,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
@@ -186,7 +186,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
@@ -194,14 +194,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyFontDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com;connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com;connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyFontDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
@@ -209,7 +209,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
@@ -217,7 +217,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com;connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' www.owncloud.com;connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
@@ -225,7 +225,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
@@ -233,14 +233,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyConnectDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com;media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com;media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyConnectDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com www.owncloud.org;media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com www.owncloud.org;media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
@@ -248,7 +248,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
@@ -256,7 +256,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com;media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self' www.owncloud.com;media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
@@ -264,7 +264,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
@@ -272,14 +272,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyMediaDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyMediaDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
@@ -287,7 +287,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
@@ -295,7 +295,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
@@ -303,7 +303,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
@@ -311,14 +311,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyObjectDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyObjectDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
@@ -326,7 +326,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
@@ -334,7 +334,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
@@ -342,7 +342,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
@@ -350,14 +350,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetAllowedFrameDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyFrameDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
@@ -365,7 +365,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
@@ -373,7 +373,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
@@ -381,7 +381,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
@@ -389,14 +389,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetAllowedChildSrcDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyChildSrcValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
@@ -404,7 +404,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
@@ -412,7 +412,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';child-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
@@ -420,7 +420,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
index bbd23c874d73b04b7b8b1504806cdc34b014e01d..5b5eda8f11d7a10befa671d405e258f73e2ca357 100644 (file)
@@ -68,7 +68,7 @@ class DataResponseTest extends \Test\TestCase {
 
                $expectedHeaders = [
                        'Cache-Control' => 'no-cache, no-store, must-revalidate',
-                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'",
+                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'",
                ];
                $expectedHeaders = array_merge($expectedHeaders, $headers);
 
index ee4ec6c368c7956947a6dd9faef4b07f20ae9762..7c30df730d3c526026443161c0531af4efe99c9e 100644 (file)
@@ -28,19 +28,19 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDefault() {
-               $defaultPolicy = "default-src 'none';base-uri 'none'";
+               $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
                $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyScriptDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyScriptDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
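Review bot: testGetPolicyDefault now pins `manifest-src 'self'` for a class that is, by its name, the empty baseline, and nothing in the test says why a policy with `default-src 'none'` grants a same-origin fetch. Because manifest-src falls back to default-src, the directive is presumably there so that the web app manifest still loads. A comment above `$defaultPolicy`, such as `// manifest-src 'self' is always emitted: without it default-src 'none' blocks the app manifest`, would record that intent. None of the visible hunks of this file tests whether the directive can be tightened or dropped; if the policy class offers no way to do so, say that in the same comment. testGetPolicyScriptDomainValidMultiple continues past the end of this hunk.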
@@ -48,7 +48,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
@@ -56,7 +56,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
@@ -64,7 +64,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomainMultipleStacked() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
@@ -72,14 +72,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyScriptAllowInline() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src  'unsafe-inline'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src  'unsafe-inline'";
 
                $this->contentSecurityPolicy->allowInlineScript(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyScriptAllowInlineWithDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src www.owncloud.com 'unsafe-inline'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com 'unsafe-inline'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->allowInlineScript(true);
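Review bot: The expected string in testGetPolicyScriptAllowInline has two spaces between `script-src` and `'unsafe-inline'`, so the assertion pins what looks like a joining artifact of an empty domain list rather than anything about the policy's meaning. The same double space appears in testGetPolicyScriptAllowInlineAndEval and in testGetPolicyStyleAllowInline. Either note it where it occurs, `// double space: no domain precedes the keyword`, or compare after collapsing runs of spaces, `preg_replace('/ +/', ' ', $this->contentSecurityPolicy->buildPolicy())`, so a harmless formatting change in the builder does not fail these tests. testGetPolicyScriptAllowInlineWithDomain continues past the end of this hunk.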
@@ -87,7 +87,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyScriptAllowInlineAndEval() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src  'unsafe-inline' 'unsafe-eval'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src  'unsafe-inline' 'unsafe-eval'";
 
                $this->contentSecurityPolicy->allowInlineScript(true);
                $this->contentSecurityPolicy->allowEvalScript(true);
@@ -95,14 +95,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyStyleDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';style-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';style-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
@@ -110,7 +110,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
@@ -118,7 +118,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';style-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
@@ -126,7 +126,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomainMultipleStacked() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
@@ -134,14 +134,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyStyleAllowInline() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';style-src  'unsafe-inline'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src  'unsafe-inline'";
 
                $this->contentSecurityPolicy->allowInlineStyle(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleAllowInlineWithDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';style-src www.owncloud.com 'unsafe-inline'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com 'unsafe-inline'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->allowInlineStyle(true);
@@ -149,21 +149,21 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyStyleDisallowInline() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->allowInlineStyle(false);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyImageDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';img-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyImageDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';img-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
@@ -171,7 +171,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
@@ -179,7 +179,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';img-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
@@ -187,7 +187,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
@@ -195,14 +195,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyFontDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';font-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyFontDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';font-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
@@ -210,7 +210,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
@@ -218,7 +218,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';font-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
@@ -226,7 +226,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
@@ -234,14 +234,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyConnectDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';connect-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyConnectDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';connect-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
@@ -249,7 +249,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
@@ -257,7 +257,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';connect-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
@@ -265,7 +265,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
@@ -273,14 +273,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyMediaDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';media-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyMediaDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';media-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
@@ -288,7 +288,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
@@ -296,7 +296,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';media-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
@@ -304,7 +304,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
@@ -312,14 +312,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyObjectDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';object-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyObjectDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';object-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
@@ -327,7 +327,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
@@ -335,7 +335,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';object-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
@@ -343,7 +343,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
@@ -351,14 +351,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetAllowedFrameDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';frame-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyFrameDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';frame-src www.owncloud.com www.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com www.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
@@ -366,7 +366,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
@@ -374,7 +374,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';frame-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
@@ -382,7 +382,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
@@ -390,14 +390,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetAllowedChildSrcDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';child-src child.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyChildSrcValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';child-src child.owncloud.com child.owncloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.owncloud.com child.owncloud.org";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
@@ -405,7 +405,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
@@ -413,7 +413,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';child-src www.owncloud.com";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src www.owncloud.com";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
@@ -421,7 +421,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
@@ -429,7 +429,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyWithJsNonceAndScriptDomains() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'nonce-TXlKc05vbmNl' www.nextcloud.com www.nextcloud.org";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TXlKc05vbmNl' www.nextcloud.com www.nextcloud.org";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
                $this->contentSecurityPolicy->useJsNonce('MyJsNonce');
@@ -438,7 +438,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyWithJsNonceAndSelfScriptDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'nonce-TXlKc05vbmNl'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TXlKc05vbmNl'";
 
                $this->contentSecurityPolicy->useJsNonce('MyJsNonce');
                $this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
@@ -446,7 +446,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyWithoutJsNonceAndSelfScriptDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';script-src 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
index 0331bb42c01773b46b48d8db8b65638f6e3fd153..4840a5f94c33907a84878e4d07e63e82f75d2996 100644 (file)
@@ -58,14 +58,14 @@ class ResponseTest extends \Test\TestCase {
 
                $this->childResponse->setHeaders($expected);
                $headers = $this->childResponse->getHeaders();
-               $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
+               $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
 
                $this->assertEquals($expected, $headers);
        }
 
        public function testOverwriteCsp() {
                $expected = [
-                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self'",
+                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self'",
                ];
                $policy = new Http\ContentSecurityPolicy();
                $policy->allowInlineScript(true);
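Review bot: The complete default policy is spelled out as a literal twice in this hunk (before `assertEquals` and in `testOverwriteCsp`) and again in the ContentSecurityPolicyManagerTest hunk below, which is why adding one directive meant editing every expectation by hand. ResponseTest checks header handling rather than directive order, so the first expectation could be derived instead: `$expected['Content-Security-Policy'] = (new Http\ContentSecurityPolicy())->buildPolicy();`. This assumes the response's default policy is an unmodified `ContentSecurityPolicy`, which the matching string suggests but the hunk does not show. The literals in the policy classes' own tests should stay, since those are the ones that guard the exact header value. Both test methods extend beyond this hunk.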
index 4d70d4fa28fa0c26a152751308ea2594f615317e..f0fb1610d98419ec824822e939800e7ebf7f6ba2 100644 (file)
@@ -60,7 +60,7 @@ class ContentSecurityPolicyManagerTest extends \Test\TestCase {
                $expected->addAllowedImageDomain('anotherdomain.de');
                $expected->addAllowedImageDomain('example.org');
                $expected->addAllowedChildSrcDomain('childdomain');
-               $expectedStringPolicy = 'default-src \'none\';base-uri \'none\';script-src \'self\' \'unsafe-inline\' \'unsafe-eval\';style-src \'self\' \'unsafe-inline\';img-src \'self\' data: blob: anotherdomain.de example.org;font-src \'self\' mydomain.com example.com anotherFontDomain;connect-src \'self\';media-src \'self\';child-src childdomain';
+               $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain";
 
                $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
                $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());