diff options
author | Roeland Jago Douma <roeland@famdouma.nl> | 2019-04-03 18:42:34 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2019-04-16 14:09:39 +0200 |
commit | 7276735eb423ed126333923bb921d9d4bef16f07 (patch) | |
tree | 4131f2b8665f2e5066eb84d9ef39691709accc42 /tests | |
parent | 4e88cd3aae0b1c8e662197dd10e2e65ffe8cf489 (diff) | |
download | nextcloud-server-7276735eb423ed126333923bb921d9d4bef16f07.tar.gz nextcloud-server-7276735eb423ed126333923bb921d9d4bef16f07.zip |
Set empty CSP by default
For #14179
By default responses should have the strictest (and simplest) CSP
possible. Only template responses should require an actual CSP.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/lib/AppFramework/Controller/ControllerTest.php | 2 | ||||
-rw-r--r-- | tests/lib/AppFramework/Http/DataResponseTest.php | 2 | ||||
-rw-r--r-- | tests/lib/AppFramework/Http/ResponseTest.php | 4 |
3 files changed, 4 insertions, 4 deletions
diff --git a/tests/lib/AppFramework/Controller/ControllerTest.php b/tests/lib/AppFramework/Controller/ControllerTest.php index 3d1d7e66e84..c37a2a3456c 100644 --- a/tests/lib/AppFramework/Controller/ControllerTest.php +++ b/tests/lib/AppFramework/Controller/ControllerTest.php @@ -116,7 +116,7 @@ class ControllerTest extends \Test\TestCase { 'test' => 'something', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Content-Type' => 'application/json; charset=utf-8', - 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'", + 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'", ]; $response = $this->controller->customDataResponse(array('hi')); diff --git a/tests/lib/AppFramework/Http/DataResponseTest.php b/tests/lib/AppFramework/Http/DataResponseTest.php index 67ffdde8669..e0eca83f6e9 100644 --- a/tests/lib/AppFramework/Http/DataResponseTest.php +++ b/tests/lib/AppFramework/Http/DataResponseTest.php @@ -68,7 +68,7 @@ class DataResponseTest extends \Test\TestCase { $expectedHeaders = [ 'Cache-Control' => 'no-cache, no-store, must-revalidate', - 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'", + 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'", ]; $expectedHeaders = array_merge($expectedHeaders, $headers); diff --git a/tests/lib/AppFramework/Http/ResponseTest.php b/tests/lib/AppFramework/Http/ResponseTest.php index 18a9a398f72..e840111db19 100644 --- a/tests/lib/AppFramework/Http/ResponseTest.php +++ b/tests/lib/AppFramework/Http/ResponseTest.php @@ -59,7 +59,7 @@ class ResponseTest extends \Test\TestCase { $this->childResponse->setHeaders($expected); $headers = $this->childResponse->getHeaders(); - $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'"; + $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self'"; $this->assertEquals($expected, $headers); } @@ -86,7 +86,7 @@ class ResponseTest extends \Test\TestCase { } public function testGetCspEmpty() { - $this->assertNull($this->childResponse->getContentSecurityPolicy()); + $this->assertEquals(new Http\EmptyContentSecurityPolicy(), $this->childResponse->getContentSecurityPolicy()); } public function testAddHeaderValueNullDeletesIt(){ |