mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-07-17 16:29:55 +00:00
31 lines
963 B
Go
31 lines
963 B
Go
package utils
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestBuildCSP(t *testing.T) {
|
|
csp := BuildCSP("test-nonce")
|
|
|
|
assert.Contains(t, csp, "form-action 'self';")
|
|
assert.Contains(t, csp, "script-src 'self' 'nonce-test-nonce'")
|
|
}
|
|
|
|
func TestBuildFormPostCSP(t *testing.T) {
|
|
csp := BuildFormPostCSP("test-nonce", "https://client.example.com/callback", "'sha256-abc123'")
|
|
|
|
// The client's redirect URI must be an allowed POST target
|
|
assert.Contains(t, csp, "form-action 'self' https://client.example.com/callback;")
|
|
|
|
// The single auto-submit script is allow-listed by hash alongside self and the nonce
|
|
assert.Contains(t, csp, "script-src 'self' 'nonce-test-nonce' 'sha256-abc123'")
|
|
|
|
// Inline scripts in general must stay forbidden in script-src
|
|
_, scriptSrc, found := strings.Cut(csp, "script-src")
|
|
assert.True(t, found, "csp must contain a script-src directive")
|
|
assert.NotContains(t, scriptSrc, "unsafe-inline")
|
|
}
|