Files
pocket-id/backend/internal/utils/csp_test.go
2026-06-26 14:51:56 +02:00

31 lines
963 B
Go

package utils
import (
"strings"
"testing"
"github.com/stretchr/testify/assert"
)
func TestBuildCSP(t *testing.T) {
csp := BuildCSP("test-nonce")
assert.Contains(t, csp, "form-action 'self';")
assert.Contains(t, csp, "script-src 'self' 'nonce-test-nonce'")
}
func TestBuildFormPostCSP(t *testing.T) {
csp := BuildFormPostCSP("test-nonce", "https://client.example.com/callback", "'sha256-abc123'")
// The client's redirect URI must be an allowed POST target
assert.Contains(t, csp, "form-action 'self' https://client.example.com/callback;")
// The single auto-submit script is allow-listed by hash alongside self and the nonce
assert.Contains(t, csp, "script-src 'self' 'nonce-test-nonce' 'sha256-abc123'")
// Inline scripts in general must stay forbidden in script-src
_, scriptSrc, found := strings.Cut(csp, "script-src")
assert.True(t, found, "csp must contain a script-src directive")
assert.NotContains(t, scriptSrc, "unsafe-inline")
}