diff options
| author | Ed Tanous <ed@tanous.net> | 2024-04-14 19:57:09 +0300 |
|---|---|---|
| committer | Ed Tanous <ed@tanous.net> | 2024-04-23 17:58:29 +0300 |
| commit | c056aa7aa2438d16b1a3f1db20e6aac2694ca455 (patch) | |
| tree | 7328ae94e1c35298b27d542480d42dcff36d7203 /test | |
| parent | 003301a24bad4cfe066bb1f5720243a3f7c45742 (diff) | |
| download | bmcweb-c056aa7aa2438d16b1a3f1db20e6aac2694ca455.tar.xz | |
Implement a Content-Security-Policy TODO
This TODO has been in bmcweb for a very long time. Implement it.
W3 sets rules for what security policies apply to which content
types[1]. Reading through this, essentially CSP should only apply to
HTML files.
Tested: Unit tests pass. Webui loads properly. Chrome network window
Shows headers show up as expected.
[1] https://www.w3.org/TR/CSP2/#which-policy-applies
Change-Id: I5467d0373832668763c72a66da2a8872e07bfb58
Signed-off-by: Ed Tanous <ed@tanous.net>
Diffstat (limited to 'test')
| -rw-r--r-- | test/http/http2_connection_test.cpp | 35 | ||||
| -rw-r--r-- | test/http/http_connection_test.cpp | 8 |
2 files changed, 11 insertions, 32 deletions
diff --git a/test/http/http2_connection_test.cpp b/test/http/http2_connection_test.cpp index 81c78a9a60..34dc7cd20e 100644 --- a/test/http/http2_connection_test.cpp +++ b/test/http/http2_connection_test.cpp @@ -136,8 +136,8 @@ TEST(http_connection, RequestPropogates) // Settings ACK from server to client "\x00\x00\x00\x04\x01\x00\x00\x00\x00" - // Start Headers frame stream 1, size 0x034b - "\x00\x03\x4b\x01\x04\x00\x00\x00\x01"sv; + // Start Headers frame stream 1, size 0x005f + "\x00\x00\x5f\x01\x04\x00\x00\x00\x01"sv; std::string_view expectedPostfix = // Data Frame, Length 12, Stream 1, End Stream flag set @@ -146,7 +146,7 @@ TEST(http_connection, RequestPropogates) "StringOutput"sv; std::string_view outStr; - constexpr size_t headerSize = 0x34b; + constexpr size_t headerSize = 0x05f; // Run until we receive the expected amount of data while (outStr.size() < @@ -164,27 +164,14 @@ TEST(http_connection, RequestPropogates) unpackHeaders(outStr.substr(0, headerSize), headers); outStr.remove_prefix(headerSize); - EXPECT_THAT( - headers, - UnorderedElementsAre( - Pair(":status", "200"), Pair("content-length", "12"), - Pair("strict-transport-security", - "max-age=31536000; includeSubdomains"), - Pair("x-frame-options", "DENY"), Pair("pragma", "no-cache"), - Pair("cache-control", "no-store, max-age=0"), - Pair("x-content-type-options", "nosniff"), - Pair("referrer-policy", "no-referrer"), - Pair( - "permissions-policy", - "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wak-lock=(),web-share=(),xr-spatial-tracking=()"), - Pair("x-permitted-cross-domain-policies", "none"), - Pair("cross-origin-embedder-policy", "require-corp"), - Pair("cross-origin-opener-policy", "same-origin"), - Pair("cross-origin-resource-policy", "same-origin"), - Pair( - "content-security-policy", - "default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'"), - Pair("date", "TestTime"))); + EXPECT_THAT(headers, + UnorderedElementsAre( + Pair(":status", "200"), Pair("content-length", "12"), + Pair("strict-transport-security", + "max-age=31536000; includeSubdomains"), + Pair("cache-control", "no-store, max-age=0"), + Pair("x-content-type-options", "nosniff"), + Pair("pragma", "no-cache"), Pair("date", "TestTime"))); EXPECT_EQ(outStr, expectedPostfix); } diff --git a/test/http/http_connection_test.cpp b/test/http/http_connection_test.cpp index 4dda70ecf8..caf50c8a62 100644 --- a/test/http/http_connection_test.cpp +++ b/test/http/http_connection_test.cpp @@ -84,17 +84,9 @@ TEST(http_connection, RequestPropogates) "HTTP/1.1 200 OK\r\n" "Connection: close\r\n" "Strict-Transport-Security: max-age=31536000; includeSubdomains\r\n" - "X-Frame-Options: DENY\r\n" "Pragma: no-cache\r\n" "Cache-Control: no-store, max-age=0\r\n" "X-Content-Type-Options: nosniff\r\n" - "Referrer-Policy: no-referrer\r\n" - "Permissions-Policy: accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wak-lock=(),web-share=(),xr-spatial-tracking=()\r\n" - "X-Permitted-Cross-Domain-Policies: none\r\n" - "Cross-Origin-Embedder-Policy: require-corp\r\n" - "Cross-Origin-Opener-Policy: same-origin\r\n" - "Cross-Origin-Resource-Policy: same-origin\r\n" - "Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'\r\n" "Date: TestTime\r\n" "Content-Length: 0\r\n\r\n"; EXPECT_EQ(outStr, expected); |