From c056aa7aa2438d16b1a3f1db20e6aac2694ca455 Mon Sep 17 00:00:00 2001
From: Ed Tanous
Date: Sun, 14 Apr 2024 09:57:09 -0700
Subject: Implement a Content-Security-Policy TODO

This TODO has been in bmcweb for a very long time. Implement it.

W3 sets rules for what security policies apply to which content types[1]. Reading through this, essentially CSP should only apply to HTML files.

Tested: Unit tests pass. Webui loads properly. Chrome network window Shows headers show up as expected.

[1] https://www.w3.org/TR/CSP2/#which-policy-applies

Change-Id: I5467d0373832668763c72a66da2a8872e07bfb58
Signed-off-by: Ed Tanous
---
 test/http/http2_connection_test.cpp | 35 +++++++++++------------------------
 test/http/http_connection_test.cpp | 8 --------
 2 files changed, 11 insertions(+), 32 deletions(-)
(limited to 'test')

diff --git a/test/http/http2_connection_test.cpp b/test/http/http2_connection_test.cpp
index 81c78a9a60..34dc7cd20e 100644
--- a/test/http/http2_connection_test.cpp
+++ b/test/http/http2_connection_test.cpp
@@ -136,8 +136,8 @@ TEST(http_connection, RequestPropogates)
         // Settings ACK from server to client
         "\x00\x00\x00\x04\x01\x00\x00\x00\x00"
-        // Start Headers frame stream 1, size 0x034b
-        "\x00\x03\x4b\x01\x04\x00\x00\x00\x01"sv;
+        // Start Headers frame stream 1, size 0x005f
+        "\x00\x00\x5f\x01\x04\x00\x00\x00\x01"sv;
 
     std::string_view expectedPostfix =
         // Data Frame, Length 12, Stream 1, End Stream flag set
@@ -146,7 +146,7 @@ TEST(http_connection, RequestPropogates)
         "StringOutput"sv;
     std::string_view outStr;
 
-    constexpr size_t headerSize = 0x34b;
+    constexpr size_t headerSize = 0x05f;
 
     // Run until we receive the expected amount of data
     while (outStr.size() < 
@@ -164,27 +164,14 @@ TEST(http_connection, RequestPropogates)
     unpackHeaders(outStr.substr(0, headerSize), headers);
     outStr.remove_prefix(headerSize);
 
-    EXPECT_THAT(
-        headers,
-        UnorderedElementsAre(
-            Pair(":status", "200"), Pair("content-length", "12"),
-            Pair("strict-transport-security",
-                 "max-age=31536000; includeSubdomains"),
-            Pair("x-frame-options", "DENY"), Pair("pragma", "no-cache"),
-            Pair("cache-control", "no-store, max-age=0"),
-            Pair("x-content-type-options", "nosniff"),
-            Pair("referrer-policy", "no-referrer"),
-            Pair(
-                "permissions-policy",
-                "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wak-lock=(),web-share=(),xr-spatial-tracking=()"),
-            Pair("x-permitted-cross-domain-policies", "none"),
-            Pair("cross-origin-embedder-policy", "require-corp"),
-            Pair("cross-origin-opener-policy", "same-origin"),
-            Pair("cross-origin-resource-policy", "same-origin"),
-            Pair(
-                "content-security-policy",
-                "default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'"),
-            Pair("date", "TestTime")));
+    EXPECT_THAT(headers,
+                UnorderedElementsAre(
+                    Pair(":status", "200"), Pair("content-length", "12"),
+                    Pair("strict-transport-security",
+                         "max-age=31536000; includeSubdomains"),
+                    Pair("cache-control", "no-store, max-age=0"),
+                    Pair("x-content-type-options", "nosniff"),
+                    Pair("pragma", "no-cache"), Pair("date", "TestTime")));
 
     EXPECT_EQ(outStr, expectedPostfix);
 }
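Review bot: The rewritten EXPECT_THAT pins only the headers that survive on a response that carries no Content-Type, so the suite no longer asserts that content-security-policy, x-frame-options, referrer-policy, permissions-policy, x-permitted-cross-domain-policies and the cross-origin-* headers are still emitted anywhere; a server change that dropped them from HTML documents as well would pass this test unchanged. The server-side rule is outside this diff (it is limited to test/), so I am inferring that the switch is keyed on Content-Type; a companion case in this test whose handler returns `text/html` and asserts the full original header set would pin the positive side of that rule. The same gap applies to the http_connection_test.cpp hunk below, whose HTTP/1.1 expected string now also lacks those headers. Worth a comment at the point where the header set is chosen, or a second look, is cross-origin-resource-policy: it governs cross-origin subresource loads rather than documents, so its removal from non-HTML responses is not obviously covered by the cited "CSP applies to HTML" rule.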
diff --git a/test/http/http_connection_test.cpp b/test/http/http_connection_test.cpp
index 4dda70ecf8..caf50c8a62 100644
--- a/test/http/http_connection_test.cpp
+++ b/test/http/http_connection_test.cpp
@@ -84,17 +84,9 @@ TEST(http_connection, RequestPropogates)
         "HTTP/1.1 200 OK\r\n"
         "Connection: close\r\n"
         "Strict-Transport-Security: max-age=31536000; includeSubdomains\r\n"
-        "X-Frame-Options: DENY\r\n"
         "Pragma: no-cache\r\n"
         "Cache-Control: no-store, max-age=0\r\n"
         "X-Content-Type-Options: nosniff\r\n"
-        "Referrer-Policy: no-referrer\r\n"
-        "Permissions-Policy: accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wak-lock=(),web-share=(),xr-spatial-tracking=()\r\n"
-        "X-Permitted-Cross-Domain-Policies: none\r\n"
-        "Cross-Origin-Embedder-Policy: require-corp\r\n"
-        "Cross-Origin-Opener-Policy: same-origin\r\n"
-        "Cross-Origin-Resource-Policy: same-origin\r\n"
-        "Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'\r\n"
         "Date: TestTime\r\n"
         "Content-Length: 0\r\n\r\n";
     EXPECT_EQ(outStr, expected);
-- cgit v1.2.3