Refactor tests

Natallia Harshunova · Natallia Harshunova · commit f537e1123839 · 2026-05-13T17:53:48.000Z
diff --git a/tests/security_policies.test.ts b/tests/security_policies.test.ts
@@ -0,0 +1,238 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import assert from 'node:assert/strict';
+import {describe, it} from 'node:test';
+
+import {lighthouseAudit} from '../src/tools/lighthouse.js';
+import {navigatePage} from '../src/tools/pages.js';
+import {evaluateScript} from '../src/tools/script.js';
+
+import {serverHooks} from './server.js';
+import {withMcpContext} from './utils.js';
+
+describe('Security Policies Integration', () => {
+  const server = serverHooks();
+
+  it('blocks URLs in blocklist', async () => {
+    server.addHtmlRoute('/allowed.html', '<html><body>Allowed</body></html>');
+    server.addHtmlRoute('/blocked.html', '<html><body>Blocked</body></html>');
+
+    await withMcpContext(
+      async (response, context) => {
+        const allowedUrl = server.getRoute('/allowed.html');
+        await navigatePage().handler(
+          {
+            params: {url: allowedUrl},
+            page: context.getSelectedMcpPage(),
+          },
+          response,
+          context,
+        );
+        assert.strictEqual(
+          response.responseLines[0],
+          `Successfully navigated to ${allowedUrl}.`,
+        );
+
+        response.resetResponseLineForTesting();
+        await evaluateScript().handler(
+          {
+            params: {function: String(() => document.body.textContent)},
+          },
+          response,
+          context,
+        );
+        assert.strictEqual(
+          JSON.parse(response.responseLines.at(2)!),
+          'Allowed',
+        );
+
+        const blockedUrl = server.getRoute('/blocked.html');
+        response.resetResponseLineForTesting();
+        await evaluateScript().handler(
+          {
+            params: {
+              function: `async () => {
+                try {
+                  await fetch("${blockedUrl}");
+                  return 'SUCCESS';
+                } catch (err) {
+                  return err instanceof Error ? err.message : String(err);
+                }
+              }`,
+            },
+          },
+          response,
+          context,
+        );
+
+        assert.strictEqual(
+          JSON.parse(response.responseLines.at(2)!),
+          'Failed to fetch',
+        );
+      },
+      {
+        blocklist: [server.getRoute('/blocked.html')],
+      },
+    );
+  });
+
+  it('blocks URLs not in allowlist', async () => {
+    server.addHtmlRoute('/allowed.html', '<html><body>Allowed</body></html>');
+    server.addHtmlRoute('/blocked.html', '<html><body>Blocked</body></html>');
+
+    await withMcpContext(
+      async (response, context) => {
+        const allowedUrl = server.getRoute('/allowed.html');
+        await navigatePage().handler(
+          {
+            params: {url: allowedUrl},
+            page: context.getSelectedMcpPage(),
+          },
+          response,
+          context,
+        );
+        assert.strictEqual(
+          response.responseLines[0],
+          `Successfully navigated to ${allowedUrl}.`,
+        );
+
+        response.resetResponseLineForTesting();
+        await evaluateScript().handler(
+          {
+            params: {function: String(() => document.body.textContent)},
+          },
+          response,
+          context,
+        );
+        assert.strictEqual(
+          JSON.parse(response.responseLines.at(2)!),
+          'Allowed',
+        );
+
+        const blockedUrl = server.getRoute('/blocked.html');
+        response.resetResponseLineForTesting();
+        await evaluateScript().handler(
+          {
+            params: {
+              function: `async () => {
+                try {
+                  await fetch("${blockedUrl}");
+                  return 'SUCCESS';
+                } catch (err) {
+                  return err instanceof Error ? err.message : String(err);
+                }
+              }`,
+            },
+          },
+          response,
+          context,
+        );
+
+        assert.strictEqual(
+          JSON.parse(response.responseLines.at(2)!),
+          'Failed to fetch',
+        );
+      },
+      {
+        allowlist: [server.getRoute('/allowed.html')],
+      },
+    );
+  });
+
+  it('respects blocklist after Lighthouse audits', async () => {
+    server.addHtmlRoute('/allowed.html', '<html><body>Allowed</body></html>');
+    server.addHtmlRoute('/blocked.html', '<html><body>Blocked</body></html>');
+
+    await withMcpContext(
+      async (response, context) => {
+        const allowedUrl = server.getRoute('/allowed.html');
+        await navigatePage().handler(
+          {
+            params: {url: allowedUrl},
+            page: context.getSelectedMcpPage(),
+          },
+          response,
+          context,
+        );
+        assert.strictEqual(
+          response.responseLines[0],
+          `Successfully navigated to ${allowedUrl}.`,
+        );
+
+        const blockedUrl = server.getRoute('/blocked.html');
+
+        // Verifies fetch is blocked before Lighthouse audit
+        response.resetResponseLineForTesting();
+        await evaluateScript().handler(
+          {
+            params: {
+              function: `async () => {
+                try {
+                  await fetch("${blockedUrl}");
+                  return 'SUCCESS';
+                } catch (err) {
+                  return err instanceof Error ? err.message : String(err);
+                }
+              }`,
+            },
+          },
+          response,
+          context,
+        );
+        assert.strictEqual(
+          JSON.parse(response.responseLines.at(2)!),
+          'Failed to fetch',
+          'Fetch should be blocked before audit',
+        );
+
+        await lighthouseAudit.handler(
+          {
+            params: {
+              mode: 'navigation',
+              device: 'desktop',
+            },
+            page: context.getSelectedMcpPage(),
+          },
+          response,
+          context,
+        );
+
+        assert.equal(
+          response.attachedLighthouseResult?.summary.mode,
+          'navigation',
+        );
+
+        // 2. Verify fetch remains blocked AFTER Lighthouse audit
+        response.resetResponseLineForTesting();
+        await evaluateScript().handler(
+          {
+            params: {
+              function: `async () => {
+                try {
+                  await fetch("${blockedUrl}");
+                  return 'SUCCESS';
+                } catch (err) {
+                  return err instanceof Error ? err.message : String(err);
+                }
+              }`,
+            },
+          },
+          response,
+          context,
+        );
+        assert.strictEqual(
+          JSON.parse(response.responseLines.at(2)!),
+          'Failed to fetch',
+          'Fetch should still be blocked after audit',
+        );
+      },
+      {
+        blocklist: [server.getRoute('/blocked.html')],
+      },
+    );
+  });
+});
diff --git a/tests/utils.ts b/tests/utils.ts
@@ -74,6 +74,8 @@ export async function withBrowser(
     autoOpenDevTools?: boolean;
     executablePath?: string;
     args?: string[];
+    blocklist?: string[];
+    allowlist?: string[];
   } = {},
 ) {
   const launchOptions: LaunchOptions = {
@@ -86,6 +88,8 @@ export async function withBrowser(
     handleDevToolsAsPage: true,
     args: [...(options.args || []), '--screen-info={3840x2160}'],
     enableExtensions: true,
+    blocklist: options.blocklist,
+    allowlist: options.allowlist,
   };
   const key = JSON.stringify(launchOptions);
 
@@ -115,6 +119,8 @@ export async function withMcpContext(
     performanceCrux?: boolean;
     executablePath?: string;
     args?: string[];
+    blocklist?: string[];
+    allowlist?: string[];
   } = {},
   args: ParsedArguments = {} as ParsedArguments,
 ) {
