package CaddyHeaderVerification
import (
"net/http/httptest"
"testing"
)
// TestValidateSecFetchRequests drives HeaderChecker.validateSecFetchRequests
// with a table of synthetic GET requests and checks the boolean verdict the
// checker returns for each combination of Sec-Fetch-* headers and path.
//
// The table pins down the behaviour that matters for a request-filtering
// middleware: a request carrying no Fetch Metadata at all is rejected, an
// image fetch is accepted only when Sec-Fetch-Site is "same-origin", a
// top-level navigation needs all three Sec-Fetch-* headers present, and a
// same-origin script fetch passes.
func TestValidateSecFetchRequests(t *testing.T) {
	// secFetchCase is one row of the table: the headers to put on the request,
	// the path to request, and the verdict the checker is expected to return.
	type secFetchCase struct {
		name      string
		headers   map[string]string
		urlPath   string
		wantValid bool
	}

	checker := HeaderChecker{}

	cases := []secFetchCase{
		{
			// No Fetch Metadata at all (e.g. a client that is not a browser):
			// the checker is expected to reject.
			name:      "empty headers => false",
			headers:   map[string]string{},
			urlPath:   "/some/path",
			wantValid: false,
		},
		{
			// Same-origin image fetch with the headers a browser would attach.
			// Content-Type on a GET is unusual but is part of the original
			// table, so it is sent as-is.
			name: "valid image request with correct Sec-Fetch headers => true",
			headers: map[string]string{
				"Sec-Fetch-Site": "same-origin",
				"Sec-Fetch-Mode": "no-cors",
				"Sec-Fetch-Dest": "image",
				"Accept":         "image/webp,image/apng,image/*,*/*;q=0.8",
				"Content-Type":   "image/png",
			},
			urlPath:   "/images/photo.png",
			wantValid: true,
		},
		{
			// Identical to the case above except Sec-Fetch-Site is
			// "cross-site"; that single difference must flip the verdict.
			name: "image request with incorrect Sec-Fetch headers => false",
			headers: map[string]string{
				"Sec-Fetch-Site": "cross-site",
				"Sec-Fetch-Mode": "no-cors",
				"Sec-Fetch-Dest": "image",
				"Accept":         "image/webp,image/apng,image/*,*/*;q=0.8",
				"Content-Type":   "image/png",
			},
			urlPath:   "/images/photo.png",
			wantValid: false,
		},
		{
			// Top-level navigation typed into the address bar: Site "none",
			// Mode "navigate", Dest "document".
			name: "valid navigate request => true",
			headers: map[string]string{
				"Sec-Fetch-Site": "none",
				"Sec-Fetch-Mode": "navigate",
				"Sec-Fetch-Dest": "document",
			},
			urlPath:   "/home",
			wantValid: true,
		},
		{
			// Same navigation but Sec-Fetch-Mode is absent; an incomplete set
			// of Fetch Metadata headers must not be accepted.
			name: "invalid navigate request (missing header) => false",
			headers: map[string]string{
				"Sec-Fetch-Site": "none",
				"Sec-Fetch-Dest": "document",
			},
			urlPath:   "/home",
			wantValid: false,
		},
		{
			// A same-origin subresource that is neither an image nor a
			// navigation (a script) is allowed through.
			name: "non-image and non-navigate request same server => true",
			headers: map[string]string{
				"Sec-Fetch-Site": "same-origin",
				"Sec-Fetch-Mode": "no-cors",
				"Sec-Fetch-Dest": "script",
			},
			urlPath:   "/scripts/app.js",
			wantValid: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Build a GET against a fixed host; only the path varies per case.
			req := httptest.NewRequest("GET", "http://example.com"+tc.urlPath, nil)
			// Header.Set canonicalises the key, so map iteration order is
			// irrelevant here.
			for name, value := range tc.headers {
				req.Header.Set(name, value)
			}
			if got := checker.validateSecFetchRequests(req); got != tc.wantValid {
				t.Errorf("validateSecFetchRequests() = %v, want %v", got, tc.wantValid)
			}
		})
	}
}