cloudsmith-docs/src/lib/csp.test.ts at 6a23b7f2cf1d1440cde4d8429fa50f88c5af48f9 · cloudsmith-io/cloudsmith-docs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
import { getContentSecurityPolicyHeaderValue } from './csp';

describe('lib', () => {
  describe('csp.ts', () => {
    describe('getContentSecurityPolicyHeaderValue()', () => {
      test('returns a trimmed string', () => {
        const result = getContentSecurityPolicyHeaderValue();
        expect(result).toBe(result.trim());
      });

      test('includes default-src self', () => {
        const result = getContentSecurityPolicyHeaderValue();
        expect(result).toContain("default-src 'self'");
      });

      test('includes required script-src sources', () => {
        const result = getContentSecurityPolicyHeaderValue();
        expect(result).toContain("'unsafe-inline'");
        expect(result).toContain("'wasm-unsafe-eval'");
        expect(result).toContain('https://simple.cloudsmith.com');
        expect(result).toContain('https://va.vercel-scripts.com');
      });

      test('includes required connect-src sources', () => {
        const result = getContentSecurityPolicyHeaderValue();
        expect(result).toContain('https://api.cloudsmith.io');
        expect(result).toContain('https://queue.simpleanalyticscdn.com');
        expect(result).toContain('https://simple.cloudsmith.io');
        expect(result).toContain('https://simple.cloudsmith.com');
      });

      test('sets frame-src and object-src to none', () => {
        const result = getContentSecurityPolicyHeaderValue();
        expect(result).toContain("frame-src 'none'");
        expect(result).toContain("object-src 'none'");
      });

      test('sets base-uri to none', () => {
        const result = getContentSecurityPolicyHeaderValue();
        expect(result).toContain("base-uri 'none'");
      });

      test('deduplicates values within a directive', () => {
        const result = getContentSecurityPolicyHeaderValue();
        const scriptSrcMatch = result.match(/script-src ([^;]+)/);
        expect(scriptSrcMatch).not.toBeNull();
        const values = scriptSrcMatch![1].trim().split(' ');
        const unique = new Set(values);
        expect(values.length).toBe(unique.size);
      });
    });
  });
});