@@ -3,7 +3,7 @@ import { serve } from "../test";
33
44test ( "POST+GET /api/files" , async ( ) => {
55 const { helpers } = await serve ( ) ;
6- const { client, user } = await helpers . createUser ( ) ;
6+ const { client } = await helpers . createUser ( ) ;
77 const file = new File ( [ "Hello, world!" ] , "test.txt" ) ;
88 const resp = await client . files . upload ( file ) ;
99 expect ( resp . id ) . toBeString ( ) ;
@@ -12,3 +12,27 @@ test("POST+GET /api/files", async () => {
1212 const fileResp = await client . files . get ( resp . id ) ;
1313 expect ( await fileResp . text ( ) ) . toBe ( "Hello, world!" ) ;
1414} ) ;
15+
16+ test ( "GET /api/files serves uploaded files inline with restrictive headers" , async ( ) => {
17+ const { helpers } = await serve ( ) ;
18+ const { client } = await helpers . createUser ( ) ;
19+ const file = new File ( [ "<h1>content</h1>" ] , "content.html" , {
20+ type : "text/html" ,
21+ } ) ;
22+
23+ const uploaded = await client . files . upload ( file ) ;
24+ const response = await fetch ( uploaded . url ) ;
25+
26+ expect ( response . status ) . toBe ( 200 ) ;
27+ expect ( await response . text ( ) ) . toBe ( "<h1>content</h1>" ) ;
28+ expect ( response . headers . get ( "content-type" ) ) . toStartWith ( "text/html" ) ;
29+ expect ( response . headers . get ( "content-disposition" ) ) . toBe (
30+ 'inline; filename="content.html"'
31+ ) ;
32+ expect ( response . headers . get ( "x-content-type-options" ) ) . toBe ( "nosniff" ) ;
33+ const csp = response . headers . get ( "content-security-policy" ) ;
34+ expect ( csp ) . toContain ( "default-src 'none'" ) ;
35+ expect ( csp ) . toContain ( "sandbox" ) ;
36+ expect ( csp ) . toContain ( "frame-ancestors 'none'" ) ;
37+ expect ( response . headers . get ( "x-frame-options" ) ) . toBeNull ( ) ;
38+ } ) ;
0 commit comments