@@ -237,11 +237,10 @@ func TestSecure(t *testing.T) {
237237
238238 csp := rec .Header ().Get (echo .HeaderContentSecurityPolicy )
239239
240- apiLoginDomain := "api-login-myorg123.cozy.example.com"
241240 orgInstanceDomain := "myorg123.cozy.example.com"
242241 orgInstanceWSDomain := "wss://myorg123.cozy.example.com"
243242 chatDomain := "chat-myorg123.tc-apps.cozy.example.com"
244- autoLoginDomain := "auto -login-myorg123.tc-apps.cozy.example.com"
243+ apiLoginDomain := "api -login-myorg123.tc-apps.cozy.example.com"
245244
246245 // Verify that connect-src contains the api-login domain
247246 connectSrcIndex := strings .Index (csp , "connect-src " )
@@ -253,31 +252,14 @@ func TestSecure(t *testing.T) {
253252 "connect-src should end with semicolon" )
254253
255254 connectSrcContent := csp [connectSrcIndex : connectSrcIndex + connectSrcEnd ]
256- assert .Contains (t , connectSrcContent , apiLoginDomain ,
257- "connect-src should contain %s. Found: %s" , apiLoginDomain , connectSrcContent )
258255 assert .Contains (t , connectSrcContent , orgInstanceDomain ,
259256 "connect-src should contain %s. Found: %s" , orgInstanceDomain , connectSrcContent )
260257 assert .Contains (t , connectSrcContent , orgInstanceWSDomain ,
261258 "connect-src should contain %s. Found: %s" , orgInstanceWSDomain , connectSrcContent )
262259 assert .Contains (t , connectSrcContent , chatDomain ,
263260 "connect-src should contain %s. Found: %s" , chatDomain , connectSrcContent )
264- assert .Contains (t , connectSrcContent , autoLoginDomain ,
265- "connect-src should contain %s. Found: %s" , autoLoginDomain , connectSrcContent )
266-
267- // Verify that frame-src contains the Twake Chat domains.
268- frameSrcIndex := strings .Index (csp , "frame-src " )
269- assert .NotEqual (t , - 1 , frameSrcIndex ,
270- "frame-src should be present in CSP. Full CSP: %s" , csp )
271-
272- frameSrcEnd := strings .Index (csp [frameSrcIndex :], ";" )
273- assert .NotEqual (t , - 1 , frameSrcEnd ,
274- "frame-src should end with semicolon" )
275-
276- frameSrcContent := csp [frameSrcIndex : frameSrcIndex + frameSrcEnd ]
277- assert .Contains (t , frameSrcContent , chatDomain ,
278- "frame-src should contain %s. Found: %s" , chatDomain , frameSrcContent )
279- assert .Contains (t , frameSrcContent , autoLoginDomain ,
280- "frame-src should contain %s. Found: %s" , autoLoginDomain , frameSrcContent )
261+ assert .Contains (t , connectSrcContent , apiLoginDomain ,
262+ "connect-src should contain %s. Found: %s" , apiLoginDomain , connectSrcContent )
281263
282264 // Verify that other directives do NOT contain the api-login domain
283265 otherDirectives := []string {
@@ -301,6 +283,8 @@ func TestSecure(t *testing.T) {
301283 directiveEnd := strings .Index (csp [directiveIndex :], ";" )
302284 if directiveEnd != - 1 {
303285 directiveContent := csp [directiveIndex : directiveIndex + directiveEnd ]
286+ assert .NotContains (t , directiveContent , chatDomain ,
287+ "Directive %s should NOT contain %s. Found: %s" , directivePattern , chatDomain , directiveContent )
304288 assert .NotContains (t , directiveContent , apiLoginDomain ,
305289 "Directive %s should NOT contain %s. Found: %s" , directivePattern , apiLoginDomain , directiveContent )
306290 assert .NotContains (t , directiveContent , orgInstanceDomain ,
@@ -323,6 +307,8 @@ func TestSecure(t *testing.T) {
323307 imgSrcContent := csp [imgSrcIndex : imgSrcIndex + imgSrcEnd ]
324308 assert .Contains (t , imgSrcContent , orgInstanceDomain ,
325309 "img-src should contain %s. Found: %s" , orgInstanceDomain , imgSrcContent )
310+ assert .NotContains (t , imgSrcContent , chatDomain ,
311+ "img-src should NOT contain %s. Found: %s" , chatDomain , imgSrcContent )
326312 assert .NotContains (t , imgSrcContent , apiLoginDomain ,
327313 "img-src should NOT contain %s. Found: %s" , apiLoginDomain , imgSrcContent )
328314 assert .NotContains (t , imgSrcContent , orgInstanceWSDomain ,
@@ -362,7 +348,7 @@ func TestSecure(t *testing.T) {
362348 expectedDomain := "myorg123.example.com"
363349 expectedWSDomain := "wss://myorg123.example.com"
364350 chatDomain := "chat-myorg123.tc-apps.cozy.example.com"
365- autoLoginDomain := "auto -login-myorg123.tc-apps.cozy.example.com"
351+ apiLoginDomain := "api -login-myorg123.tc-apps.cozy.example.com"
366352
367353 count := strings .Count (csp , expectedDomain )
368354 assert .Equal (t , 3 , count ,
@@ -384,23 +370,8 @@ func TestSecure(t *testing.T) {
384370 "connect-src should contain %s. Found: %s" , expectedWSDomain , connectSrcContent )
385371 assert .Contains (t , connectSrcContent , chatDomain ,
386372 "connect-src should contain %s. Found: %s" , chatDomain , connectSrcContent )
387- assert .Contains (t , connectSrcContent , autoLoginDomain ,
388- "connect-src should contain %s. Found: %s" , autoLoginDomain , connectSrcContent )
389-
390- // Verify that frame-src contains the Twake Chat domains.
391- frameSrcIndex := strings .Index (csp , "frame-src " )
392- assert .NotEqual (t , - 1 , frameSrcIndex ,
393- "frame-src should be present in CSP. Full CSP: %s" , csp )
394-
395- frameSrcEnd := strings .Index (csp [frameSrcIndex :], ";" )
396- assert .NotEqual (t , - 1 , frameSrcEnd ,
397- "frame-src should end with semicolon" )
398-
399- frameSrcContent := csp [frameSrcIndex : frameSrcIndex + frameSrcEnd ]
400- assert .Contains (t , frameSrcContent , chatDomain ,
401- "frame-src should contain %s. Found: %s" , chatDomain , frameSrcContent )
402- assert .Contains (t , frameSrcContent , autoLoginDomain ,
403- "frame-src should contain %s. Found: %s" , autoLoginDomain , frameSrcContent )
373+ assert .Contains (t , connectSrcContent , apiLoginDomain ,
374+ "connect-src should contain %s. Found: %s" , apiLoginDomain , connectSrcContent )
404375
405376 // Verify that img-src also contains the org domain
406377 imgSrcIndex := strings .Index (csp , "img-src " )
0 commit comments