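<?php

/**
 * Test: HttpExtension — Content-Security-Policy headers.
 *
 * Compiles a DI container whose `http` extension is configured with both a
 * `csp` (enforced) and a `cspReportOnly` section, instantiates the
 * `http.response` service (which sends the headers) and checks the emitted
 * header values, including the per-request nonce that replaces the
 * `'nonce'` placeholder in both policies.
 */

declare(strict_types=1);

use Nette\Bridges\HttpDI\HttpExtension;
use Nette\DI;
use Tester\Assert;


require __DIR__ . '/../bootstrap.php';


if (PHP_SAPI === 'cli') {
	Tester\Environment::skip('Headers are not testable in CLI mode');
}


$compiler = new DI\Compiler;
$compiler->addExtension('http', new HttpExtension);
$loader = new DI\Config\Loader;

// Directive values are given in all the shapes the extension accepts: a quoted
// source list, an empty value (flag-only directive), the 'nonce' placeholder,
// a list, a plain string and booleans (true -> flag emitted, false -> omitted).
$config = $loader->load(Tester\FileMock::create(<<<'EOD'
http:
	csp:
		default-src: "'self' https://example.com"
		upgrade-insecure-requests:
		script-src: 'nonce'
		style-src:
			- self
			- https://example.com
		require-sri-for: style
		sandbox: allow-forms
		plugin-types: application/x-java-applet

	cspReportOnly:
		default-src: "'nonce'"
		report-uri: https://example.com/report
		upgrade-insecure-requests: true
		block-all-mixed-content: false
EOD
, 'neon'));

eval($compiler->addConfig($config)->compile());

$container = new Container;
$container->getService('http.response');

$headers = headers_list();

// The nonce is generated per request (base64 text), so it is extracted from the
// sent headers rather than predicted. Assert the match explicitly: without this,
// a missing nonce would surface as an "Undefined array key 1" warning below
// instead of a readable assertion failure.
$nonceFound = preg_match('#nonce-([\w+/]+=*)#', implode($headers), $nonce);
Assert::same(1, $nonceFound, 'CSP nonce not found in sent headers');

// The same nonce must appear in the enforced and the report-only policy;
// `block-all-mixed-content: false` is expected to be left out entirely.
Assert::contains("Content-Security-Policy: default-src 'self' https://example.com; upgrade-insecure-requests; script-src 'nonce-$nonce[1]'; style-src 'self' https://example.com; require-sri-for style; sandbox allow-forms; plugin-types application/x-java-applet;", $headers);
Assert::contains("Content-Security-Policy-Report-Only: default-src 'nonce-$nonce[1]'; report-uri https://example.com/report; upgrade-insecure-requests;", $headers);

// Force the headers out; `@` silences the notice ob_flush() raises when no
// output buffer is active.
echo ' '; @ob_flush(); flush();
Assert::true(headers_sent());

// Once headers are sent, creating a fresh http.response must throw.
Assert::exception(function () use ($container) {
	$container->createService('http.response');
}, Nette\InvalidStateException::class, 'Cannot send header after %a%');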