const run = require('./run');
const pathModule = require('path');
const expect = require('unexpected').clone();
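// Custom assertion: spawning lib/cli.js with `args` must exit cleanly, write
// nothing to stderr and write exactly `expectedOutput` to stdout (both streams
// are compared after utf-8 decoding).
expect.addAssertion(
  '<array> to yield output <string>',
  async (expect, args, expectedOutput) => {
    // Nest failures of the inner expect() calls under this assertion's message.
    expect.errorMode = 'nested';
    const cliPath = pathModule.resolve(__dirname, '..', 'lib', 'cli.js');
    let stdout;
    let stderr;
    try {
      [stdout, stderr] = await run([cliPath, ...args]);
    } catch (err) {
      // An error without captured stderr did not come from the CLI's own exit
      // (e.g. the spawn itself failed), so it propagates unchanged.
      if (!err.stderr) {
        throw err;
      }
      // The sibling '<array> to error with <string>' assertion reads
      // err.exitCode; fall back to err.code so the message never prints
      // "undefined" whichever property the error returned by run() carries.
      const exitCode = err.exitCode !== undefined ? err.exitCode : err.code;
      expect.fail(
        `Child process exited with ${exitCode} and stderr ${err.stderr}`
      );
    }
    expect(stderr, 'when decoded as', 'utf-8', 'to equal', '');
    expect(stdout, 'when decoded as', 'utf-8', 'to equal', expectedOutput);
  }
);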
// Custom assertion: spawning lib/cli.js with `args` must fail with an exit
// code greater than 0 and write exactly `expectedErrorOutput` to stderr
// (compared after utf-8 decoding). A clean exit is reported as a failure.
expect.addAssertion(
  '<array> to error with <string>',
  async (expect, args, expectedErrorOutput) => {
    // Nest failures of the inner expect() calls under this assertion's message.
    expect.errorMode = 'nested';
    const cliPath = pathModule.resolve(__dirname, '..', 'lib', 'cli.js');
    let stdout;
    let stderr;
    let failure;
    try {
      [stdout, stderr] = await run([cliPath, ...args]);
    } catch (caught) {
      failure = caught;
    }
    if (!failure) {
      // The caller expected the CLI to reject its input; a successful run is
      // the real test failure here, so surface what the process printed.
      expect.fail(`Command did not fail\nstdout: ${stdout}\nstderr: ${stderr}`);
      return;
    }
    expect(failure.exitCode, 'to be greater than', 0);
    expect(
      failure.stderr,
      'when decoded as',
      'utf-8',
      'to equal',
      expectedErrorOutput
    );
  }
);
describe('cli', function () {
  // Path of testdata/<fixtureName>/index.html relative to the current working
  // directory, which is how the fixtures are handed to the CLI below. Computed
  // inside each test so process.cwd() is read at run time.
  const fixturePath = (fixtureName) =>
    pathModule.relative(
      process.cwd(),
      pathModule.resolve(__dirname, '..', 'testdata', fixtureName, 'index.html')
    );

  // Policy the CLI derives for a page whose only resource is a same-origin script.
  const selfScriptPolicy =
    "Content-Security-Policy:\n default-src 'none';\n script-src 'self';\n";

  it('should generate a Content-Security-Policy from a local HTML file with no CSP meta tag', async function () {
    await expect(
      [fixturePath('noExistingCsp')],
      'to yield output',
      selfScriptPolicy
    );
  });

  describe('in --validate mode', function () {
    it('should succeed when there is a CSP meta tag that covers all the resources that are used', async function () {
      await expect(
        ['--validate', fixturePath('existingCompleteCsp')],
        'to yield output',
        selfScriptPolicy
      );
    });

    it('should fail when some resources are not covered by the existing CSP', async function () {
      // Validation must exit non-zero and name every resource the existing
      // policy does not whitelist, together with the directive it needs.
      const expectedStderr = [
        ' ✘ ERROR: Validation failed: The Content-Security-Policy does not whitelist the following resources:\n',
        " script-src 'self';\n",
        ' testdata/existingIncompleteCsp/script.js\n',
      ].join('');
      await expect(
        ['--validate', fixturePath('existingIncompleteCsp')],
        'to error with',
        expectedStderr
      );
    });

    it('should fail when there is no CSP', async function () {
      // A missing policy is reported as its own error before the list of
      // resources that the (absent) policy does not whitelist.
      const expectedStderr = [
        ' ✘ ERROR: Validation failed: No existing Content-Security-Policy\n',
        ' ✘ ERROR: Validation failed: The Content-Security-Policy does not whitelist the following resources:\n',
        " script-src 'self';\n",
        ' testdata/noExistingCsp/script.js\n',
      ].join('');
      await expect(
        ['--validate', fixturePath('noExistingCsp')],
        'to error with',
        expectedStderr
      );
    });
  });
});