BookStack/tests/SecurityHeaderTest.php

<?php

namespace Tests;

use Illuminate\Support\Str;

class SecurityHeaderTest extends TestCase
{
    public function test_cookies_samesite_lax_by_default()
    {
        $resp = $this->get('/');
        foreach ($resp->headers->getCookies() as $cookie) {
            $this->assertEquals('lax', $cookie->getSameSite());
        }
    }

    public function test_cookies_samesite_none_when_iframe_hosts_set()
    {
        $this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'http://example.com', function () {
            $resp = $this->get('/');
            foreach ($resp->headers->getCookies() as $cookie) {
                $this->assertEquals('none', $cookie->getSameSite());
            }
        });
    }

    public function test_secure_cookies_controlled_by_app_url()
    {
        $this->runWithEnv('APP_URL', 'http://example.com', function () {
            $resp = $this->get('/');
            foreach ($resp->headers->getCookies() as $cookie) {
                $this->assertFalse($cookie->isSecure());
            }
        });

        $this->runWithEnv('APP_URL', 'https://example.com', function () {
            $resp = $this->get('/');
            foreach ($resp->headers->getCookies() as $cookie) {
                $this->assertTrue($cookie->isSecure());
            }
        });
    }

    public function test_iframe_csp_self_only_by_default()
    {
        $resp = $this->get('/');
        $cspHeaders = collect($resp->headers->get('Content-Security-Policy'));
        $frameHeaders = $cspHeaders->filter(function ($val) {
            return Str::startsWith($val, 'frame-ancestors');
        });

        $this->assertTrue($frameHeaders->count() === 1);
        $this->assertEquals('frame-ancestors \'self\'', $frameHeaders->first());
    }

    public function test_iframe_csp_includes_extra_hosts_if_configured()
    {
        $this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'https://a.example.com https://b.example.com', function () {
            $resp = $this->get('/');
            $cspHeaders = collect($resp->headers->get('Content-Security-Policy'));
            $frameHeaders = $cspHeaders->filter(function ($val) {
                return Str::startsWith($val, 'frame-ancestors');
            });

            $this->assertTrue($frameHeaders->count() === 1);
            $this->assertEquals('frame-ancestors \'self\' https://a.example.com https://b.example.com', $frameHeaders->first());
        });
    }
}
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`<?php`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`namespace Tests;`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00
			`use Illuminate\Support\Str;`

			`class SecurityHeaderTest extends TestCase`
			`{`
			`public function test_cookies_samesite_lax_by_default()`
			`{`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`foreach ($resp->headers->getCookies() as $cookie) {`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$this->assertEquals('lax', $cookie->getSameSite());`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`}`
			`}`

			`public function test_cookies_samesite_none_when_iframe_hosts_set()`
			`{`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'http://example.com', function () {`
			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`foreach ($resp->headers->getCookies() as $cookie) {`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$this->assertEquals('none', $cookie->getSameSite());`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`}`
			`});`
			`}`

			`public function test_secure_cookies_controlled_by_app_url()`
			`{`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$this->runWithEnv('APP_URL', 'http://example.com', function () {`
			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`foreach ($resp->headers->getCookies() as $cookie) {`
			`$this->assertFalse($cookie->isSecure());`
			`}`
			`});`

Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$this->runWithEnv('APP_URL', 'https://example.com', function () {`
			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`foreach ($resp->headers->getCookies() as $cookie) {`
			`$this->assertTrue($cookie->isSecure());`
			`}`
			`});`
			`}`

			`public function test_iframe_csp_self_only_by_default()`
			`{`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`$cspHeaders = collect($resp->headers->get('Content-Security-Policy'));`
			`$frameHeaders = $cspHeaders->filter(function ($val) {`
			`return Str::startsWith($val, 'frame-ancestors');`
			`});`

			`$this->assertTrue($frameHeaders->count() === 1);`
			`$this->assertEquals('frame-ancestors \'self\'', $frameHeaders->first());`
			`}`

			`public function test_iframe_csp_includes_extra_hosts_if_configured()`
			`{`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$this->runWithEnv('ALLOWED_IFRAME_HOSTS', 'https://a.example.com https://b.example.com', function () {`
			`$resp = $this->get('/');`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`$cspHeaders = collect($resp->headers->get('Content-Security-Policy'));`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`$frameHeaders = $cspHeaders->filter(function ($val) {`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`return Str::startsWith($val, 'frame-ancestors');`
			`});`

			`$this->assertTrue($frameHeaders->count() === 1);`
			`$this->assertEquals('frame-ancestors \'self\' https://a.example.com https://b.example.com', $frameHeaders->first());`
			`});`
			`}`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`}`