-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcsp-config.test.ts
More file actions
56 lines (46 loc) · 2.07 KB
/
Copy pathcsp-config.test.ts
File metadata and controls
56 lines (46 loc) · 2.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import { createHash } from 'node:crypto';
import { readFileSync } from 'node:fs';
import { describe, it, expect } from 'vitest';
import config from '../../svelte.config.js';
describe('SvelteKit CSP configuration', () => {
const csp = config.kit?.csp;
it('is configured', () => {
expect(csp).toBeDefined();
});
it('enforces the policy (directives), not report-only mode', () => {
expect(csp?.directives).toBeDefined();
expect(csp?.reportOnly).toBeUndefined();
});
it('uses auto mode so SvelteKit picks nonce vs hash per route', () => {
expect(csp?.mode).toBe('auto');
});
it('locks down framing, base-uri, form-action and object-src', () => {
const r = csp!.directives!;
expect(r['frame-ancestors']).toEqual(['none']);
expect(r['base-uri']).toEqual(['self']);
expect(r['form-action']).toEqual(['self']);
expect(r['object-src']).toEqual(['none']);
});
it('keeps script-src restricted to same-origin (no unsafe-inline / unsafe-eval)', () => {
const scriptSrc = csp!.directives!['script-src'] ?? [];
expect(scriptSrc).toContain('self');
expect(scriptSrc).not.toContain('unsafe-inline');
expect(scriptSrc).not.toContain('unsafe-eval');
});
it('pins a sha256 hash matching the inline <script> in app.html', () => {
const appHtml = readFileSync(new URL('../../src/app.html', import.meta.url), 'utf8');
const inlineScriptBody = appHtml.match(/<script>([\s\S]*?)<\/script>/)?.[1];
expect(inlineScriptBody, 'src/app.html should contain an inline <script>').toBeDefined();
const expected = `sha256-${createHash('sha256').update(inlineScriptBody!).digest('base64')}`;
expect(csp!.directives!['script-src']).toContain(expected);
});
it('allows data: images for inline icon SVGs', () => {
expect(csp!.directives!['img-src']).toContain('data:');
});
it('allows the Iconify API in connect-src for @iconify/svelte icon loading', () => {
expect(csp!.directives!['connect-src']).toContain('https://api.iconify.design');
});
it('points violations at the in-app CSP report sink', () => {
expect(csp!.directives!['report-uri']).toEqual(['/api/csp-report']);
});
});