def test_provides_csp_features_no_case01(self):
    """
    Test case in which site do not provides CSP features.

    No CSP-related header is present at all, so the detector must
    report that the response provides no CSP features.
    """
    # Build the response from an empty header set (no CSP header of any kind).
    empty_headers = Headers(dict().items())
    response = HTTPResponse(200, '', empty_headers, self.url, self.url)
    self.assertFalse(provides_csp_features(response))
def test_provides_csp_features_yes_case03(self):
    """
    Test case in which site provides CSP features using report-only +
    mandatory policies.

    Both the enforcing header and the report-only header are set, each
    with a single directive; the detector must report CSP as provided.
    """
    policy_headers = {
        CSP_HEADER_W3C: CSP_DIRECTIVE_OBJECT + " 'self'",
        CSP_HEADER_W3C_REPORT_ONLY: CSP_DIRECTIVE_CONNECTION + " *",
    }
    response = HTTPResponse(200, '', Headers(policy_headers.items()),
                            self.url, self.url)
    self.assertTrue(provides_csp_features(response))
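def test_provides_csp_features_no_case03(self):
    """
    Test case in which site provides broken CSP.

    The enforcing header carries valid directive names (default-src,
    img-src) whose source lists are the malformed quoted-blank token ' ';
    the detector is expected not to count this as a usable policy.
    """
    # NOTE(review): the previous comment here described misspelled directive
    # names ("default-source", "image-src"), but the value below uses the
    # correct names; the only malformed part is the source list ' '. If the
    # intent was to exercise unknown directive names, the header value (not
    # this comment) needs to change.
    broken_policy = "default-src ' '; img-src ' '"
    csp_headers = Headers({CSP_HEADER_W3C: broken_policy}.items())
    response = HTTPResponse(200, '', csp_headers, self.url, self.url)
    self.assertFalse(provides_csp_features(response))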
def test_provides_csp_features_yes_case02(self):
    """
    Test case in which site provides CSP features using only report-only
    policies.

    Only the report-only header is set, with a multi-directive policy;
    a report-only policy alone must be enough for the detector to report
    CSP as provided.
    """
    report_only_policy = (
        "default-src 'self'; img-src *; object-src"
        " media1.example.com media2.example.com"
        " *.cdn.example.com; script-src"
        " trustedscripts.example.com"
    )
    raw_headers = {CSP_HEADER_W3C_REPORT_ONLY: report_only_policy}
    response = HTTPResponse(200, '', Headers(raw_headers.items()),
                            self.url, self.url)
    self.assertTrue(provides_csp_features(response))