def test_retrieve_csp_policies_with_policies_case04(self):
'''
Test case in which 4 policies are specified using 4 differents CSP
headers and in which 1 is specified using report only CSP header.
Test in which we want only mandatory policies.
'''
hrds = {}
hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + \
" trust.sample.com"
hrds[CSP_HEADER_W3C_REPORT_ONLY] = CSP_DIRECTIVE_SCRIPT + \
" report.sample.com"
csp_headers = Headers(hrds.items())
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 3)
self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_OBJECT][0], "none")
self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
self.assertEqual(len(policies[CSP_DIRECTIVE_CONNECTION]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_CONNECTION][0],
"trust.sample.com")
def test_retrieve_csp_policies_without_policies(self):
"""
Test case in which no policies are specified into HTTP response.
"""
hrds = {}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 0)
def test_retrieve_csp_policies_without_policies(self):
'''
Test case in which no policies are specified into HTTP response.
'''
hrds = {}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 0)
def test_retrieve_csp_policies_with_special_policies_case01(self):
"""
Test case in which 2 policies are specified using special directives
with empty value.
"""
header_value = "sandbox ; script-nonce "
hrds = {CSP_HEADER_W3C: header_value}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 2)
self.assertEqual(len(policies[CSP_DIRECTIVE_SANDBOX]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SANDBOX][0], "")
self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT_NONCE][0], "")
def test_retrieve_csp_policies_with_special_policies_case01(self):
'''
Test case in which 2 policies are specified using special directives
with empty value.
'''
header_value = "sandbox ; script-nonce "
hrds = {CSP_HEADER_W3C: header_value}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 2)
self.assertEqual(len(policies[CSP_DIRECTIVE_SANDBOX]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SANDBOX][0], "")
self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT_NONCE][0], "")
def test_retrieve_csp_policies_with_special_policies_case02(self):
"""
Test case in which 2 policies are specified using special directives
with explicit values.
"""
header_value = "sandbox allow-forms allow-scripts ;" " script-nonce AABBCCDDEE"
hrds = {CSP_HEADER_W3C: header_value}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 2)
self.assertEqual(len(policies[CSP_DIRECTIVE_SANDBOX]), 2)
self.assertTrue("allow-forms" in policies[CSP_DIRECTIVE_SANDBOX])
self.assertTrue("allow-scripts" in policies[CSP_DIRECTIVE_SANDBOX])
self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT_NONCE][0], "AABBCCDDEE")
def test_retrieve_csp_policies_with_policies_case05(self):
"""
Test case in which 4 policies are specified using 4 differents CSP
headers and in which 1 is specified using report only CSP header.
Test in which we want only report-only policies.
"""
hrds = {}
hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + " trust.sample.com"
hrds[CSP_HEADER_W3C_REPORT_ONLY] = CSP_DIRECTIVE_SCRIPT + " report.sample.com"
csp_headers = Headers(hrds.items())
http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response, True)
self.assertEqual(len(policies), 1)
self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT][0], "report.sample.com")
def test_retrieve_csp_policies_with_special_policies_case02(self):
'''
Test case in which 2 policies are specified using special directives
with explicit values.
'''
header_value = "sandbox allow-forms allow-scripts ;"\
" script-nonce AABBCCDDEE"
hrds = {CSP_HEADER_W3C: header_value}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 2)
self.assertEqual(len(policies[CSP_DIRECTIVE_SANDBOX]), 2)
self.assertTrue("allow-forms" in policies[CSP_DIRECTIVE_SANDBOX])
self.assertTrue("allow-scripts" in policies[CSP_DIRECTIVE_SANDBOX])
self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT_NONCE][0], "AABBCCDDEE")
def test_retrieve_csp_policies_with_policies_case03(self):
"""
Test case in which 3 policies are specified using 3 differents CSP headers.
"""
hrds = {}
hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + " trust.sample.com"
csp_headers = Headers(hrds.items())
http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 3)
self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_OBJECT][0], "none")
self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
self.assertEqual(len(policies[CSP_DIRECTIVE_CONNECTION]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_CONNECTION][0], "trust.sample.com")
def test_retrieve_csp_policies_with_policies_case01(self):
"""
Test case in which 1 same policy is specified using 3 differents CSP
headers.
"""
hrds = {}
hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'self'"
hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_OBJECT + " *"
hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_OBJECT + " *.sample.com"
csp_headers = Headers(hrds.items())
http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 1)
self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 3)
self.assertTrue("self" in policies[CSP_DIRECTIVE_OBJECT])
self.assertTrue("*" in policies[CSP_DIRECTIVE_OBJECT])
self.assertTrue("*.sample.com" in policies[CSP_DIRECTIVE_OBJECT])
def test_retrieve_csp_policies_with_policies_case01(self):
'''
Test case in which 1 same policy is specified using 3 differents CSP
headers.
'''
hrds = {}
hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'self'"
hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_OBJECT + " *"
hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_OBJECT + " *.sample.com"
csp_headers = Headers(hrds.items())
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 1)
self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 3)
self.assertTrue("self" in policies[CSP_DIRECTIVE_OBJECT])
self.assertTrue("*" in policies[CSP_DIRECTIVE_OBJECT])
self.assertTrue("*.sample.com" in policies[CSP_DIRECTIVE_OBJECT])
def test_retrieve_csp_policies_with_policies_case03(self):
'''
Test case in which 3 policies are specified using 3 differents CSP headers.
'''
hrds = {}
hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + \
" trust.sample.com"
csp_headers = Headers(hrds.items())
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 3)
self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_OBJECT][0], "none")
self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
self.assertEqual(len(policies[CSP_DIRECTIVE_CONNECTION]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_CONNECTION][0],
"trust.sample.com")
def test_retrieve_csp_policies_with_policies_case02(self):
'''
Test case in which several policies are specified using only 1 CSP
header but with 7 differents directives.
'''
header_value = "default-src 'self'; img-src *;"\
" object-src media1.example.com media2.example.com"\
" *.cdn.example.com; script-src trustedscripts.example.com;"\
" form-action /ctxroot/action1 /ctxroot/action2;"\
" plugin-types application/pdf application/x-java-applet;"\
" reflected-xss block"
hrds = {CSP_HEADER_W3C: header_value}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 7)
self.assertEqual(len(policies[CSP_DIRECTIVE_DEFAULT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_DEFAULT][0], "self")
self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT][0],
"trustedscripts.example.com")
self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 3)
self.assertTrue("media1.example.com" in policies[CSP_DIRECTIVE_OBJECT])
self.assertTrue("media2.example.com" in policies[CSP_DIRECTIVE_OBJECT])
self.assertTrue("*.cdn.example.com" in policies[CSP_DIRECTIVE_OBJECT])
self.assertEqual(len(policies[CSP_DIRECTIVE_FORM]), 2)
self.assertTrue("/ctxroot/action1" in policies[CSP_DIRECTIVE_FORM])
self.assertTrue("/ctxroot/action2" in policies[CSP_DIRECTIVE_FORM])
self.assertEqual(len(policies[CSP_DIRECTIVE_PLUGIN_TYPES]), 2)
self.assertTrue(
"application/pdf" in policies[CSP_DIRECTIVE_PLUGIN_TYPES])
self.assertTrue("application/x-java-applet" in
policies[CSP_DIRECTIVE_PLUGIN_TYPES])
self.assertEqual(len(policies[CSP_DIRECTIVE_XSS]), 1)
self.assertTrue("block" in policies[CSP_DIRECTIVE_XSS])
def test_retrieve_csp_policies_with_policies_case02(self):
"""
Test case in which several policies are specified using only 1 CSP
header but with 7 differents directives.
"""
header_value = (
"default-src 'self'; img-src *;"
" object-src media1.example.com media2.example.com"
" *.cdn.example.com; script-src trustedscripts.example.com;"
" form-action /ctxroot/action1 /ctxroot/action2;"
" plugin-types application/pdf application/x-java-applet;"
" reflected-xss block"
)
hrds = {CSP_HEADER_W3C: header_value}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 7)
self.assertEqual(len(policies[CSP_DIRECTIVE_DEFAULT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_DEFAULT][0], "self")
self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT][0], "trustedscripts.example.com")
self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 3)
self.assertTrue("media1.example.com" in policies[CSP_DIRECTIVE_OBJECT])
self.assertTrue("media2.example.com" in policies[CSP_DIRECTIVE_OBJECT])
self.assertTrue("*.cdn.example.com" in policies[CSP_DIRECTIVE_OBJECT])
self.assertEqual(len(policies[CSP_DIRECTIVE_FORM]), 2)
self.assertTrue("/ctxroot/action1" in policies[CSP_DIRECTIVE_FORM])
self.assertTrue("/ctxroot/action2" in policies[CSP_DIRECTIVE_FORM])
self.assertEqual(len(policies[CSP_DIRECTIVE_PLUGIN_TYPES]), 2)
self.assertTrue("application/pdf" in policies[CSP_DIRECTIVE_PLUGIN_TYPES])
self.assertTrue("application/x-java-applet" in policies[CSP_DIRECTIVE_PLUGIN_TYPES])
self.assertEqual(len(policies[CSP_DIRECTIVE_XSS]), 1)
self.assertTrue("block" in policies[CSP_DIRECTIVE_XSS])