def test_header_invalid(self): self.reqs['responses']['auto'].headers['X-Frame-Options'] = 'whimsy' result = x_frame_options(self.reqs) self.assertEquals('x-frame-options-header-invalid', result['result']) self.assertFalse(result['pass']) # common to see this header sent multiple times self.reqs['responses']['auto'].headers['X-Frame-Options'] = 'SAMEORIGIN, SAMEORIGIN' result = x_frame_options(self.reqs) self.assertEquals('x-frame-options-header-invalid', result['result']) self.assertFalse(result['pass'])
def test_deny(self): self.reqs['responses']['auto'].headers['X-Frame-Options'] = 'DENY' result = x_frame_options(self.reqs) self.assertEquals('x-frame-options-sameorigin-or-deny', result['result']) self.assertTrue(result['pass'])
def test_allow_from_origin(self): self.reqs['responses']['auto'].headers['X-Frame-Options'] = 'ALLOW-FROM https://mozilla.org' result = x_frame_options(self.reqs) self.assertEquals('x-frame-options-allow-from-origin', result['result']) self.assertTrue(result['pass'])
def test_enabled_via_csp(self): self.reqs['responses']['auto'].headers['X-Frame-Options'] = 'DENY' self.reqs['responses']['auto'].headers['Content-Security-Policy'] = 'frame-ancestors https://mozilla.org' result = x_frame_options(self.reqs) self.assertEquals('x-frame-options-implemented-via-csp', result['result']) self.assertTrue(result['pass'])
def test_missing(self): result = x_frame_options(self.reqs) self.assertEquals('x-frame-options-not-implemented', result['result']) self.assertFalse(result['pass'])