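/**
 * Checks that a {@code 'nonce-...'} source expression in {@code script-src} survives a
 * parse/show round trip, and that equality and hash codes distinguish nonce values.
 *
 * <p>The two nonces are fixed base64 strings ("1234567" and "hello world" when decoded), which
 * is fine for exercising the parser. A served policy needs a fresh, unpredictable nonce per
 * response; a constant nonce gives no protection against injected script.
 */
@Test
public void testNonceSource() throws ParseException, TokeniserException {
  // Round trip: show() must reproduce the directive exactly as it was written.
  assertEquals(
      "script-src 'self' https://example.com 'nonce-MTIzNDU2Nw=='",
      parse("script-src 'self' https://example.com 'nonce-MTIzNDU2Nw=='")
          .getDirectiveByType(ScriptSrcDirective.class)
          .show());

  // Two policies parsed from identical text: hash codes are compared on the policies,
  // equality on their script-src directives.
  Policy p = parse("script-src 'nonce-MTIzNDU2Nw=='");
  Policy q = parse("script-src 'nonce-MTIzNDU2Nw=='");
  ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
  assertEquals("hash code matches", p.hashCode(), q.hashCode());
  assertTrue("nonce-source equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));

  // A different nonce value must not compare equal. The failure message previously read
  // "sandbox !equals", which named the wrong feature for this assertion.
  q = parse("script-src 'nonce-aGVsbG8gd29ybGQ='");
  assertFalse(
      "nonce-source inequality", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
}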
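/**
 * Exercises source-list handling on {@code script-src}: inequality of different lists, the
 * result of {@code union}, and equality / hash-code agreement for identical lists.
 */
@Test
public void sourceListTest() throws ParseException, TokeniserException {
  // p also carries a style-src directive; only its script-src directive is looked up here.
  Policy p = parse("script-src http://a https://b; style-src http://e");
  Policy q = parse("script-src c d");
  ScriptSrcDirective d1 = p.getDirectiveByType(ScriptSrcDirective.class);
  assertFalse(
      "source-list inequality", d1.equals(q.getDirectiveByType(ScriptSrcDirective.class)));

  // The union is checked through d1.show(), so d1 itself is expected to hold the merged list.
  // The merged directive allows every source from both inputs, i.e. it is the more permissive
  // of the lists involved.
  d1.union(q.getDirectiveByType(ScriptSrcDirective.class));
  assertEquals("source-list union", "script-src http://a https://b c d", d1.show());

  // Identical text must give equal directives and equal policy hash codes.
  p = parse("script-src http://a https://b");
  q = parse("script-src http://a https://b");
  d1 = p.getDirectiveByType(ScriptSrcDirective.class);
  assertTrue(
      "source-list equality", d1.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
  assertEquals("source-list hashcode equality", p.hashCode(), q.hashCode());
}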
/**
 * Covers {@code 'shaNNN-...'} hash-source expressions in {@code script-src}: malformed
 * expressions are rejected, well-formed ones round-trip through parse/show, equality and hash
 * codes follow the digest value, and a digest of the wrong length for its declared algorithm
 * raises a {@link ParseException} with a specific message.
 */
@Test
public void testHashSource() throws ParseException, TokeniserException {
  // "sha255" is not one of the algorithm labels accepted further down (sha256/sha384/sha512).
  failsToParse(
      "script-src 'self' https://example.com 'sha255-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
  // Same digest text as the accepted sha256 case below, but without the trailing '=' padding.
  failsToParse(
      "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");

  // Round trips: for each algorithm, show() must reproduce the text that was parsed.
  String sha256Policy =
      "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='";
  String shownSha256 = parse(sha256Policy).getDirectiveByType(ScriptSrcDirective.class).show();
  assertEquals("directive-name, directive-value", sha256Policy, shownSha256);

  String sha384Policy =
      "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'";
  String shownSha384 = parse(sha384Policy).getDirectiveByType(ScriptSrcDirective.class).show();
  assertEquals("directive-name, directive-value", sha384Policy, shownSha384);

  String sha512Policy =
      "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='";
  String shownSha512 = parse(sha512Policy).getDirectiveByType(ScriptSrcDirective.class).show();
  assertEquals("directive-name, directive-value", sha512Policy, shownSha512);

  // Two policies built from the same sha512 expression: equal hash codes on the policies,
  // equal script-src directives.
  String sameDigest =
      "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='";
  Policy p = parse(sameDigest);
  Policy q = parse(sameDigest);
  assertEquals("hash-source hashcode equality", p.hashCode(), q.hashCode());
  ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
  ScriptSrcDirective sameAsD = q.getDirectiveByType(ScriptSrcDirective.class);
  assertTrue("hash-source equals", d.equals(sameAsD));

  // A different sha512 digest must not compare equal.
  q =
      parse(
          "script-src 'sha512-HD6Xh+Y6oIZnXv4XqbKxrb6t3RkoPYv+NkqOBE8MwkssuATRE2aFBp8Nm9kp/Xn5a4l2Ki8QkX5qIUlbXQgO4Q=='");
  ScriptSrcDirective otherDigest = q.getDirectiveByType(ScriptSrcDirective.class);
  assertFalse("hash-source inequality", d.equals(otherDigest));

  // The same 20-byte value is offered under each algorithm label. A digest whose length does
  // not fit the declared algorithm can never match a script, so rejecting it at parse time
  // surfaces a misconfigured policy instead of silently blocking everything.
  try {
    parse("script-src 'sha256-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
    fail();
  } catch (ParseException rejected) {
    assertEquals("Invalid SHA-256 value (wrong length): 20", rejected.getMessage());
  }

  try {
    parse("script-src 'sha384-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
    fail();
  } catch (ParseException rejected) {
    assertEquals("Invalid SHA-384 value (wrong length): 20", rejected.getMessage());
  }

  try {
    parse("script-src 'sha512-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
    fail();
  } catch (ParseException rejected) {
    assertEquals("Invalid SHA-512 value (wrong length): 20", rejected.getMessage());
  }
}