Set frame-ancestors to none if none are filled

frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2020-11-17 16:19:03 +01:00
parent 5acabcf5cb
commit 9163790b7c
No known key found for this signature in database
GPG Key ID: F941078878347C0C
6 changed files with 63 additions and 61 deletions

View File

@ -14,7 +14,7 @@ Feature: sharing
Then the OCS status code should be "100" Then the OCS status code should be "100"
And the HTTP status code should be "200" And the HTTP status code should be "200"
And The following headers should be set And The following headers should be set
| Content-Security-Policy | default-src 'none';base-uri 'none';manifest-src 'self' | | Content-Security-Policy | default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' |
Scenario: Creating a share with a group Scenario: Creating a share with a group
Given user "user0" exists Given user "user0" exists

View File

@ -509,6 +509,8 @@ class EmptyContentSecurityPolicy {
if (!empty($this->allowedFrameAncestors)) { if (!empty($this->allowedFrameAncestors)) {
$policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors); $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
$policy .= ';'; $policy .= ';';
} else {
$policy .= 'frame-ancestors \'none\';';
} }
if (!empty($this->allowedWorkerSrcDomains)) { if (!empty($this->allowedWorkerSrcDomains)) {

View File

@ -112,7 +112,7 @@ class ControllerTest extends \Test\TestCase {
'test' => 'something', 'test' => 'something',
'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Cache-Control' => 'no-cache, no-store, must-revalidate',
'Content-Type' => 'application/json; charset=utf-8', 'Content-Type' => 'application/json; charset=utf-8',
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'", 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'",
'Feature-Policy' => "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'", 'Feature-Policy' => "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'",
'X-Robots-Tag' => 'none', 'X-Robots-Tag' => 'none',
]; ];

View File

@ -65,7 +65,7 @@ class DataResponseTest extends \Test\TestCase {
$expectedHeaders = [ $expectedHeaders = [
'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Cache-Control' => 'no-cache, no-store, must-revalidate',
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'", 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'",
'Feature-Policy' => "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'", 'Feature-Policy' => "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'",
'X-Robots-Tag' => 'none', 'X-Robots-Tag' => 'none',
]; ];

View File

@ -26,19 +26,19 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDefault() { public function testGetPolicyDefault() {
$defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyScriptDomainValid() { public function testGetPolicyScriptDomainValid() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyScriptDomainValidMultiple() { public function testGetPolicyScriptDomainValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com www.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com www.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org'); $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
@ -46,7 +46,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowScriptDomain() { public function testGetPolicyDisallowScriptDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
@ -54,7 +54,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowScriptDomainMultiple() { public function testGetPolicyDisallowScriptDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
@ -62,7 +62,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowScriptDomainMultipleStacked() { public function testGetPolicyDisallowScriptDomainMultipleStacked() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
@ -70,14 +70,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyScriptAllowInline() { public function testGetPolicyScriptAllowInline() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline';frame-ancestors 'none'";
$this->contentSecurityPolicy->allowInlineScript(true); $this->contentSecurityPolicy->allowInlineScript(true);
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyScriptAllowInlineWithDomain() { public function testGetPolicyScriptAllowInlineWithDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com 'unsafe-inline'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com 'unsafe-inline';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
$this->contentSecurityPolicy->allowInlineScript(true); $this->contentSecurityPolicy->allowInlineScript(true);
@ -85,7 +85,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyScriptAllowInlineAndEval() { public function testGetPolicyScriptAllowInlineAndEval() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline' 'unsafe-eval'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline' 'unsafe-eval';frame-ancestors 'none'";
$this->contentSecurityPolicy->allowInlineScript(true); $this->contentSecurityPolicy->allowInlineScript(true);
$this->contentSecurityPolicy->allowEvalScript(true); $this->contentSecurityPolicy->allowEvalScript(true);
@ -93,14 +93,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyStyleDomainValid() { public function testGetPolicyStyleDomainValid() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyStyleDomainValidMultiple() { public function testGetPolicyStyleDomainValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com www.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com www.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org'); $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
@ -108,7 +108,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowStyleDomain() { public function testGetPolicyDisallowStyleDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
@ -116,7 +116,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowStyleDomainMultiple() { public function testGetPolicyDisallowStyleDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
@ -124,7 +124,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowStyleDomainMultipleStacked() { public function testGetPolicyDisallowStyleDomainMultipleStacked() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
@ -132,14 +132,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyStyleAllowInline() { public function testGetPolicyStyleAllowInline() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src 'unsafe-inline'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src 'unsafe-inline';frame-ancestors 'none'";
$this->contentSecurityPolicy->allowInlineStyle(true); $this->contentSecurityPolicy->allowInlineStyle(true);
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyStyleAllowInlineWithDomain() { public function testGetPolicyStyleAllowInlineWithDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com 'unsafe-inline'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com 'unsafe-inline';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
$this->contentSecurityPolicy->allowInlineStyle(true); $this->contentSecurityPolicy->allowInlineStyle(true);
@ -147,21 +147,21 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyStyleDisallowInline() { public function testGetPolicyStyleDisallowInline() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->allowInlineStyle(false); $this->contentSecurityPolicy->allowInlineStyle(false);
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyImageDomainValid() { public function testGetPolicyImageDomainValid() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyImageDomainValidMultiple() { public function testGetPolicyImageDomainValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com www.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com www.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org'); $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
@ -169,7 +169,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowImageDomain() { public function testGetPolicyDisallowImageDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
@ -177,7 +177,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowImageDomainMultiple() { public function testGetPolicyDisallowImageDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';img-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
@ -185,7 +185,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowImageDomainMultipleStakes() { public function testGetPolicyDisallowImageDomainMultipleStakes() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
@ -193,14 +193,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyFontDomainValid() { public function testGetPolicyFontDomainValid() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyFontDomainValidMultiple() { public function testGetPolicyFontDomainValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com www.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com www.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org'); $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
@ -208,7 +208,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowFontDomain() { public function testGetPolicyDisallowFontDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
@ -216,7 +216,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowFontDomainMultiple() { public function testGetPolicyDisallowFontDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';font-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
@ -224,7 +224,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowFontDomainMultipleStakes() { public function testGetPolicyDisallowFontDomainMultipleStakes() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
@ -232,14 +232,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyConnectDomainValid() { public function testGetPolicyConnectDomainValid() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyConnectDomainValidMultiple() { public function testGetPolicyConnectDomainValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com www.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com www.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org'); $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
@ -247,7 +247,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowConnectDomain() { public function testGetPolicyDisallowConnectDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
@ -255,7 +255,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowConnectDomainMultiple() { public function testGetPolicyDisallowConnectDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';connect-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
@ -263,7 +263,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowConnectDomainMultipleStakes() { public function testGetPolicyDisallowConnectDomainMultipleStakes() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
@ -271,14 +271,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyMediaDomainValid() { public function testGetPolicyMediaDomainValid() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyMediaDomainValidMultiple() { public function testGetPolicyMediaDomainValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com www.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com www.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org'); $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
@ -286,7 +286,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowMediaDomain() { public function testGetPolicyDisallowMediaDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
@ -294,7 +294,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowMediaDomainMultiple() { public function testGetPolicyDisallowMediaDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';media-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
@ -302,7 +302,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowMediaDomainMultipleStakes() { public function testGetPolicyDisallowMediaDomainMultipleStakes() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
@ -310,14 +310,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyObjectDomainValid() { public function testGetPolicyObjectDomainValid() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyObjectDomainValidMultiple() { public function testGetPolicyObjectDomainValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com www.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com www.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org'); $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
@ -325,7 +325,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowObjectDomain() { public function testGetPolicyDisallowObjectDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
@ -333,7 +333,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowObjectDomainMultiple() { public function testGetPolicyDisallowObjectDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';object-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
@ -341,7 +341,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowObjectDomainMultipleStakes() { public function testGetPolicyDisallowObjectDomainMultipleStakes() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
@ -349,14 +349,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetAllowedFrameDomain() { public function testGetAllowedFrameDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyFrameDomainValidMultiple() { public function testGetPolicyFrameDomainValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com www.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com www.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org'); $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
@ -364,7 +364,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowFrameDomain() { public function testGetPolicyDisallowFrameDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
@ -372,7 +372,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowFrameDomainMultiple() { public function testGetPolicyDisallowFrameDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
@ -380,7 +380,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowFrameDomainMultipleStakes() { public function testGetPolicyDisallowFrameDomainMultipleStakes() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
@ -388,14 +388,14 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetAllowedChildSrcDomain() { public function testGetAllowedChildSrcDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com'); $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyChildSrcValidMultiple() { public function testGetPolicyChildSrcValidMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.owncloud.com child.owncloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src child.owncloud.com child.owncloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com'); $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org'); $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
@ -403,7 +403,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowChildSrcDomain() { public function testGetPolicyDisallowChildSrcDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
@ -411,7 +411,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowChildSrcDomainMultiple() { public function testGetPolicyDisallowChildSrcDomainMultiple() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src www.owncloud.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';child-src www.owncloud.com;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org'); $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
@ -419,7 +419,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyDisallowChildSrcDomainMultipleStakes() { public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com'); $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com'); $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
@ -427,7 +427,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyWithJsNonceAndScriptDomains() { public function testGetPolicyWithJsNonceAndScriptDomains() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TXlKc05vbmNl' www.nextcloud.com www.nextcloud.org"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TXlKc05vbmNl' www.nextcloud.com www.nextcloud.org;frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com'); $this->contentSecurityPolicy->addAllowedScriptDomain('www.nextcloud.com');
$this->contentSecurityPolicy->useJsNonce('MyJsNonce'); $this->contentSecurityPolicy->useJsNonce('MyJsNonce');
@ -436,7 +436,7 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyWithJsNonceAndSelfScriptDomain() { public function testGetPolicyWithJsNonceAndSelfScriptDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TXlKc05vbmNl'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-TXlKc05vbmNl';frame-ancestors 'none'";
$this->contentSecurityPolicy->useJsNonce('MyJsNonce'); $this->contentSecurityPolicy->useJsNonce('MyJsNonce');
$this->contentSecurityPolicy->addAllowedScriptDomain("'self'"); $this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
@ -444,21 +444,21 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
} }
public function testGetPolicyWithoutJsNonceAndSelfScriptDomain() { public function testGetPolicyWithoutJsNonceAndSelfScriptDomain() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self'"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';frame-ancestors 'none'";
$this->contentSecurityPolicy->addAllowedScriptDomain("'self'"); $this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyWithReportUri() { public function testGetPolicyWithReportUri() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none';report-uri https://my-report-uri.com";
$this->contentSecurityPolicy->addReportTo("https://my-report-uri.com"); $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetPolicyWithMultipleReportUri() { public function testGetPolicyWithMultipleReportUri() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com https://my-other-report-uri.com"; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none';report-uri https://my-report-uri.com https://my-other-report-uri.com";
$this->contentSecurityPolicy->addReportTo("https://my-report-uri.com"); $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
$this->contentSecurityPolicy->addReportTo("https://my-other-report-uri.com"); $this->contentSecurityPolicy->addReportTo("https://my-other-report-uri.com");

View File

@ -57,7 +57,7 @@ class ResponseTest extends \Test\TestCase {
$this->childResponse->setHeaders($expected); $this->childResponse->setHeaders($expected);
$headers = $this->childResponse->getHeaders(); $headers = $this->childResponse->getHeaders();
$expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self'"; $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'";
$expected['Feature-Policy'] = "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'"; $expected['Feature-Policy'] = "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'";
$this->assertEquals($expected, $headers); $this->assertEquals($expected, $headers);