-
Notifications
You must be signed in to change notification settings - Fork 12k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: e2e tests for autoCsp #28701
base: main
Are you sure you want to change the base?
test: e2e tests for autoCsp #28701
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few minor suggestions, hopefully @clydin can take a quick look once he's back just to make sure we're restricting the test to esbuild correctly.
import { updateJsonFile, updateServerFileForWebpack, useSha } from '../../utils/project'; | ||
|
||
const MULTI_HASH_CSP = | ||
/script-src 'strict-dynamic' (?:'sha256-[^']+' )+https: 'unsafe-inline';object-src 'none';base-uri 'self';/; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At this level of abstraction I wouldn't assert on the policy this precisely, that's more of a unit test level assertion. Instead I'd just check:
- That a CSP policy was added (regex match for
<meta http-equiv="Content-Security-Policy"
), don't care what the policy is. - That the browser did not error from that policy.
Optionally it might also be good to verify that the scripts actually executed (maybe just check that they printed to the console?). That way we know we aren't asserting too soon before the scripts have been checked, I think there's a low risk of a false positive there though, so probably not too important.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think verifying that there are no errors should cover the script execution cases but to ensure i think it would be good to check the console output for the added script logging (Inline Script...
) cases as well.
import { updateJsonFile, updateServerFileForWebpack, useSha } from '../../utils/project'; | ||
|
||
const MULTI_HASH_CSP = | ||
/script-src 'strict-dynamic' (?:'sha256-[^']+' )+https: 'unsafe-inline';object-src 'none';base-uri 'self';/; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think verifying that there are no errors should cover the script execution cases but to ensure i think it would be good to check the console output for the added script logging (Inline Script...
) cases as well.
PR Checklist
Please check to confirm your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
No e2e tests for #28663
Issue Number: N/A
What is the new behavior?
e2e tests for #28663
Does this PR introduce a breaking change?
Other information