83 lines
3.0 KiB
TypeScript
83 lines
3.0 KiB
TypeScript
import { afterEach, describe, expect, it, vi } from 'vitest';
|
|
import type { NextConfig } from 'next';
|
|
|
|
async function loadConfig(): Promise<NextConfig> {
|
|
vi.resetModules();
|
|
const mod = await import('@/next.config');
|
|
return mod.default;
|
|
}
|
|
|
|
describe('Security response headers', () => {
|
|
afterEach(() => {
|
|
delete process.env.ALLOWED_FRAME_ANCESTORS;
|
|
});
|
|
|
|
describe('default (no ALLOWED_FRAME_ANCESTORS)', () => {
|
|
it('nextConfig.headers() is defined', async () => {
|
|
const config = await loadConfig();
|
|
expect(config.headers).toBeDefined();
|
|
expect(typeof config.headers).toBe('function');
|
|
});
|
|
|
|
it('includes X-Frame-Options SAMEORIGIN on all routes', async () => {
|
|
const config = await loadConfig();
|
|
const headerGroups = await config.headers!();
|
|
const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;
|
|
|
|
expect(allRouteGroup).toBeDefined();
|
|
expect(allRouteGroup.headers).toContainEqual({
|
|
key: 'X-Frame-Options',
|
|
value: 'SAMEORIGIN',
|
|
});
|
|
});
|
|
|
|
it("includes Content-Security-Policy frame-ancestors 'self'", async () => {
|
|
const config = await loadConfig();
|
|
const headerGroups = await config.headers!();
|
|
const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;
|
|
|
|
expect(allRouteGroup).toBeDefined();
|
|
expect(allRouteGroup.headers).toContainEqual({
|
|
key: 'Content-Security-Policy',
|
|
value: "frame-ancestors 'self'",
|
|
});
|
|
});
|
|
});
|
|
|
|
describe('with ALLOWED_FRAME_ANCESTORS', () => {
|
|
it('appends allowed origins to frame-ancestors', async () => {
|
|
process.env.ALLOWED_FRAME_ANCESTORS = 'https://partner.example.com';
|
|
const config = await loadConfig();
|
|
const headerGroups = await config.headers!();
|
|
const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;
|
|
|
|
expect(allRouteGroup.headers).toContainEqual({
|
|
key: 'Content-Security-Policy',
|
|
value: "frame-ancestors 'self' https://partner.example.com",
|
|
});
|
|
});
|
|
|
|
it('omits X-Frame-Options when custom ancestors are set', async () => {
|
|
process.env.ALLOWED_FRAME_ANCESTORS = 'https://partner.example.com';
|
|
const config = await loadConfig();
|
|
const headerGroups = await config.headers!();
|
|
const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;
|
|
|
|
const xfo = allRouteGroup.headers.find((h) => h.key === 'X-Frame-Options');
|
|
expect(xfo).toBeUndefined();
|
|
});
|
|
|
|
it('supports multiple space-separated origins', async () => {
|
|
process.env.ALLOWED_FRAME_ANCESTORS = 'https://a.example.com https://b.example.com';
|
|
const config = await loadConfig();
|
|
const headerGroups = await config.headers!();
|
|
const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;
|
|
|
|
expect(allRouteGroup.headers).toContainEqual({
|
|
key: 'Content-Security-Policy',
|
|
value: "frame-ancestors 'self' https://a.example.com https://b.example.com",
|
|
});
|
|
});
|
|
});
|
|
});
|