github.com/google/go-safeweb@v0.0.0-20231219055052-64d8cfc90fbb/safehttp/plugins/framing/framing_test.go

github.com/google/go-safeweb@v0.0.0-20231219055052-64d8cfc90fbb/safehttp/plugins/framing/framing_test.go (about)

     1  // Copyright 2022 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //	https://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package framing
    16  
    17  import (
    18  	"testing"
    19  
    20  	"github.com/google/go-safeweb/safehttp/plugins/framing/internalunsafeframing"
    21  	"github.com/google/go-safeweb/safehttp/plugins/framing/internalunsafeframing/unsafeframing"
    22  	"github.com/google/go-safeweb/safehttp/plugins/framing/internalunsafeframing/unsafeframingfortests"
    23  
    24  	"github.com/google/go-safeweb/safehttp"
    25  	"github.com/google/go-safeweb/safehttp/safehttptest"
    26  )
    27  
    28  const headerKey = "X-Frame-Options"
    29  
    30  func TestFramingProtection(t *testing.T) {
    31  	req := safehttptest.NewRequest("GET", "https://go.dev/", nil)
    32  	fakeRW, rr := safehttptest.NewFakeResponseWriter()
    33  
    34  	xfoInterceptor{}.Before(fakeRW, req, nil)
    35  	if got, want := rr.Header().Get(headerKey), "SAMEORIGIN"; got != want {
    36  		t.Errorf(`response.Header().Get(%q): got %q want %q`, headerKey, got, want)
    37  	}
    38  }
    39  
    40  func TestDisableFramingProtection(t *testing.T) {
    41  	tests := []struct {
    42  		name   string
    43  		config safehttp.InterceptorConfig
    44  	}{
    45  		{
    46  			name:   "unsafeframing",
    47  			config: unsafeframing.Disable("testing", true),
    48  		},
    49  		{
    50  			name:   "allowlist",
    51  			config: unsafeframing.Allow("testing", false, "test.goog"),
    52  		},
    53  		{
    54  			name:   "internal",
    55  			config: internalunsafeframing.Disable{SkipReports: true},
    56  		},
    57  		{
    58  			name:   "testing",
    59  			config: unsafeframingfortests.Disable(),
    60  		},
    61  	}
    62  	for _, tt := range tests {
    63  		t.Run(tt.name, func(t *testing.T) {
    64  			req := safehttptest.NewRequest("GET", "https://go.dev/", nil)
    65  			fakeRW, rr := safehttptest.NewFakeResponseWriter()
    66  
    67  			if got, want := (xfoInterceptor{}).Match(tt.config), true; got != want {
    68  				t.Errorf(`xfoInterceptor{}.Match(%T): got %v, want %v`, tt.config, got, want)
    69  			}
    70  
    71  			xfoInterceptor{}.Before(fakeRW, req, tt.config)
    72  			if got, want := rr.Header().Get(headerKey), "ALLOWALL"; got != want {
    73  				t.Errorf(`response.Header().Get(%q): got %q want %q`, headerKey, got, want)
    74  			}
    75  		})
    76  	}
    77  
    78  }