Introduce CSP headers to Kalamar (start of #72)
Change-Id: I84b7ff0accab3d783ad653fae123c25fee1d92b9
diff --git a/t/page.t b/t/page.t
index e04c5a7..029cb33 100644
--- a/t/page.t
+++ b/t/page.t
@@ -22,6 +22,12 @@
->attr_is('meta[property="og:url"]', 'content', '//korap2.ids-mannheim.de/')
;
+$t->get_ok('/')
+ ->header_like('Content-Security-Policy', qr!default-src 'self';!)
+ ->header_like('Content-Security-Policy', qr!media-src 'none';!)
+ ->header_like('Content-Security-Policy', qr!object-src 'self';!)
+ ;
+
done_testing;
1;
diff --git a/t/plugin/auth-oauth.t b/t/plugin/auth-oauth.t
index 117b690..22054d2 100644
--- a/t/plugin/auth-oauth.t
+++ b/t/plugin/auth-oauth.t
@@ -97,6 +97,7 @@
}
);
+my $q = qr!(?:\"|")!;
$t->get_ok('/realapi/v1.0')
->status_is(200)
@@ -106,7 +107,7 @@
->status_is(200)
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
- ->content_like(qr/\"authorized\"\:null/)
+ ->content_like(qr/${q}authorized${q}:null/)
->element_exists_not('div.button.top a')
->element_exists_not('aside.active')
->element_exists_not('aside.off')
@@ -216,7 +217,7 @@
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
->element_exists_not('div.notify-error')
- ->content_like(qr/\"authorized\"\:\"yes\"/)
+ ->content_like(qr/${q}authorized${q}:${q}yes${q}/)
->element_exists('div.button.top a')
->element_exists('div.button.top a.logout[title~="test"]')
;
@@ -225,7 +226,7 @@
->status_is(200)
->text_like('h1 span', qr/KorAP: Find .Paum./i)
->text_is('#total-results', '')
- ->content_like(qr/\"authorized\"\:\"yes\"/)
+ ->content_like(qr/${q}authorized${q}:${q}yes${q}/)
->element_exists_not('p.hint')
;
@@ -251,14 +252,14 @@
->status_is(200)
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
- ->content_like(qr/\"authorized\"\:null/)
+ ->content_like(qr/${q}authorized${q}:null/)
;
$t->get_ok('/?q=Paum')
->status_is(200)
->text_like('h1 span', qr/KorAP: Find .Paum./i)
->text_is('#total-results', '')
- ->content_like(qr/\"authorized\"\:null/)
+ ->content_like(qr/${q}authorized${q}:null/)
->text_is('p.hint', 'Maybe you need to log in first?')
;
@@ -320,7 +321,7 @@
->status_is(200)
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
- ->content_like(qr/\"authorized\"\:\"yes\"/)
+ ->content_like(qr/${q}authorized${q}:${q}yes${q}/)
->header_is('X-Kalamar-Cache', 'true')
;
@@ -333,9 +334,9 @@
->text_is('title', 'KorAP: Find »baum« with Poliqarp')
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
- ->content_like(qr/\"authorized\"\:\"yes\"/)
+ ->content_like(qr/${q}authorized${q}:${q}yes${q}/)
->header_isnt('X-Kalamar-Cache', 'true')
- ->content_like(qr!\"cutOff":true!)
+ ->content_like(qr!${q}cutOff${q}:true!)
->element_exists_not('#total-results')
;
@@ -364,7 +365,7 @@
->text_is('title', 'KorAP: Find »baum« with Poliqarp')
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
- ->content_unlike(qr/\"authorized\"\:\"yes\"/)
+ ->content_unlike(qr/${q}authorized${q}:${q}yes${q}/)
->header_isnt('X-Kalamar-Cache', 'true')
->element_exists('p.no-results')
;
@@ -385,7 +386,7 @@
->text_is('title', 'KorAP: Find »baum« with Poliqarp')
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
- ->content_like(qr/\"authorized\"\:\"yes\"/)
+ ->content_like(qr/${q}authorized${q}:${q}yes${q}/)
->header_isnt('X-Kalamar-Cache', 'true')
->element_exists_not('p.no-results')
;
@@ -405,7 +406,7 @@
->text_is('#error','')
->text_is('div.notify-error','Refresh token is expired')
->text_is('title', 'KorAP: Find »baum« with Poliqarp')
- ->content_unlike(qr/\"authorized\"\:\"yes\"/)
+ ->content_unlike(qr/${q}authorized${q}:${q}yes${q}/)
->element_exists('p.no-results')
->tx->res->dom->at('input[name="csrf_token"]')
->attr('value')
diff --git a/t/plugin/auth.t b/t/plugin/auth.t
index 63433b2..f5351de 100644
--- a/t/plugin/auth.t
+++ b/t/plugin/auth.t
@@ -29,6 +29,8 @@
# Configure fake backend
$fake_backend->pattern->defaults->{app}->log($t->app->log);
+my $q = qr!(?:\"|")!;
+
$t->get_ok('/realapi/v1.0')
->status_is(200)
->content_is('Fake server available');
@@ -37,7 +39,7 @@
->status_is(200)
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
- ->content_like(qr/\"authorized\"\:null/)
+ ->content_like(qr/${q}authorized${q}:null/)
->element_exists_not('div.button.top a')
->element_exists_not('aside.active')
->element_exists_not('aside.off')
@@ -135,7 +137,7 @@
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
->element_exists_not('div.notify-error')
- ->content_like(qr/\"authorized\"\:\"test\"/)
+ ->content_like(qr/${q}authorized${q}:${q}test${q}/)
->element_exists('div.button.top a')
->element_exists('div.button.top a.logout[title~="test"]')
;
@@ -156,7 +158,7 @@
->status_is(200)
->text_like('h1 span', qr/KorAP: Find .Baum./i)
->text_like('#total-results', qr/\d+$/)
- ->content_like(qr/\"authorized\"\:null/)
+ ->content_like(qr/${q}authorized${q}:null/)
;
# Get redirect
diff --git a/t/query.t b/t/query.t
index 37bcdcb..73e488c 100644
--- a/t/query.t
+++ b/t/query.t
@@ -25,6 +25,8 @@
# Configure fake backend
$fake_backend->pattern->defaults->{app}->log($t->app->log);
+my $q = qr!(?:\"|")!;
+
# Query passed
$t->get_ok('/?q=baum')
->status_is(200)
@@ -41,11 +43,11 @@
->element_count_is('#pagination > a', 5)
# api_response
- ->content_like(qr/\"authorized\":null/)
- ->content_like(qr/\"pubDate\",\"subTitle\",\"author\"/)
+ ->content_like(qr/${q}authorized${q}:null/)
+ ->content_like(qr/${q}pubDate${q},${q}subTitle${q},${q}author${q}/)
# No cutOff
- ->content_unlike(qr!\"cutOff":true!)
+ ->content_unlike(qr!${q}cutOff${q}:true!)
->element_exists('li[data-text-sigle=GOE/AGI/00000]')
->element_exists('li:nth-of-type(1) div.flop')
@@ -84,7 +86,7 @@
$t->get_ok('/?q=[orth=das&ql=poliqarp')
->element_exists('.notify-error')
->text_is('.notify-error', '302: Parantheses/brackets unbalanced.')
- ->content_like(qr!KorAP\.koralQuery =!)
+ ->content_like(qr!data-koralquery=!)
->text_is('.no-results:nth-of-type(1)', 'Unable to perform the action.')
;
@@ -97,7 +99,7 @@
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
->header_isnt('X-Kalamar-Cache', 'true')
- ->content_like(qr!\"cutOff":true!)
+ ->content_like(qr!${q}cutOff${q}:true!)
->text_is('#total-results', 51)
;
@@ -109,7 +111,7 @@
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
->header_isnt('X-Kalamar-Cache', 'true')
- ->content_like(qr!\"cutOff":true!)
+ ->content_like(qr!${q}cutOff${q}:true!)
->element_exists_not('#total-results')
;
@@ -121,7 +123,7 @@
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
->header_is('X-Kalamar-Cache', 'true')
- ->content_like(qr!\"cutOff":true!)
+ ->content_like(qr!${q}cutOff${q}:true!)
->element_exists_not('#total-results')
;
@@ -133,7 +135,7 @@
->element_exists('meta[name="DC.title"][content="KorAP: Find »baum« with Poliqarp"]')
->element_exists('body[itemscope][itemtype="http://schema.org/SearchResultsPage"]')
->header_is('X-Kalamar-Cache', 'true')
- ->content_like(qr!\"cutOff":true!)
+ ->content_like(qr!${q}cutOff${q}:true!)
->text_is('#total-results', 51)
;
@@ -150,15 +152,15 @@
# Total pages
->element_count_is('#pagination > a', 7)
->text_is('#pagination a:nth-of-type(6) span', 7291)
- ->content_like(qr!\"count":2!)
- ->content_like(qr!\"startIndex":0!)
- ->content_like(qr!\"itemsPerPage":2!)
+ ->content_like(qr!${q}count${q}:2!)
+ ->content_like(qr!${q}startIndex${q}:0!)
+ ->content_like(qr!${q}itemsPerPage${q}:2!)
# No caching
->header_isnt('X-Kalamar-Cache', 'true')
# Not searched for "der" before
- ->content_unlike(qr!\"cutOff":true!)
+ ->content_unlike(qr!${q}cutOff${q}:true!)
;
# Check pagination repetion of page
@@ -180,13 +182,13 @@
# Total pages
->element_count_is('#pagination > a', 7)
->text_is('#pagination a:nth-of-type(6) span', 7291)
- ->content_like(qr!\"count":2!)
- ->content_like(qr!\"itemsPerPage":2!)
- ->content_like(qr!\"startIndex":2!)
+ ->content_like(qr!${q}count${q}:2!)
+ ->content_like(qr!${q}itemsPerPage${q}:2!)
+ ->content_like(qr!${q}startIndex${q}:2!)
# No caching
->header_isnt('X-Kalamar-Cache', 'true')
- ->content_like(qr!\"cutOff":true!)
+ ->content_like(qr!${q}cutOff${q}:true!)
;
# Query with failing parameters
@@ -237,7 +239,7 @@
$t->get_ok('/?q=baum&collection=availability+%3D+%2FCC-BY.*%2F')
->status_is(200)
->element_exists("input#cq[value='availability = /CC-BY.*/']")
- ->content_like(qr!\"availability\"!)
+ ->content_like(qr!${q}availability${q}!)
->text_is('#error','')
;
@@ -252,7 +254,7 @@
$t->get_ok('/?q=baum&cq=availability+%3D+%2FCC-BY.*%2F')
->status_is(200)
->element_exists("input#cq[value='availability = /CC-BY.*/']")
- ->content_like(qr!\"availability\"!)
+ ->content_like(qr!${q}availability${q}!)
->text_is('#error','')
->text_is('#special', 'Funny')
;
@@ -270,7 +272,7 @@
$t->get_ok('/?q=baum&pipe=glemm')
->status_is(200)
->text_is('#error','')
- ->content_like(qr/\"pipes\":"glemm"/)
+ ->content_like(qr/${q}pipes${q}:${q}glemm${q}/)
;
diff --git a/t/subfolder.t b/t/subfolder.t
index e4aa9a4..5731e13 100644
--- a/t/subfolder.t
+++ b/t/subfolder.t
@@ -12,6 +12,8 @@
$t->app->mode('production');
+my $q = qr!(?:\"|")!;
+
$t->post_ok('/user/login' => form => { handle => 'test', pwd => 'fail' })
->status_is(302)
->header_is('Location' => '/');
@@ -24,7 +26,7 @@
->text_is('div.notify-error', 'Bad CSRF token')
->element_exists('input[name=handle][value=test]')
->element_exists_not('div.button.top a')
- ->content_like(qr!KorAP\.URL = ''!)
+ ->attr_is('body','data-korap-url','')
;
is('kalamar',$t->app->sessions->cookie_name);
@@ -76,7 +78,7 @@
$t->get_ok('/')
->status_is(200)
->element_exists_not('div.notify-error')
- ->content_like(qr!KorAP\.URL = '/korap/test'!)
+ ->attr_is('body','data-korap-url','/korap/test')
;