import { check } from "./helpers";
import xFrameOptions from "../middlewares/x-frame-options";
/**
 * Behavioural tests for the X-Frame-Options middleware factory.
 *
 * X-Frame-Options tells the browser whether the response may be rendered
 * inside a frame, which is a clickjacking mitigation. These tests pin three
 * properties:
 *   - the default (no action given) is SAMEORIGIN;
 *   - accepted actions are normalised to the canonical upper-case header value;
 *   - anything else throws when the middleware is created, so a typo or an
 *     unsupported directive cannot silently produce a wrong header.
 */
describe("X-Frame-Options middleware", () => {
  // Expected response headers, shared by the cases below.
  const sameOriginHeader = { "x-frame-options": "SAMEORIGIN" };
  const denyHeader = { "x-frame-options": "DENY" };

  it('sets "X-Frame-Options: SAMEORIGIN" when passed no action', async () => {
    // No argument at all.
    await check(xFrameOptions(), sameOriginHeader);

    // Option objects that carry no usable `action`, including a
    // prototype-less object and an explicit `undefined`.
    for (const options of [{}, Object.create(null), { action: undefined }]) {
      await check(xFrameOptions(options), sameOriginHeader);
    }
  });

  it('can set "X-Frame-Options: DENY"', async () => {
    // The spelling the type definitions allow.
    await check(xFrameOptions({ action: "deny" }), denyHeader);

    // These are not allowed by the types, but are supported: matching is
    // case-insensitive and the emitted value is always upper-case.
    for (const action of ["DENY", "deNY"]) {
      await check(xFrameOptions({ action: action as any }), denyHeader);
    }
  });

  it('can set "X-Frame-Options: SAMEORIGIN" when specified', async () => {
    // The spelling the type definitions allow.
    await check(xFrameOptions({ action: "sameorigin" }), sameOriginHeader);

    // These are not allowed by the types, but are supported: other casings
    // and the hyphenated "same-origin" form map to the same header value.
    for (const action of [
      "SAMEORIGIN",
      "sameORIGIN",
      "SAME-ORIGIN",
      "same-origin",
    ]) {
      await check(xFrameOptions({ action: action as any }), sameOriginHeader);
    }
  });

  it("throws when passed invalid actions", () => {
    // ALLOW-FROM is rejected with a dedicated message pointing at the wiki.
    // Where specific framing origins must be allow-listed, the standard
    // replacement is the CSP `frame-ancestors` directive.
    // NOTE(review): the `.` characters in this pattern are unescaped, so they
    // match any character rather than only a literal full stop.
    const allowFromError =
      /^X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See <https:\/\/github.com\/helmetjs\/helmet\/wiki\/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive> for more info.$/;
    const invalidActionError = /^X-Frame-Options received an invalid action /;

    ["allow-from", "ALLOW-FROM"].forEach((action) => {
      expect(() => xFrameOptions({ action: action as any })).toThrow(
        allowFromError
      );
    });

    // Everything else that is not a recognised action must be refused rather
    // than coerced: empty and unknown strings, a value with leading
    // whitespace, non-string values, and a boxed String object.
    const rejected = ["", "foo", " deny", 123, null, new String("SAMEORIGIN")];
    rejected.forEach((action) => {
      expect(() => xFrameOptions({ action: action as any })).toThrow(
        invalidActionError
      );
    });
  });
});