Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: e2e tests for autoCsp #28701

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

test: e2e tests for autoCsp #28701

wants to merge 1 commit into from

Conversation

aaronshim
Copy link
Contributor

PR Checklist

Please check to confirm your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe: E2E tests

What is the current behavior?

No e2e tests for #28663

Issue Number: N/A

What is the new behavior?

e2e tests for #28663

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

dgp1130
dgp1130 approved these changes Oct 24, 2024
View reviewed changes
Copy link
Collaborator

@dgp1130 dgp1130 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor suggestions, hopefully @clydin can take a quick look once he's back just to make sure we're restricting the test to esbuild correctly.

tests/legacy-cli/e2e/tests/build/auto-csp.ts
</head>
<body>
<app-root></app-root>
<script>console.log("Inline Script Body");</script>
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we include an external script tag here too to make sure that works? You can probably put a JS file in the src/public/ directory which will be included in the output so the browser can load it successfully.

tests/legacy-cli/e2e/tests/build/auto-csp.ts
expect(
await element(by.css('style[ng-app-id="ng"]')).isPresent()
).toBeFalsy();
expect(await element(by.css('style')).getText()).toMatch('');
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can drop these CSS checks?

tests/legacy-cli/e2e/tests/build/auto-csp.ts
import { updateJsonFile, updateServerFileForWebpack, useSha } from '../../utils/project';

const MULTI_HASH_CSP =
/script-src 'strict-dynamic' (?:'sha256-[^']+' )+https: 'unsafe-inline';object-src 'none';base-uri 'self';/;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At this level of abstraction I wouldn't assert on the policy this precisely, that's more of a unit test level assertion. Instead I'd just check:

  1. That a CSP policy was added (regex match for <meta http-equiv="Content-Security-Policy"), don't care what the policy is.
  2. That the browser did not error from that policy.

Optionally it might also be good to verify that the scripts actually executed (maybe just check that they printed to the console?). That way we know we aren't asserting too soon before the scripts have been checked, I think there's a low risk of a false positive there though, so probably not too important.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think verifying that there are no errors should cover the script execution cases but to ensure i think it would be good to check the console output for the added script logging (Inline Script...) cases as well.

@dgp1130 dgp1130 requested a review from clydin October 24, 2024 00:35
@dgp1130 dgp1130 added action: review The PR is still awaiting reviews from at least one requested reviewer target: rc This PR is targeted for the next release-candidate labels Oct 24, 2024
clydin
clydin reviewed Oct 24, 2024
View reviewed changes
tests/legacy-cli/e2e/tests/build/auto-csp.ts
Comment on lines +22 to +23
await useSha();
await installWorkspacePackages();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can also be commented out for now since it is only need for the above @angular/ssr installation.

tests/legacy-cli/e2e/tests/build/auto-csp.ts
import { updateJsonFile, updateServerFileForWebpack, useSha } from '../../utils/project';

const MULTI_HASH_CSP =
/script-src 'strict-dynamic' (?:'sha256-[^']+' )+https: 'unsafe-inline';object-src 'none';base-uri 'self';/;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think verifying that there are no errors should cover the script execution cases but to ensure i think it would be good to check the console output for the added script logging (Inline Script...) cases as well.

@alan-agius4 alan-agius4 added this to the v19 Candidates milestone Oct 30, 2024
@alan-agius4 alan-agius4 added action: cleanup The PR is in need of cleanup, either due to needing a rebase or in response to comments from reviews and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clydin clydin clydin left review comments

@dgp1130 dgp1130 dgp1130 approved these changes

Assignees
No one assigned
Labels
action: cleanup The PR is in need of cleanup, either due to needing a rebase or in response to comments from reviews target: rc This PR is targeted for the next release-candidate
Projects
None yet
Milestone
v19 Candidates
Development

Successfully merging this pull request may close these issues.
4 participants
@aaronshim @dgp1130 @clydin @alan-agius4