summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/check_framework/test_security.py25
-rw-r--r--tests/middleware/test_security.py39
-rw-r--r--tests/project_template/test_settings.py1
3 files changed, 65 insertions, 0 deletions
diff --git a/tests/check_framework/test_security.py b/tests/check_framework/test_security.py
index 3a3b9cf774..774ba068f9 100644
--- a/tests/check_framework/test_security.py
+++ b/tests/check_framework/test_security.py
@@ -504,3 +504,28 @@ class CSRFFailureViewTest(SimpleTestCase):
csrf.check_csrf_failure_view(None),
[Error(msg, id='security.E101')],
)
+
+
+class CheckCrossOriginOpenerPolicyTest(SimpleTestCase):
+ @override_settings(
+ MIDDLEWARE=['django.middleware.security.SecurityMiddleware'],
+ SECURE_CROSS_ORIGIN_OPENER_POLICY=None,
+ )
+ def test_no_coop(self):
+ self.assertEqual(base.check_cross_origin_opener_policy(None), [])
+
+ @override_settings(MIDDLEWARE=['django.middleware.security.SecurityMiddleware'])
+ def test_with_coop(self):
+ tests = ['same-origin', 'same-origin-allow-popups', 'unsafe-none']
+ for value in tests:
+ with self.subTest(value=value), override_settings(
+ SECURE_CROSS_ORIGIN_OPENER_POLICY=value,
+ ):
+ self.assertEqual(base.check_cross_origin_opener_policy(None), [])
+
+ @override_settings(
+ MIDDLEWARE=['django.middleware.security.SecurityMiddleware'],
+ SECURE_CROSS_ORIGIN_OPENER_POLICY='invalid-value',
+ )
+ def test_with_invalid_coop(self):
+ self.assertEqual(base.check_cross_origin_opener_policy(None), [base.E024])
diff --git a/tests/middleware/test_security.py b/tests/middleware/test_security.py
index d766643b9b..1b7434c9a8 100644
--- a/tests/middleware/test_security.py
+++ b/tests/middleware/test_security.py
@@ -282,3 +282,42 @@ class SecurityMiddlewareTest(SimpleTestCase):
"""
response = self.process_response(headers={'Referrer-Policy': 'unsafe-url'})
self.assertEqual(response.headers['Referrer-Policy'], 'unsafe-url')
+
+ @override_settings(SECURE_CROSS_ORIGIN_OPENER_POLICY=None)
+ def test_coop_off(self):
+ """
+ With SECURE_CROSS_ORIGIN_OPENER_POLICY set to None, the middleware does
+ not add a "Cross-Origin-Opener-Policy" header to the response.
+ """
+ self.assertNotIn('Cross-Origin-Opener-Policy', self.process_response())
+
+ def test_coop_default(self):
+ """SECURE_CROSS_ORIGIN_OPENER_POLICY defaults to same-origin."""
+ self.assertEqual(
+ self.process_response().headers['Cross-Origin-Opener-Policy'],
+ 'same-origin',
+ )
+
+ def test_coop_on(self):
+ """
+ With SECURE_CROSS_ORIGIN_OPENER_POLICY set to a valid value, the
+ middleware adds a "Cross-Origin_Opener-Policy" header to the response.
+ """
+ tests = ['same-origin', 'same-origin-allow-popups', 'unsafe-none']
+ for value in tests:
+ with self.subTest(value=value), override_settings(
+ SECURE_CROSS_ORIGIN_OPENER_POLICY=value,
+ ):
+ self.assertEqual(
+ self.process_response().headers['Cross-Origin-Opener-Policy'],
+ value,
+ )
+
+ @override_settings(SECURE_CROSS_ORIGIN_OPENER_POLICY='unsafe-none')
+ def test_coop_already_present(self):
+ """
+ The middleware doesn't override a "Cross-Origin-Opener-Policy" header
+ already present in the response.
+ """
+ response = self.process_response(headers={'Cross-Origin-Opener-Policy': 'same-origin'})
+ self.assertEqual(response.headers['Cross-Origin-Opener-Policy'], 'same-origin')
diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py
index e8d466938d..e526e10331 100644
--- a/tests/project_template/test_settings.py
+++ b/tests/project_template/test_settings.py
@@ -38,6 +38,7 @@ class TestStartProjectSettings(SimpleTestCase):
self.assertEqual(headers, [
b'Content-Length: 0',
b'Content-Type: text/html; charset=utf-8',
+ b'Cross-Origin-Opener-Policy: same-origin',
b'Referrer-Policy: same-origin',
b'X-Content-Type-Options: nosniff',
b'X-Frame-Options: DENY',