diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/check_framework/test_security.py | 25 | ||||
| -rw-r--r-- | tests/middleware/test_security.py | 39 | ||||
| -rw-r--r-- | tests/project_template/test_settings.py | 1 |
3 files changed, 65 insertions, 0 deletions
diff --git a/tests/check_framework/test_security.py b/tests/check_framework/test_security.py index 3a3b9cf774..774ba068f9 100644 --- a/tests/check_framework/test_security.py +++ b/tests/check_framework/test_security.py @@ -504,3 +504,28 @@ class CSRFFailureViewTest(SimpleTestCase): csrf.check_csrf_failure_view(None), [Error(msg, id='security.E101')], ) + + +class CheckCrossOriginOpenerPolicyTest(SimpleTestCase): + @override_settings( + MIDDLEWARE=['django.middleware.security.SecurityMiddleware'], + SECURE_CROSS_ORIGIN_OPENER_POLICY=None, + ) + def test_no_coop(self): + self.assertEqual(base.check_cross_origin_opener_policy(None), []) + + @override_settings(MIDDLEWARE=['django.middleware.security.SecurityMiddleware']) + def test_with_coop(self): + tests = ['same-origin', 'same-origin-allow-popups', 'unsafe-none'] + for value in tests: + with self.subTest(value=value), override_settings( + SECURE_CROSS_ORIGIN_OPENER_POLICY=value, + ): + self.assertEqual(base.check_cross_origin_opener_policy(None), []) + + @override_settings( + MIDDLEWARE=['django.middleware.security.SecurityMiddleware'], + SECURE_CROSS_ORIGIN_OPENER_POLICY='invalid-value', + ) + def test_with_invalid_coop(self): + self.assertEqual(base.check_cross_origin_opener_policy(None), [base.E024]) diff --git a/tests/middleware/test_security.py b/tests/middleware/test_security.py index d766643b9b..1b7434c9a8 100644 --- a/tests/middleware/test_security.py +++ b/tests/middleware/test_security.py @@ -282,3 +282,42 @@ class SecurityMiddlewareTest(SimpleTestCase): """ response = self.process_response(headers={'Referrer-Policy': 'unsafe-url'}) self.assertEqual(response.headers['Referrer-Policy'], 'unsafe-url') + + @override_settings(SECURE_CROSS_ORIGIN_OPENER_POLICY=None) + def test_coop_off(self): + """ + With SECURE_CROSS_ORIGIN_OPENER_POLICY set to None, the middleware does + not add a "Cross-Origin-Opener-Policy" header to the response. + """ + self.assertNotIn('Cross-Origin-Opener-Policy', self.process_response()) + + def test_coop_default(self): + """SECURE_CROSS_ORIGIN_OPENER_POLICY defaults to same-origin.""" + self.assertEqual( + self.process_response().headers['Cross-Origin-Opener-Policy'], + 'same-origin', + ) + + def test_coop_on(self): + """ + With SECURE_CROSS_ORIGIN_OPENER_POLICY set to a valid value, the + middleware adds a "Cross-Origin_Opener-Policy" header to the response. + """ + tests = ['same-origin', 'same-origin-allow-popups', 'unsafe-none'] + for value in tests: + with self.subTest(value=value), override_settings( + SECURE_CROSS_ORIGIN_OPENER_POLICY=value, + ): + self.assertEqual( + self.process_response().headers['Cross-Origin-Opener-Policy'], + value, + ) + + @override_settings(SECURE_CROSS_ORIGIN_OPENER_POLICY='unsafe-none') + def test_coop_already_present(self): + """ + The middleware doesn't override a "Cross-Origin-Opener-Policy" header + already present in the response. + """ + response = self.process_response(headers={'Cross-Origin-Opener-Policy': 'same-origin'}) + self.assertEqual(response.headers['Cross-Origin-Opener-Policy'], 'same-origin') diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py index e8d466938d..e526e10331 100644 --- a/tests/project_template/test_settings.py +++ b/tests/project_template/test_settings.py @@ -38,6 +38,7 @@ class TestStartProjectSettings(SimpleTestCase): self.assertEqual(headers, [ b'Content-Length: 0', b'Content-Type: text/html; charset=utf-8', + b'Cross-Origin-Opener-Policy: same-origin', b'Referrer-Policy: same-origin', b'X-Content-Type-Options: nosniff', b'X-Frame-Options: DENY', |
