Files
tolaria/src/utils/tauriCsp.test.ts
2026-05-11 18:21:12 +02:00

50 lines
2.3 KiB
TypeScript

import { readFileSync } from 'node:fs'
import { RUNTIME_STYLE_NONCE_SOURCE } from '../lib/runtimeStyleNonce'
describe('Tauri Content Security Policy', () => {
it('allows nonce-tagged runtime style elements and React style attributes', () => {
const config = JSON.parse(readFileSync(`${process.cwd()}/src-tauri/tauri.conf.json`, 'utf8'))
const csp = config.app.security.csp as Record<string, string>
expect(csp['style-src']).toContain("'unsafe-inline'")
expect(csp['style-src-elem']).toContain(RUNTIME_STYLE_NONCE_SOURCE)
expect(csp['style-src-elem']).toContain('https://fonts.googleapis.com')
expect(csp['style-src-attr']).toBe("'unsafe-inline'")
})
it('allows PDF object previews from scoped Tauri asset URLs', () => {
const config = JSON.parse(readFileSync(`${process.cwd()}/src-tauri/tauri.conf.json`, 'utf8'))
const csp = config.app.security.csp as Record<string, string>
expect(csp['object-src']).toContain('asset:')
expect(csp['object-src']).toContain('http://asset.localhost')
})
it('allows audio and video media previews from scoped Tauri asset URLs', () => {
const config = JSON.parse(readFileSync(`${process.cwd()}/src-tauri/tauri.conf.json`, 'utf8'))
const csp = config.app.security.csp as Record<string, string>
expect(csp['media-src']).toContain('asset:')
expect(csp['media-src']).toContain('http://asset.localhost')
})
it('allows bundled tldraw translation JSON fetched from inlined data URLs', () => {
const config = JSON.parse(readFileSync(`${process.cwd()}/src-tauri/tauri.conf.json`, 'utf8'))
const csp = config.app.security.csp as Record<string, string>
expect(csp['connect-src']).toContain('data:')
})
it('uses a dev-only CSP that permits Vite React Refresh without weakening production script policy', () => {
const config = JSON.parse(readFileSync(`${process.cwd()}/src-tauri/tauri.conf.json`, 'utf8'))
const productionCsp = config.app.security.csp as Record<string, string>
const devCsp = config.app.security.devCsp as string
expect(productionCsp['script-src']).not.toContain("'unsafe-inline'")
expect(productionCsp['script-src']).not.toContain("'unsafe-eval'")
expect(devCsp).toContain("'unsafe-inline'")
expect(devCsp).toContain("'unsafe-eval'")
expect(devCsp).toContain('ws://localhost:5202')
})
})