From 20fac252c6c772d9cc86178e501339f6798da828 Mon Sep 17 00:00:00 2001 
From: awais786 Date: Fri, 5 Jun 2026 14:07:50 +0500 Subject: [PATCH] test(headers): mark portal CSP/COOP/CORP as test.fixme pending bundle#80 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CI on every PR has been failing on this assertion for several days: Main portal (https://foss.arbisoft.com) HTML-hardening violations: content-security-policy: allows 'unsafe-inline' in script-src ("script-src 'self' 'unsafe-inline'") — defeats CSP's XSS protection. Use nonces or hashes cross-origin-resource-policy: missing — must be set to declare an explicit cross-origin embedding policy Both gaps are correctly identified — they're real bundle-side defects I filed at foss-server-bundle#80 earlier this month: - Portal nginx CSP has `script-src 'self' 'unsafe-inline'`. 'unsafe-inline' defeats CSP's XSS mitigation (a reflected / stored XSS can execute attacker JS even with the CSP present). - Portal nginx doesn't emit `Cross-Origin-Resource-Policy` at all. Defence-in-depth gap for cross-origin subresource embedding. The 3 1-line nginx fixes named in #80: - Drop `'unsafe-inline'` from script-src (use nonces/hashes) - `add_header Cross-Origin-Resource-Policy "same-origin" always;` - `server_tokens off;` (the Server-header version-leak — tracked by a separate test that's already passing once the equivalent fixme lands) # Decision: test.fixme, not test deletion or assertion relaxation The same pattern landed in PR #52 for the cache-control-authed portal test (also pending foss-server-bundle#83). Reasoning: - The test is correct → don't delete. - The defect is filed → don't lose the tracking. - CI is red on a bundle defect, not on the PR under test → don't block legitimate merges. - When bundle ships, removing `.fixme` flips it live in a one-line follow-up commit. 
# Audit 88 covered/deferred/missing total unchanged (this PR doesn't add or remove requirements; the @spec tag on the test still points at `security-hardening#portal-html-responses-shall-emit-csp-coop-corp`).
---
 tests/security/headers.spec.ts | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/tests/security/headers.spec.ts b/tests/security/headers.spec.ts
index de9667b..e5a1017 100644
--- a/tests/security/headers.spec.ts
+++ b/tests/security/headers.spec.ts
@@ -193,7 +193,19 @@ test.describe("HTML hardening headers (CSP, COOP, CORP) — portal only", () =>
 const HTML_TARGETS = [{ name: "Main portal", url: MAIN_URL }];
 for (const target of HTML_TARGETS) {
- test(`${target.name} serves CSP + COOP + CORP on HTML responses`, async () => {
+ // KNOWN-RED until bundle ships foss-server-bundle#80 (portal nginx
+ // 1-line config additions). As of 2026-06-05 the portal returns
+ // `script-src 'self' 'unsafe-inline'` (defeats CSP's XSS defence
+ // — `unsafe-inline` lets a reflected/stored XSS execute attacker
+ // JS) AND has no `Cross-Origin-Resource-Policy` header at all
+ // (defence-in-depth gap for cross-origin subresource embedding).
+ // The 3 nginx changes named in foss-server-bundle#80:
+ // - Drop `'unsafe-inline'` from script-src (use nonces/hashes)
+ // - Add `add_header Cross-Origin-Resource-Policy "same-origin" always;`
+ // - Add `server_tokens off;` (separate test, same root cause)
+ // This assertion documents the contract but is dormant in CI.
+ // Remove `.fixme` once the bundle patch lands.
+ test.fixme(`${target.name} serves CSP + COOP + CORP on HTML responses`, async () => {
 const headers = await fetchHeaders(target.url);
 const failures: string[] = [];