| import { describe, expect, it } from "vitest"; | |
| import { buildControlUiCspHeader } from "./control-ui-csp.js"; | |
| describe("buildControlUiCspHeader", () => { | |
| it("blocks inline scripts while allowing inline styles", () => { | |
| const csp = buildControlUiCspHeader(); | |
| expect(csp).toContain("frame-ancestors 'none'"); | |
| expect(csp).toContain("script-src 'self'"); | |
| expect(csp).not.toContain("script-src 'self' 'unsafe-inline'"); | |
| expect(csp).toContain("style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"); | |
| }); | |
| it("allows Google Fonts for style and font loading", () => { | |
| const csp = buildControlUiCspHeader(); | |
| expect(csp).toContain("https://fonts.googleapis.com"); | |
| expect(csp).toContain("font-src 'self' https://fonts.gstatic.com"); | |
| }); | |
| }); | |