"""Security headers: COEP choice must allow typical catalog image embedding.""" from __future__ import annotations import importlib import sys from pathlib import Path import pytest from fastapi.testclient import TestClient from backend.core import Backend def test_cross_origin_embedder_policy_is_credentialless(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None: """Credentialless avoids blocking cross-origin from HTTPS CDNs under COEP (see api middleware).""" db = tmp_path / "coep_header.db" monkeypatch.setenv("KINK_STORE_PATH", str(db)) monkeypatch.setenv("KINK_SKIP_HEAVY_WARM", "1") monkeypatch.setenv("KINK_HF_REQUIRE_FULL_CATALOG", "0") Backend(db) sys.modules.pop("api", None) api_mod = importlib.import_module("api") api_mod._backend_impl = None client = TestClient(api_mod.app) r = client.get("/health") assert r.status_code == 200 assert r.headers.get("Cross-Origin-Embedder-Policy") == "credentialless"