Spaces:
Running
Running
| import { describe, it, expect } from 'vitest'; | |
| import { Window } from 'happy-dom'; | |
| import fs from 'fs'; | |
| import path from 'path'; | |
| import { fileURLToPath } from 'url'; | |
| const __filename = fileURLToPath(import.meta.url); | |
| const __dirname = path.dirname(__filename); | |
| describe('Content Security Policy', () => { | |
| it('should be present in index.html', () => { | |
| const htmlPath = path.resolve(__dirname, '../index.html'); | |
| const html = fs.readFileSync(htmlPath, 'utf-8'); | |
| const window = new Window(); | |
| const document = window.document; | |
| document.write(html); | |
| const meta = document.querySelector('meta[http-equiv="Content-Security-Policy"]'); | |
| expect(meta).not.toBeNull(); | |
| const content = meta?.getAttribute('content') || ''; | |
| // Check for critical directives | |
| expect(content).toContain("default-src 'self'"); | |
| expect(content).toContain("script-src 'self'"); | |
| expect(content).toContain("object-src 'none'"); | |
| // Check specific allowances | |
| expect(content).toContain('https://huggingface.co'); | |
| expect(content).toContain('https://*.hf.co'); | |
| expect(content).toContain('blob:'); // For workers | |
| expect(content).toContain("worker-src 'self' blob:"); | |
| }); | |
| }); | |