Hugging Face's logo

muthuk1
/
OpenMAIC-React

Model card Files
xet
 Community
OpenMAIC-React
File size: 3,030 Bytes
a0ebf39
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
import { afterEach, describe, expect, it, vi } from 'vitest';
import type { NextConfig } from 'next';

async function loadConfig(): Promise<NextConfig> {
  vi.resetModules();
  const mod = await import('@/next.config');
  return mod.default;
}

describe('Security response headers', () => {
  afterEach(() => {
    delete process.env.ALLOWED_FRAME_ANCESTORS;
  });

  describe('default (no ALLOWED_FRAME_ANCESTORS)', () => {
    it('nextConfig.headers() is defined', async () => {
      const config = await loadConfig();
      expect(config.headers).toBeDefined();
      expect(typeof config.headers).toBe('function');
    });

    it('includes X-Frame-Options SAMEORIGIN on all routes', async () => {
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      expect(allRouteGroup).toBeDefined();
      expect(allRouteGroup.headers).toContainEqual({
        key: 'X-Frame-Options',
        value: 'SAMEORIGIN',
      });
    });

    it("includes Content-Security-Policy frame-ancestors 'self'", async () => {
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      expect(allRouteGroup).toBeDefined();
      expect(allRouteGroup.headers).toContainEqual({
        key: 'Content-Security-Policy',
        value: "frame-ancestors 'self'",
      });
    });
  });

  describe('with ALLOWED_FRAME_ANCESTORS', () => {
    it('appends allowed origins to frame-ancestors', async () => {
      process.env.ALLOWED_FRAME_ANCESTORS = 'https://partner.example.com';
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      expect(allRouteGroup.headers).toContainEqual({
        key: 'Content-Security-Policy',
        value: "frame-ancestors 'self' https://partner.example.com",
      });
    });

    it('omits X-Frame-Options when custom ancestors are set', async () => {
      process.env.ALLOWED_FRAME_ANCESTORS = 'https://partner.example.com';
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      const xfo = allRouteGroup.headers.find((h) => h.key === 'X-Frame-Options');
      expect(xfo).toBeUndefined();
    });

    it('supports multiple space-separated origins', async () => {
      process.env.ALLOWED_FRAME_ANCESTORS = 'https://a.example.com https://b.example.com';
      const config = await loadConfig();
      const headerGroups = await config.headers!();
      const allRouteGroup = headerGroups.find((g) => g.source === '/(.*)')!;

      expect(allRouteGroup.headers).toContainEqual({
        key: 'Content-Security-Policy',
        value: "frame-ancestors 'self' https://a.example.com https://b.example.com",
      });
    });
  });
});