Add E2E test for CSP violation

oroztocil · oroztocil · commit 8588c0d13dac · 2025-02-13T20:07:31.000+01:00
diff --git a/src/Components/test/E2ETest/ServerExecutionTests/ServerReconnectionCustomUITest.cs b/src/Components/test/E2ETest/ServerExecutionTests/ServerReconnectionCustomUITest.cs
@@ -2,21 +2,23 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using BasicTestApp.Reconnection;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Components.E2ETest.Infrastructure;
 using Microsoft.AspNetCore.Components.E2ETest.Infrastructure.ServerFixtures;
 using Microsoft.AspNetCore.Components.E2ETest.ServerExecutionTests;
 using Microsoft.AspNetCore.E2ETesting;
+using Microsoft.AspNetCore.Hosting;
 using OpenQA.Selenium;
 using TestServer;
 using Xunit.Abstractions;
 
 namespace Microsoft.AspNetCore.Components.E2ETest.ServerExecutionTests;
 
-public class ServerReconnectionCustomUITest : ServerReconnectionTest
+public class ServerReconnectionCustomUITest : ServerTestBase<BasicTestAppServerSiteFixture<ServerStartupWithCsp>>
 {
     public ServerReconnectionCustomUITest(
         BrowserFixture browserFixture,
-        BasicTestAppServerSiteFixture<ServerStartup> serverFixture,
+        BasicTestAppServerSiteFixture<ServerStartupWithCsp> serverFixture,
         ITestOutputHelper output)
         : base(browserFixture, serverFixture, output)
     {
@@ -30,24 +32,44 @@ protected override void InitializeAsyncCore()
     }
 
     [Fact]
-    public void CustomReconnectUI()
+    public void CustomReconnectUIIsDisplayed()
     {
         Browser.Exists(By.Id("increment")).Click();
 
-        Browser.Equal("dialog", () => Browser.Exists(By.Id("components-reconnect-modal")).TagName);
-
-        var javascript = (IJavaScriptExecutor)Browser;
-        javascript.ExecuteScript("Blazor._internal.forceCloseConnection()");
+        var js = (IJavaScriptExecutor)Browser;
+        js.ExecuteScript("Blazor._internal.forceCloseConnection()");
 
         // We should see the 'reconnecting' UI appear
+        Browser.Equal("block", () => Browser.Exists(By.Id("components-reconnect-modal")).GetCssValue("display"));
         Browser.NotEqual(null, () => Browser.Exists(By.Id("components-reconnect-modal")).GetAttribute("open"));
 
+        // The reconnect modal should not be a 'div' element created by the fallback JS code
+        Browser.Equal("dialog", () => Browser.Exists(By.Id("components-reconnect-modal")).TagName);
+
         // Then it should disappear
+        Browser.Equal("none", () => Browser.Exists(By.Id("components-reconnect-modal")).GetCssValue("display"));
         Browser.Equal(null, () => Browser.Exists(By.Id("components-reconnect-modal")).GetAttribute("open"));
 
         Browser.Exists(By.Id("increment")).Click();
 
         // Can dispatch events after reconnect
         Browser.Equal("2", () => Browser.Exists(By.Id("count")).Text);
     }
+
+    [Fact]
+    public void StyleSrcCSPIsNotViolated()
+    {
+        var js = (IJavaScriptExecutor)Browser;
+        js.ExecuteScript("Blazor._internal.forceCloseConnection()");
+
+        // We should see the 'reconnecting' UI appear
+        Browser.Equal("block", () => Browser.Exists(By.Id("components-reconnect-modal")).GetCssValue("display"));
+
+        // Check that there is no CSP-related error in the browser console
+        var logs = Browser.Manage().Logs.GetLog(LogType.Browser);
+        var styleErrors = logs.Where(
+            log => log.Message.Contains("Refused to apply inline style because it violates the following Content Security Policy directive"));
+
+        Assert.Empty(styleErrors);
+    }
 }
diff --git a/src/Components/test/testassets/Components.TestServer/ServerStartupWithCsp.cs b/src/Components/test/testassets/Components.TestServer/ServerStartupWithCsp.cs
@@ -0,0 +1,22 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace TestServer;
+
+public class ServerStartupWithCsp : ServerStartup
+{
+    public ServerStartupWithCsp(IConfiguration configuration) : base(configuration)
+    {
+    }
+
+    public override void Configure(IApplicationBuilder app, IWebHostEnvironment env, ResourceRequestLog resourceRequestLog)
+    {
+        app.Use(async (context, next) =>
+        {
+            context.Response.Headers.ContentSecurityPolicy = "style-src 'self';";
+            await next();
+        });
+
+        base.Configure(app, env, resourceRequestLog);
+    }
+}
