fix(security): add nonce-uniqueness test and fix caller indentation

This commit is contained in:
2026-07-08 13:57:28 +02:00
parent 284e685ed3
commit 1a807cfeb4
2 changed files with 14 additions and 1 deletions
+1 -1
View File
@@ -600,7 +600,7 @@
localStorage.setItem('secret_phrase', data.secret_phrase);
localStorage.setItem('secret_last_fetch', Date.now().toString());
utils.showAlert(elements.secretResult, { title: 'Secret Phrase:', body: data.secret_phrase }, 'success');
utils.showAlert(elements.secretResult, { title: 'Secret Phrase:', body: data.secret_phrase }, 'success');
} else {
// Clear cached secret if user is no longer authorized
localStorage.removeItem('secret_phrase');
+13
View File
@@ -51,6 +51,19 @@ def test_root_serves_csp_with_nonce():
nonce = match.group(1)
assert f'nonce="{nonce}"' in body
def test_root_csp_nonce_is_unique_per_request():
"""Test that each GET / response gets a fresh CSP nonce (not module-level/static)."""
import re
n1 = re.search(
r"nonce-([A-Za-z0-9_-]+)",
client.get("/").headers.get("content-security-policy", ""),
).group(1)
n2 = re.search(
r"nonce-([A-Za-z0-9_-]+)",
client.get("/").headers.get("content-security-policy", ""),
).group(1)
assert n1 != n2
@patch('main.verify_token')
def test_validate_token_success(mock_verify_token):
"""Test successful token validation."""