Diffstat (limited to 'src/chttpd/test/eunit/chttpd_db_test.erl')
-rw-r--r--src/chttpd/test/eunit/chttpd_db_test.erl70
1 files changed, 70 insertions, 0 deletions
diff --git a/src/chttpd/test/eunit/chttpd_db_test.erl b/src/chttpd/test/eunit/chttpd_db_test.erl
index d844aa5b6..1674341fc 100644
--- a/src/chttpd/test/eunit/chttpd_db_test.erl
+++ b/src/chttpd/test/eunit/chttpd_db_test.erl
@@ -69,6 +69,9 @@ all_test_() ->
fun should_return_404_for_delete_att_on_notadoc/1,
fun should_return_409_for_del_att_without_rev/1,
fun should_return_200_for_del_att_with_rev/1,
+ fun should_not_send_csp_header_with_att_by_default/1,
+ fun should_send_csp_header_with_att_when_configured/1,
+ fun should_send_not_csp_header_with_att_when_no_config/1,
fun should_return_409_for_put_att_nonexistent_rev/1,
fun should_return_update_seq_when_set_on_all_docs/1,
fun should_not_return_update_seq_when_unset_on_all_docs/1,
@@ -209,6 +212,73 @@ should_return_200_for_del_att_with_rev(Url) ->
end)}.
+should_not_send_csp_header_with_att_by_default(Url) ->
+ {timeout, ?TIMEOUT, ?_test(begin
+ {ok, RC, _, _} = test_request:put(
+ Url ++ "/testdoc5",
+ [?CONTENT_JSON, ?AUTH],
+ jiffy:encode(attachment_doc())
+ ),
+ ?assertEqual(201, RC),
+
+ {ok, _, Headers, _} = test_request:get(
+ Url ++ "/testdoc5/file.erl",
+ [?AUTH],
+ []
+ ),
+ CSPHeader = couch_util:get_value("Content-Security-Policy", Headers),
+ ?assertEqual(undefined, CSPHeader)
+ end)}.
+
+
+should_send_csp_header_with_att_when_configured(Url) ->
+ {timeout, ?TIMEOUT, ?_test(begin
+ {ok, RC, _, _} = test_request:put(
+ Url ++ "/testdoc51",
+ [?CONTENT_JSON, ?AUTH],
+ jiffy:encode(attachment_doc())
+ ),
+ ?assertEqual(201, RC),
+
+ config:set_boolean("csp", "attachments_enable", true, _Persist=false),
+
+ {ok, _, Headers, _} = test_request:get(
+ Url ++ "/testdoc51/file.erl",
+ [?AUTH],
+ []
+ ),
+ CSPHeader = couch_util:get_value("Content-Security-Policy", Headers),
+ ?assertEqual("sandbox", CSPHeader),
+
+ config:delete("csp", "attachments_enable", _Persist=false)
+
+ end)}.
+
+
+should_send_not_csp_header_with_att_when_no_config(Url) ->
+ {timeout, ?TIMEOUT, ?_test(begin
+ {ok, RC, _, _} = test_request:put(
+ Url ++ "/testdoc6",
+ [?CONTENT_JSON, ?AUTH],
+ jiffy:encode(attachment_doc())
+ ),
+ ?assertEqual(201, RC),
+
+ config:set_boolean("csp", "attachments_enable", false, _Persist=false),
+
+ {ok, _, Headers, _} = test_request:get(
+ Url ++ "/testdoc6/file.erl",
+ [?AUTH],
+ []
+ ),
+ CSPHeader = couch_util:get_value("Content-Security-Policy", Headers),
+ ?assertEqual(undefined, CSPHeader),
+
+ config:delete("csp", "attachments_enable", _Persist=false)
+
+ end)}.
+
+
should_return_409_for_put_att_nonexistent_rev(Url) ->
{timeout, ?TIMEOUT, ?_test(begin
{ok, RC, _Headers, RespBody} = test_request:put(
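Review bot: In should_send_csp_header_with_att_when_configured and should_send_not_csp_header_with_att_when_no_config the `config:delete("csp", "attachments_enable", _Persist=false)` cleanup runs only if the preceding `?assertEqual` passes, so a failing assertion leaves the setting in place for whatever runs next in the suite. Wrapping the request and assertion in `try ... after config:delete("csp", "attachments_enable", false) end`, or resetting the option in the fixture teardown (not visible in this hunk), keeps the by-default case independent of test order. The two `undefined` assertions rely on an exact-key lookup of "Content-Security-Policy" through `couch_util:get_value`; if that lookup is case-sensitive, as it appears to be, they would pass vacuously should the header ever be emitted with different casing, so comparing lower-cased header names would make the negative checks stronger. The third test is named `when_no_config` but sets the option to `false` explicitly; a name such as `should_not_send_csp_header_with_att_when_disabled` would describe it, and the matching entry in all_test_() in the first hunk would change with it.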