test: ensure CSP header in stream response

0x221A · 0x221A · commit c8eb6825bdab · 2024-10-10T13:48:41.000+07:00
diff --git a/packages/kit/test/apps/options/source/pages/csp-with-stream/+page.server.js b/packages/kit/test/apps/options/source/pages/csp-with-stream/+page.server.js
@@ -0,0 +1,5 @@
+export function load() {
+	return {
+		lazy: new Promise((resolve) => setTimeout(() => resolve(), 1000)).then(() => 'Moo Deng!')
+	};
+}
diff --git a/packages/kit/test/apps/options/source/pages/csp-with-stream/+page.svelte b/packages/kit/test/apps/options/source/pages/csp-with-stream/+page.svelte
@@ -0,0 +1,9 @@
+<script>
+	export let data;
+</script>
+
+{#await data.lazy}
+	Loading...
+{:then value}
+	<h2>{value}</h2>
+{/await}
diff --git a/packages/kit/test/apps/options/test/test.js b/packages/kit/test/apps/options/test/test.js
@@ -130,6 +130,15 @@ test.describe('CSP', () => {
 		expect(await page.evaluate('window.pwned')).toBe(undefined);
 	});
 
+	test('ensure CSP header in stream response', async ({ page, javaScriptEnabled }) => {
+		if (!javaScriptEnabled) return;
+		const response = await page.goto('/path-base/csp-with-stream');
+		expect(response.headers()['content-security-policy']).toMatch(
+			/require-trusted-types-for 'script'/
+		);
+		expect(await page.textContent('h2')).toBe('Moo Deng!');
+	});
+
 	test("quotes 'script'", async ({ page }) => {
 		const response = await page.goto('/path-base');
 		expect(response.headers()['content-security-policy']).toMatch(
