Only allow iframes to be loaded from our domain

pkg/api/dashboard_test.go

@@ -1,9 +1,12 @@
 package api
 
 import (
+	"fmt"
 	"net/http"
+	"net/http/httptest"
 	"testing"
 
+	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -52,3 +55,70 @@ func Test_safePrefix(t *testing.T) {
 		})
 	}
 }
+
+func Test_ContentSecurityPolicy(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		handler  DashboardHandler
+		expected int
+	}{
+		{
+			desc: "OK",
+			handler: DashboardHandler{
+				Assets: &assetfs.AssetFS{
+					Asset: func(path string) ([]byte, error) {
+						return []byte{}, nil
+					},
+					AssetDir: func(path string) ([]string, error) {
+						return []string{}, nil
+					},
+				},
+			},
+			expected: http.StatusOK,
+		},
+		{
+			desc: "Not found",
+			handler: DashboardHandler{
+				Assets: &assetfs.AssetFS{
+					Asset: func(path string) ([]byte, error) {
+						return []byte{}, fmt.Errorf("not found")
+					},
+					AssetDir: func(path string) ([]string, error) {
+						return []string{}, fmt.Errorf("not found")
+					},
+				},
+			},
+			expected: http.StatusNotFound,
+		},
+		{
+			desc: "Internal server error",
+			handler: DashboardHandler{
+				Assets: &assetfs.AssetFS{
+					Asset: func(path string) ([]byte, error) {
+						return []byte{}, fmt.Errorf("oops")
+					},
+					AssetDir: func(path string) ([]string, error) {
+						return []string{}, fmt.Errorf("oops")
+					},
+				},
+			},
+			expected: http.StatusInternalServerError,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			req := httptest.NewRequest(http.MethodGet, "/foobar.html", nil)
+
+			rw := httptest.NewRecorder()
+
+			test.handler.ServeHTTP(rw, req)
+
+			assert.Equal(t, test.expected, rw.Code)
+			assert.Equal(t, "frame-src 'self' https://traefik.io https://*.traefik.io;", rw.Result().Header.Get("Content-Security-Policy"))
+		})
+	}
+}