2 files changed, 42 insertions, 1 deletions

diff --git a/service/test/functional/features/steps/mail_view.py b/service/test/functional/features/steps/mail_view.py
index 82fc28af..c0e9e22b 100644
--- a/service/test/functional/features/steps/mail_view.py
+++ b/service/test/functional/features/steps/mail_view.py
@@ -25,8 +25,11 @@ def impl(context, subject):
 
 @then('I see that the body reads \'{expected_body}\'')
 def impl(context, expected_body):
-    e = find_element_by_css_selector(context, '#mail-view .bodyArea')
+    find_element_by_css_selector(context, '#read-sandbox')
+    context.browser.switch_to_frame('read-sandbox')
+    e = find_element_by_css_selector(context, 'body')
     assert e.text == expected_body
+    context.browser.switch_to_default_content()
 
 
 @then('that email has the \'{tag}\' tag')
diff --git a/service/test/unit/resources/test_sandbox_resource.py b/service/test/unit/resources/test_sandbox_resource.py
new file mode 100644
index 00000000..3db43e12
--- /dev/null
+++ b/service/test/unit/resources/test_sandbox_resource.py
@@ -0,0 +1,38 @@
+import os
+import unittest
+
+from twisted.internet import defer
+from twisted.web.test.requesthelper import DummyRequest
+
+from pixelated.resources.sandbox_resource import SandboxResource
+from test.unit.resources import DummySite
+
+
+class TestSandBoxResource(unittest.TestCase):
+    def setUp(self):
+        static_folder = os.path.dirname(os.path.abspath(__file__))
+        self.resource = SandboxResource(static_folder)
+        self.resource.isLeaf = True
+        self.web = DummySite(self.resource)
+
+    @defer.inlineCallbacks
+    def test_render_GET_should_set_sandbox_csp_header(self):
+        request = DummyRequest(['/sandbox'])
+        request.method = 'GET'
+        request.isSecure = lambda: True
+        request.redirect = lambda _: 'irrelevant'
+
+        expected_csp_headers = "sandbox allow-popups allow-scripts;" \
+                               "default-src 'self';" \
+                               "style-src *;" \
+                               "script-src  *;" \
+                               "font-src *;" \
+                               "img-src *;" \
+                               "object-src 'none';" \
+                               "connect-src 'none';"
+
+        yield self.web.get(request)
+
+        self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('X-Content-Security-Policy'.lower()))
+        self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('Content-Security-Policy'.lower()))
+        self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('X-Webkit-CSP'.lower()))