1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPSourceList.h" | 6 #include "core/frame/csp/CSPSourceList.h" |
7 | 7 |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/frame/csp/CSPSource.h" | 9 #include "core/frame/csp/CSPSource.h" |
10 #include "core/frame/csp/ContentSecurityPolicy.h" | 10 #include "core/frame/csp/ContentSecurityPolicy.h" |
11 #include "platform/weborigin/KURL.h" | 11 #include "platform/weborigin/KURL.h" |
| 12 #include "platform/weborigin/SchemeRegistry.h" |
12 #include "platform/weborigin/SecurityOrigin.h" | 13 #include "platform/weborigin/SecurityOrigin.h" |
13 #include <gtest/gtest.h> | 14 #include <gtest/gtest.h> |
14 | 15 |
15 namespace blink { | 16 namespace blink { |
16 | 17 |
17 class CSPSourceListTest : public ::testing::Test { | 18 class CSPSourceListTest : public ::testing::Test { |
18 public: | 19 public: |
19 CSPSourceListTest() | 20 CSPSourceListTest() |
20 : csp(ContentSecurityPolicy::create()) | 21 : csp(ContentSecurityPolicy::create()) |
21 { | 22 { |
58 KURL base; | 59 KURL base; |
59 String sources = "'self'"; | 60 String sources = "'self'"; |
60 CSPSourceList sourceList(csp.get(), "script-src"); | 61 CSPSourceList sourceList(csp.get(), "script-src"); |
61 parseSourceList(sourceList, sources); | 62 parseSourceList(sourceList, sources); |
62 | 63 |
63 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example.com/"))); | 64 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example.com/"))); |
64 EXPECT_FALSE(sourceList.matches(KURL(base, "https://not-example.com/"))); | 65 EXPECT_FALSE(sourceList.matches(KURL(base, "https://not-example.com/"))); |
65 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); | 66 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); |
66 } | 67 } |
67 | 68 |
| 69 TEST_F(CSPSourceListTest, BlobMatchingSelf) |
| 70 { |
| 71 KURL base; |
| 72 String sources = "'self'"; |
| 73 CSPSourceList sourceList(csp.get(), "script-src"); |
| 74 parseSourceList(sourceList, sources); |
| 75 |
| 76 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); |
| 77 EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/"))); |
| 78 |
| 79 // Register "https" as bypassing CSP, which should trigger the innerURL beha
vior. |
| 80 SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); |
| 81 |
| 82 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); |
| 83 EXPECT_TRUE(sourceList.matches(KURL(base, "blob:https://example.test/"))); |
| 84 |
| 85 // Unregister the scheme to clean up after ourselves. |
| 86 SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy("h
ttps"); |
| 87 } |
| 88 |
| 89 TEST_F(CSPSourceListTest, BlobMatchingBlob) |
| 90 { |
| 91 KURL base; |
| 92 String sources = "blob:"; |
| 93 CSPSourceList sourceList(csp.get(), "script-src"); |
| 94 parseSourceList(sourceList, sources); |
| 95 |
| 96 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example.test/"))); |
| 97 EXPECT_TRUE(sourceList.matches(KURL(base, "blob:https://example.test/"))); |
| 98 } |
| 99 |
68 TEST_F(CSPSourceListTest, BasicMatching) | 100 TEST_F(CSPSourceListTest, BasicMatching) |
69 { | 101 { |
70 KURL base; | 102 KURL base; |
71 String sources = "http://example1.com:8000/foo/ https://example2.com/"; | 103 String sources = "http://example1.com:8000/foo/ https://example2.com/"; |
72 CSPSourceList sourceList(csp.get(), "script-src"); | 104 CSPSourceList sourceList(csp.get(), "script-src"); |
73 parseSourceList(sourceList, sources); | 105 parseSourceList(sourceList, sources); |
74 | 106 |
75 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:8000/foo/")))
; | 107 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:8000/foo/")))
; |
76 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:8000/foo/bar"
))); | 108 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:8000/foo/bar"
))); |
77 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example2.com/"))); | 109 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example2.com/"))); |
116 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com/foo/"), Conte
ntSecurityPolicy::DidRedirect)); | 148 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com/foo/"), Conte
ntSecurityPolicy::DidRedirect)); |
117 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com/bar/"), Conte
ntSecurityPolicy::DidRedirect)); | 149 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com/bar/"), Conte
ntSecurityPolicy::DidRedirect)); |
118 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example2.com/bar/"), Conte
ntSecurityPolicy::DidRedirect)); | 150 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example2.com/bar/"), Conte
ntSecurityPolicy::DidRedirect)); |
119 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example2.com/foo/"), Conte
ntSecurityPolicy::DidRedirect)); | 151 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example2.com/foo/"), Conte
ntSecurityPolicy::DidRedirect)); |
120 | 152 |
121 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example3.com/foo/"), Cont
entSecurityPolicy::DidRedirect)); | 153 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example3.com/foo/"), Cont
entSecurityPolicy::DidRedirect)); |
122 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example1.com/foo/"), Con
tentSecurityPolicy::DidRedirect)); | 154 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example1.com/foo/"), Con
tentSecurityPolicy::DidRedirect)); |
123 } | 155 } |
124 | 156 |
125 } // namespace | 157 } // namespace |
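Review bot: BlobMatchingSelf never checks that the innerURL path stays origin-scoped once "https" is registered as bypassing CSP — after the registerURLSchemeAsBypassingContentSecurityPolicy call it only asserts that `blob:https://example.test/` matches 'self', so a matcher that accepted any blob: URL with an https inner scheme would pass this test unchanged. Adding `EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://not-example.com/")));` right after the positive blob assertion would pin the inner origin to 'self', mirroring the `https://not-example.com/` negative case that the 'self' test already has for the non-bypass branch. Separately, the registration mutates process-wide SchemeRegistry state and the matching removeURLSchemeRegisteredAsBypassingContentSecurityPolicy call only runs if control reaches the end of the test body; an early exit (an ASSERT_ added later, or a crash) would leave https bypassing CSP for every later test in the binary and silently weaken their assertions, so the removal belongs in a scoped RAII guard or the fixture's TearDown rather than a trailing statement. The 'self' origin (https://example.test) these assertions depend on is established in fixture lines that are outside this view.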