OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/loader/DocumentLoader.h" | 8 #include "core/loader/DocumentLoader.h" |
9 #include "platform/RuntimeEnabledFeatures.h" | 9 #include "platform/RuntimeEnabledFeatures.h" |
10 #include "platform/network/ContentSecurityPolicyParsers.h" | 10 #include "platform/network/ContentSecurityPolicyParsers.h" |
11 #include "platform/network/ResourceRequest.h" | 11 #include "platform/network/ResourceRequest.h" |
12 #include "platform/weborigin/KURL.h" | 12 #include "platform/weborigin/KURL.h" |
13 #include "platform/weborigin/SecurityOrigin.h" | 13 #include "platform/weborigin/SecurityOrigin.h" |
| 14 #include "public/platform/WebURLRequest.h" |
14 #include "testing/gtest/include/gtest/gtest.h" | 15 #include "testing/gtest/include/gtest/gtest.h" |
15 | 16 |
16 namespace blink { | 17 namespace blink { |
17 | 18 |
18 class ContentSecurityPolicyTest : public ::testing::Test { | 19 class ContentSecurityPolicyTest : public ::testing::Test { |
19 public: | 20 public: |
20 ContentSecurityPolicyTest() | 21 ContentSecurityPolicyTest() |
21 : csp(ContentSecurityPolicy::create()) | 22 : csp(ContentSecurityPolicy::create()) |
22 , secureURL(ParsedURLString, "https://example.test/image.png") | 23 , secureURL(ParsedURLString, "https://example.test/image.png") |
23 , secureOrigin(SecurityOrigin::create(secureURL)) | 24 , secureOrigin(SecurityOrigin::create(secureURL)) |
(...skipping 26 matching lines...)
50 TEST_F(ContentSecurityPolicyTest, ParseMonitorInsecureRequestsEnabled) | 51 TEST_F(ContentSecurityPolicyTest, ParseMonitorInsecureRequestsEnabled) |
51 { | 52 { |
52 csp->didReceiveHeader("upgrade-insecure-requests", ContentSecurityPolicyHead
erTypeReport, ContentSecurityPolicyHeaderSourceHTTP); | 53 csp->didReceiveHeader("upgrade-insecure-requests", ContentSecurityPolicyHead
erTypeReport, ContentSecurityPolicyHeaderSourceHTTP); |
53 EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, csp->getInsecureReq
uestsPolicy()); | 54 EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, csp->getInsecureReq
uestsPolicy()); |
54 | 55 |
55 csp->bindToExecutionContext(document.get()); | 56 csp->bindToExecutionContext(document.get()); |
56 EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, document->getInsecu
reRequestsPolicy()); | 57 EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, document->getInsecu
reRequestsPolicy()); |
57 EXPECT_FALSE(document->insecureNavigationsToUpgrade()->contains(secureOrigin
->host().impl()->hash())); | 58 EXPECT_FALSE(document->insecureNavigationsToUpgrade()->contains(secureOrigin
->host().impl()->hash())); |
58 } | 59 } |
59 | 60 |
| 61 TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressDisabled) |
| 62 { |
| 63 RuntimeEnabledFeatures::setCorsRFC1918Enabled(false); |
| 64 document->setHostedInReservedIPRange(true); |
| 65 EXPECT_EQ(WebURLRequest::AddressSpacePrivate, document->addressSpace()); |
| 66 |
| 67 csp->didReceiveHeader("treat-as-public-address", ContentSecurityPolicyHeader
TypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); |
| 68 csp->bindToExecutionContext(document.get()); |
| 69 EXPECT_EQ(WebURLRequest::AddressSpacePrivate, document->addressSpace()); |
| 70 } |
| 71 |
| 72 TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressEnabled) |
| 73 { |
| 74 RuntimeEnabledFeatures::setCorsRFC1918Enabled(true); |
| 75 document->setHostedInReservedIPRange(true); |
| 76 EXPECT_EQ(WebURLRequest::AddressSpacePrivate, document->addressSpace()); |
| 77 |
| 78 csp->didReceiveHeader("treat-as-public-address", ContentSecurityPolicyHeader
TypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); |
| 79 csp->bindToExecutionContext(document.get()); |
| 80 EXPECT_EQ(WebURLRequest::AddressSpacePublic, document->addressSpace()); |
| 81 } |
| 82 |
60 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) | 83 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) |
61 { | 84 { |
62 csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1"
, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP)
; | 85 csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1"
, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP)
; |
63 csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHea
derTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); | 86 csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHea
derTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); |
64 | 87 |
65 KURL exampleUrl(KURL(), "http://example.com"); | 88 KURL exampleUrl(KURL(), "http://example.com"); |
66 KURL notExampleUrl(KURL(), "http://not-example.com"); | 89 KURL notExampleUrl(KURL(), "http://not-example.com"); |
67 | 90 |
68 RefPtrWillBeRawPtr<ContentSecurityPolicy> csp2 = ContentSecurityPolicy::crea
te(); | 91 RefPtrWillBeRawPtr<ContentSecurityPolicy> csp2 = ContentSecurityPolicy::crea
te(); |
69 csp2->copyStateFrom(csp.get()); | 92 csp2->copyStateFrom(csp.get()); |
(...skipping 60 matching lines...)
130 } | 153 } |
131 | 154 |
132 TEST_F(ContentSecurityPolicyTest, EmptyReferrerDirective) | 155 TEST_F(ContentSecurityPolicyTest, EmptyReferrerDirective) |
133 { | 156 { |
134 csp->didReceiveHeader("referrer;", ContentSecurityPolicyHeaderTypeEnforce, C
ontentSecurityPolicyHeaderSourceHTTP); | 157 csp->didReceiveHeader("referrer;", ContentSecurityPolicyHeaderTypeEnforce, C
ontentSecurityPolicyHeaderSourceHTTP); |
135 csp->bindToExecutionContext(document.get()); | 158 csp->bindToExecutionContext(document.get()); |
136 EXPECT_EQ(ReferrerPolicyNever, document->getReferrerPolicy()); | 159 EXPECT_EQ(ReferrerPolicyNever, document->getReferrerPolicy()); |
137 } | 160 } |
138 | 161 |
139 } // namespace blink | 162 } // namespace blink |
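Review bot: Both new tests (new lines 63 and 74) flip the process-wide `RuntimeEnabledFeatures::setCorsRFC1918Enabled(...)` switch and never put it back, so every test that runs afterwards in the same process inherits whichever value was set last and address-space results become order-dependent. Save the previous value at the top of each test and restore it before returning, or do it in the fixture's set-up/tear-down if it has one (the fixture body is collapsed on this page), e.g. `const bool saved = RuntimeEnabledFeatures::corsRFC1918Enabled();` paired with `RuntimeEnabledFeatures::setCorsRFC1918Enabled(saved);` (getter name as I recall the generated accessors; please confirm). Coverage is also limited to `ContentSecurityPolicyHeaderTypeEnforce`: unlike `ParseMonitorInsecureRequestsEnabled` just above, nothing pins what `treat-as-public-address` does when delivered with `ContentSecurityPolicyHeaderTypeReport`. Assuming report-only delivery is meant to have no effect, a third test that sends the directive with the Report header type and still expects `WebURLRequest::AddressSpacePrivate` after `bindToExecutionContext` would guard against a report-only header silently reclassifying the document's address space.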
OLD | NEW |