
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp

Issue 2449873004: Removing CSPSourceList level up to SourceListDirective. (Closed)
Patch Set: Exporting CSPDirective Created 4 years, 1 month ago
(Empty)
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "core/frame/csp/CSPSourceList.h"
6
7 #include "core/dom/Document.h"
8 #include "core/frame/csp/CSPSource.h"
9 #include "core/frame/csp/ContentSecurityPolicy.h"
10 #include "platform/network/ResourceRequest.h"
11 #include "platform/weborigin/KURL.h"
12 #include "platform/weborigin/SchemeRegistry.h"
13 #include "platform/weborigin/SecurityOrigin.h"
14 #include "testing/gtest/include/gtest/gtest.h"
15
16 namespace blink {
17
18 class CSPSourceListTest : public ::testing::Test {
19 public:
20 CSPSourceListTest() : csp(ContentSecurityPolicy::create()) {}
21
22 protected:
23 virtual void SetUp() {
24 KURL secureURL(ParsedURLString, "https://example.test/image.png");
25 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));
26 document = Document::create();
27 document->setSecurityOrigin(secureOrigin);
28 csp->bindToExecutionContext(document.get());
29 }
30
31 Persistent<ContentSecurityPolicy> csp;
32 Persistent<Document> document;
33 };
34
35 static void parseSourceList(CSPSourceList& sourceList, String& sources) {
36 Vector<UChar> characters;
37 sources.appendTo(characters);
38 sourceList.parse(characters.data(), characters.data() + characters.size());
39 }
40
41 TEST_F(CSPSourceListTest, BasicMatchingNone) {
42 KURL base;
43 String sources = "'none'";
44 CSPSourceList sourceList(csp.get(), "script-src");
45 parseSourceList(sourceList, sources);
46
47 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example.com/")));
48 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example.test/")));
49 }
50
51 TEST_F(CSPSourceListTest, BasicMatchingStrictDynamic) {
52 String sources = "'strict-dynamic'";
53 CSPSourceList sourceList(csp.get(), "script-src");
54 parseSourceList(sourceList, sources);
55
56 EXPECT_TRUE(sourceList.allowDynamic());
57 }
58
59 TEST_F(CSPSourceListTest, BasicMatchingUnsafeHashedAttributes) {
60 String sources = "'unsafe-hashed-attributes'";
61 CSPSourceList sourceList(csp.get(), "script-src");
62 parseSourceList(sourceList, sources);
63
64 EXPECT_TRUE(sourceList.allowHashedAttributes());
65 }
66
67 TEST_F(CSPSourceListTest, BasicMatchingStar) {
68 KURL base;
69 String sources = "*";
70 CSPSourceList sourceList(csp.get(), "script-src");
71 parseSourceList(sourceList, sources);
72
73 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/")));
74 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.com/")));
75 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/bar")));
76 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/")));
77 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/bar")));
78 EXPECT_TRUE(sourceList.matches(KURL(base, "ftp://example.com/")));
79
80 EXPECT_FALSE(sourceList.matches(KURL(base, "data:https://example.test/")));
81 EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/")));
82 EXPECT_FALSE(
83 sourceList.matches(KURL(base, "filesystem:https://example.test/")));
84 EXPECT_FALSE(sourceList.matches(KURL(base, "file:///etc/hosts")));
85 EXPECT_FALSE(sourceList.matches(KURL(base, "applewebdata://example.test/")));
86 }
87
88 TEST_F(CSPSourceListTest, StarMatchesSelf) {
89 KURL base;
90 String sources = "*";
91 CSPSourceList sourceList(csp.get(), "script-src");
92 parseSourceList(sourceList, sources);
93
94 // With a protocol of 'file', '*' matches 'file:':
95 RefPtr<SecurityOrigin> origin = SecurityOrigin::create("file", "", 0);
96 csp->setupSelf(*origin);
97 EXPECT_TRUE(sourceList.matches(KURL(base, "file:///etc/hosts")));
98
99 // The other results are the same as above:
100 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/")));
101 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.com/")));
102 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/bar")));
103 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/")));
104 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/bar")));
105
106 EXPECT_FALSE(sourceList.matches(KURL(base, "data:https://example.test/")));
107 EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/")));
108 EXPECT_FALSE(
109 sourceList.matches(KURL(base, "filesystem:https://example.test/")));
110 EXPECT_FALSE(sourceList.matches(KURL(base, "applewebdata://example.test/")));
111 }
112
113 TEST_F(CSPSourceListTest, BasicMatchingSelf) {
114 KURL base;
115 String sources = "'self'";
116 CSPSourceList sourceList(csp.get(), "script-src");
117 parseSourceList(sourceList, sources);
118
119 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example.com/")));
120 EXPECT_FALSE(sourceList.matches(KURL(base, "https://not-example.com/")));
121 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/")));
122 }
123
124 TEST_F(CSPSourceListTest, BlobMatchingSelf) {
125 KURL base;
126 String sources = "'self'";
127 CSPSourceList sourceList(csp.get(), "script-src");
128 parseSourceList(sourceList, sources);
129
130 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/")));
131 EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/")));
132
133 // Register "https" as bypassing CSP, which should trigger the innerURL
134 // behavior.
135 SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
136
137 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/")));
138 EXPECT_TRUE(sourceList.matches(KURL(base, "blob:https://example.test/")));
139
140 // Unregister the scheme to clean up after ourselves.
141 SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
142 "https");
143 }
144
145 TEST_F(CSPSourceListTest, BlobMatchingBlob) {
146 KURL base;
147 String sources = "blob:";
148 CSPSourceList sourceList(csp.get(), "script-src");
149 parseSourceList(sourceList, sources);
150
151 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example.test/")));
152 EXPECT_TRUE(sourceList.matches(KURL(base, "blob:https://example.test/")));
153 }
154
155 TEST_F(CSPSourceListTest, BasicMatching) {
156 KURL base;
157 String sources = "http://example1.com:8000/foo/ https://example2.com/";
158 CSPSourceList sourceList(csp.get(), "script-src");
159 parseSourceList(sourceList, sources);
160
161 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:8000/foo/")));
162 EXPECT_TRUE(
163 sourceList.matches(KURL(base, "http://example1.com:8000/foo/bar")));
164 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example2.com/")));
165 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example2.com/foo/")));
166
167 EXPECT_FALSE(sourceList.matches(KURL(base, "https://not-example.com/")));
168 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example1.com/")));
169 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example1.com/foo")));
170 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example1.com:9000/foo/")));
171 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example1.com:8000/FOO/")));
172 }
173
174 TEST_F(CSPSourceListTest, WildcardMatching) {
175 KURL base;
176 String sources =
177 "http://example1.com:*/foo/ https://*.example2.com/bar/ http://*.test/";
178 CSPSourceList sourceList(csp.get(), "script-src");
179 parseSourceList(sourceList, sources);
180
181 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com/foo/")));
182 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:8000/foo/")));
183 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:9000/foo/")));
184 EXPECT_TRUE(sourceList.matches(KURL(base, "https://foo.example2.com/bar/")));
185 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.test/")));
186 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.bar.test/")));
187 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example1.com/foo/")));
188 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example1.com:8000/foo/")));
189 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example1.com:9000/foo/")));
190 EXPECT_TRUE(sourceList.matches(KURL(base, "https://foo.test/")));
191 EXPECT_TRUE(sourceList.matches(KURL(base, "https://foo.bar.test/")));
192
193 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example1.com:8000/foo")));
194 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example2.com:8000/bar")));
195 EXPECT_FALSE(
196 sourceList.matches(KURL(base, "https://foo.example2.com:8000/bar")));
197 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example2.foo.com/bar")));
198 EXPECT_FALSE(sourceList.matches(KURL(base, "http://foo.test.bar/")));
199 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example2.com/bar/")));
200 EXPECT_FALSE(sourceList.matches(KURL(base, "http://test/")));
201 }
202
203 TEST_F(CSPSourceListTest, RedirectMatching) {
204 KURL base;
205 String sources = "http://example1.com/foo/ http://example2.com/bar/";
206 CSPSourceList sourceList(csp.get(), "script-src");
207 parseSourceList(sourceList, sources);
208
209 EXPECT_TRUE(
210 sourceList.matches(KURL(base, "http://example1.com/foo/"),
211 ResourceRequest::RedirectStatus::FollowedRedirect));
212 EXPECT_TRUE(
213 sourceList.matches(KURL(base, "http://example1.com/bar/"),
214 ResourceRequest::RedirectStatus::FollowedRedirect));
215 EXPECT_TRUE(
216 sourceList.matches(KURL(base, "http://example2.com/bar/"),
217 ResourceRequest::RedirectStatus::FollowedRedirect));
218 EXPECT_TRUE(
219 sourceList.matches(KURL(base, "http://example2.com/foo/"),
220 ResourceRequest::RedirectStatus::FollowedRedirect));
221 EXPECT_TRUE(
222 sourceList.matches(KURL(base, "https://example1.com/foo/"),
223 ResourceRequest::RedirectStatus::FollowedRedirect));
224 EXPECT_TRUE(
225 sourceList.matches(KURL(base, "https://example1.com/bar/"),
226 ResourceRequest::RedirectStatus::FollowedRedirect));
227
228 EXPECT_FALSE(
229 sourceList.matches(KURL(base, "http://example3.com/foo/"),
230 ResourceRequest::RedirectStatus::FollowedRedirect));
231 }
232
233 } // namespace blink