| (Empty) |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "core/frame/csp/CSPSourceList.h" | |
6 | |
7 #include "core/dom/Document.h" | |
8 #include "core/frame/csp/CSPSource.h" | |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | |
10 #include "platform/network/ResourceRequest.h" | |
11 #include "platform/weborigin/KURL.h" | |
12 #include "platform/weborigin/SchemeRegistry.h" | |
13 #include "platform/weborigin/SecurityOrigin.h" | |
14 #include "testing/gtest/include/gtest/gtest.h" | |
15 | |
16 namespace blink { | |
17 | |
18 class CSPSourceListTest : public ::testing::Test { | |
19 public: | |
20 CSPSourceListTest() : csp(ContentSecurityPolicy::create()) {} | |
21 | |
22 protected: | |
23 virtual void SetUp() { | |
24 KURL secureURL(ParsedURLString, "https://example.test/image.png"); | |
25 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); | |
26 document = Document::create(); | |
27 document->setSecurityOrigin(secureOrigin); | |
28 csp->bindToExecutionContext(document.get()); | |
29 } | |
30 | |
31 Persistent<ContentSecurityPolicy> csp; | |
32 Persistent<Document> document; | |
33 }; | |
34 | |
35 static void parseSourceList(CSPSourceList& sourceList, String& sources) { | |
36 Vector<UChar> characters; | |
37 sources.appendTo(characters); | |
38 sourceList.parse(characters.data(), characters.data() + characters.size()); | |
39 } | |
40 | |
41 TEST_F(CSPSourceListTest, BasicMatchingNone) { | |
42 KURL base; | |
43 String sources = "'none'"; | |
44 CSPSourceList sourceList(csp.get(), "script-src"); | |
45 parseSourceList(sourceList, sources); | |
46 | |
47 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example.com/"))); | |
48 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example.test/"))); | |
49 } | |
50 | |
51 TEST_F(CSPSourceListTest, BasicMatchingStrictDynamic) { | |
52 String sources = "'strict-dynamic'"; | |
53 CSPSourceList sourceList(csp.get(), "script-src"); | |
54 parseSourceList(sourceList, sources); | |
55 | |
56 EXPECT_TRUE(sourceList.allowDynamic()); | |
57 } | |
58 | |
59 TEST_F(CSPSourceListTest, BasicMatchingUnsafeHashedAttributes) { | |
60 String sources = "'unsafe-hashed-attributes'"; | |
61 CSPSourceList sourceList(csp.get(), "script-src"); | |
62 parseSourceList(sourceList, sources); | |
63 | |
64 EXPECT_TRUE(sourceList.allowHashedAttributes()); | |
65 } | |
66 | |
67 TEST_F(CSPSourceListTest, BasicMatchingStar) { | |
68 KURL base; | |
69 String sources = "*"; | |
70 CSPSourceList sourceList(csp.get(), "script-src"); | |
71 parseSourceList(sourceList, sources); | |
72 | |
73 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/"))); | |
74 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.com/"))); | |
75 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/bar"))); | |
76 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/"))); | |
77 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/bar"))); | |
78 EXPECT_TRUE(sourceList.matches(KURL(base, "ftp://example.com/"))); | |
79 | |
80 EXPECT_FALSE(sourceList.matches(KURL(base, "data:https://example.test/"))); | |
81 EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/"))); | |
82 EXPECT_FALSE( | |
83 sourceList.matches(KURL(base, "filesystem:https://example.test/"))); | |
84 EXPECT_FALSE(sourceList.matches(KURL(base, "file:///etc/hosts"))); | |
85 EXPECT_FALSE(sourceList.matches(KURL(base, "applewebdata://example.test/"))); | |
86 } | |
87 | |
88 TEST_F(CSPSourceListTest, StarMatchesSelf) { | |
89 KURL base; | |
90 String sources = "*"; | |
91 CSPSourceList sourceList(csp.get(), "script-src"); | |
92 parseSourceList(sourceList, sources); | |
93 | |
94 // With a protocol of 'file', '*' matches 'file:': | |
95 RefPtr<SecurityOrigin> origin = SecurityOrigin::create("file", "", 0); | |
96 csp->setupSelf(*origin); | |
97 EXPECT_TRUE(sourceList.matches(KURL(base, "file:///etc/hosts"))); | |
98 | |
99 // The other results are the same as above: | |
100 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/"))); | |
101 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.com/"))); | |
102 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/bar"))); | |
103 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/"))); | |
104 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/bar"))); | |
105 | |
106 EXPECT_FALSE(sourceList.matches(KURL(base, "data:https://example.test/"))); | |
107 EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/"))); | |
108 EXPECT_FALSE( | |
109 sourceList.matches(KURL(base, "filesystem:https://example.test/"))); | |
110 EXPECT_FALSE(sourceList.matches(KURL(base, "applewebdata://example.test/"))); | |
111 } | |
112 | |
113 TEST_F(CSPSourceListTest, BasicMatchingSelf) { | |
114 KURL base; | |
115 String sources = "'self'"; | |
116 CSPSourceList sourceList(csp.get(), "script-src"); | |
117 parseSourceList(sourceList, sources); | |
118 | |
119 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example.com/"))); | |
120 EXPECT_FALSE(sourceList.matches(KURL(base, "https://not-example.com/"))); | |
121 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); | |
122 } | |
123 | |
124 TEST_F(CSPSourceListTest, BlobMatchingSelf) { | |
125 KURL base; | |
126 String sources = "'self'"; | |
127 CSPSourceList sourceList(csp.get(), "script-src"); | |
128 parseSourceList(sourceList, sources); | |
129 | |
130 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); | |
131 EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/"))); | |
132 | |
133 // Register "https" as bypassing CSP, which should trigger the innerURL | |
134 // behavior. | |
135 SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); | |
136 | |
137 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); | |
138 EXPECT_TRUE(sourceList.matches(KURL(base, "blob:https://example.test/"))); | |
139 | |
140 // Unregister the scheme to clean up after ourselves. | |
141 SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy( | |
142 "https"); | |
143 } | |
144 | |
145 TEST_F(CSPSourceListTest, BlobMatchingBlob) { | |
146 KURL base; | |
147 String sources = "blob:"; | |
148 CSPSourceList sourceList(csp.get(), "script-src"); | |
149 parseSourceList(sourceList, sources); | |
150 | |
151 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example.test/"))); | |
152 EXPECT_TRUE(sourceList.matches(KURL(base, "blob:https://example.test/"))); | |
153 } | |
154 | |
155 TEST_F(CSPSourceListTest, BasicMatching) { | |
156 KURL base; | |
157 String sources = "http://example1.com:8000/foo/ https://example2.com/"; | |
158 CSPSourceList sourceList(csp.get(), "script-src"); | |
159 parseSourceList(sourceList, sources); | |
160 | |
161 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:8000/foo/"))); | |
162 EXPECT_TRUE( | |
163 sourceList.matches(KURL(base, "http://example1.com:8000/foo/bar"))); | |
164 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example2.com/"))); | |
165 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example2.com/foo/"))); | |
166 | |
167 EXPECT_FALSE(sourceList.matches(KURL(base, "https://not-example.com/"))); | |
168 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example1.com/"))); | |
169 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example1.com/foo"))); | |
170 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example1.com:9000/foo/"))); | |
171 EXPECT_FALSE(sourceList.matches(KURL(base, "http://example1.com:8000/FOO/"))); | |
172 } | |
173 | |
174 TEST_F(CSPSourceListTest, WildcardMatching) { | |
175 KURL base; | |
176 String sources = | |
177 "http://example1.com:*/foo/ https://*.example2.com/bar/ http://*.test/"; | |
178 CSPSourceList sourceList(csp.get(), "script-src"); | |
179 parseSourceList(sourceList, sources); | |
180 | |
181 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com/foo/"))); | |
182 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:8000/foo/"))); | |
183 EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com:9000/foo/"))); | |
184 EXPECT_TRUE(sourceList.matches(KURL(base, "https://foo.example2.com/bar/"))); | |
185 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.test/"))); | |
186 EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.bar.test/"))); | |
187 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example1.com/foo/"))); | |
188 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example1.com:8000/foo/"))); | |
189 EXPECT_TRUE(sourceList.matches(KURL(base, "https://example1.com:9000/foo/"))); | |
190 EXPECT_TRUE(sourceList.matches(KURL(base, "https://foo.test/"))); | |
191 EXPECT_TRUE(sourceList.matches(KURL(base, "https://foo.bar.test/"))); | |
192 | |
193 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example1.com:8000/foo"))); | |
194 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example2.com:8000/bar"))); | |
195 EXPECT_FALSE( | |
196 sourceList.matches(KURL(base, "https://foo.example2.com:8000/bar"))); | |
197 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example2.foo.com/bar"))); | |
198 EXPECT_FALSE(sourceList.matches(KURL(base, "http://foo.test.bar/"))); | |
199 EXPECT_FALSE(sourceList.matches(KURL(base, "https://example2.com/bar/"))); | |
200 EXPECT_FALSE(sourceList.matches(KURL(base, "http://test/"))); | |
201 } | |
202 | |
203 TEST_F(CSPSourceListTest, RedirectMatching) { | |
204 KURL base; | |
205 String sources = "http://example1.com/foo/ http://example2.com/bar/"; | |
206 CSPSourceList sourceList(csp.get(), "script-src"); | |
207 parseSourceList(sourceList, sources); | |
208 | |
209 EXPECT_TRUE( | |
210 sourceList.matches(KURL(base, "http://example1.com/foo/"), | |
211 ResourceRequest::RedirectStatus::FollowedRedirect)); | |
212 EXPECT_TRUE( | |
213 sourceList.matches(KURL(base, "http://example1.com/bar/"), | |
214 ResourceRequest::RedirectStatus::FollowedRedirect)); | |
215 EXPECT_TRUE( | |
216 sourceList.matches(KURL(base, "http://example2.com/bar/"), | |
217 ResourceRequest::RedirectStatus::FollowedRedirect)); | |
218 EXPECT_TRUE( | |
219 sourceList.matches(KURL(base, "http://example2.com/foo/"), | |
220 ResourceRequest::RedirectStatus::FollowedRedirect)); | |
221 EXPECT_TRUE( | |
222 sourceList.matches(KURL(base, "https://example1.com/foo/"), | |
223 ResourceRequest::RedirectStatus::FollowedRedirect)); | |
224 EXPECT_TRUE( | |
225 sourceList.matches(KURL(base, "https://example1.com/bar/"), | |
226 ResourceRequest::RedirectStatus::FollowedRedirect)); | |
227 | |
228 EXPECT_FALSE( | |
229 sourceList.matches(KURL(base, "http://example3.com/foo/"), | |
230 ResourceRequest::RedirectStatus::FollowedRedirect)); | |
231 } | |
232 | |
233 } // namespace blink | |