
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2449873004: Removing CSPSourceList level up to SourceListDirective. (Closed)
Patch Set: Exporting CSPDirective Created 4 years, 1 month ago
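--- /dev/null
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
@@ -0,0 +1,216 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "core/frame/csp/SourceListDirective.h"
+
+#include "core/dom/Document.h"
+#include "core/frame/csp/CSPSource.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
+#include "platform/network/ResourceRequest.h"
+#include "platform/weborigin/KURL.h"
+#include "platform/weborigin/SchemeRegistry.h"
+#include "platform/weborigin/SecurityOrigin.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace blink {
+
+class SourceListDirectiveTest : public ::testing::Test {
+public:
+SourceListDirectiveTest() : csp(ContentSecurityPolicy::create()) {}
+
+protected:
+virtual void SetUp() {
+KURL secureURL(ParsedURLString, "https://example.test/image.png");
+RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));
+document = Document::create();
+document->setSecurityOrigin(secureOrigin);
+csp->bindToExecutionContext(document.get());
+}
+
+Persistent<ContentSecurityPolicy> csp;
+Persistent<Document> document;
+};
+
+TEST_F(SourceListDirectiveTest, BasicMatchingNone) {
+KURL base;
+String sources = "'none'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example.com/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatchingStrictDynamic) {
+String sources = "'strict-dynamic'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allowDynamic());
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatchingUnsafeHashedAttributes) {
+String sources = "'unsafe-hashed-attributes'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allowHashedAttributes());
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatchingStar) {
+KURL base;
+String sources = "*";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/bar")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/bar")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "ftp://example.com/")));
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "data:https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+EXPECT_FALSE(
+sourceList.allows(KURL(base, "filesystem:https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "file:///etc/hosts")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "applewebdata://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, StarallowsSelf) {
+KURL base;
+String sources = "*";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+// With a protocol of 'file', '*' allows 'file:':
+RefPtr<SecurityOrigin> origin = SecurityOrigin::create("file", "", 0);
+csp->setupSelf(*origin);
+EXPECT_TRUE(sourceList.allows(KURL(base, "file:///etc/hosts")));
+
+// The other results are the same as above:
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/bar")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/bar")));
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "data:https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+EXPECT_FALSE(
+sourceList.allows(KURL(base, "filesystem:https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "applewebdata://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatchingSelf) {
+KURL base;
+String sources = "'self'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example.com/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://not-example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, BlobMatchingSelf) {
+KURL base;
+String sources = "'self'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+
+// Register "https" as bypassing CSP, which should trigger the innerURL
+// behavior.
+SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+
+// Unregister the scheme to clean up after ourselves.
+SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
+"https");
+}
+
+TEST_F(SourceListDirectiveTest, BlobMatchingBlob) {
+KURL base;
+String sources = "blob:";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatching) {
+KURL base;
+String sources = "http://example1.com:8000/foo/ https://example2.com/";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:8000/foo/")));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example1.com:8000/foo/bar")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example2.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example2.com/foo/")));
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://not-example.com/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example1.com/foo")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com:9000/foo/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com:8000/FOO/")));
+}
+
+TEST_F(SourceListDirectiveTest, WildcardMatching) {
+KURL base;
+String sources =
+"http://example1.com:*/foo/ https://*.example2.com/bar/ http://*.test/";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:8000/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:9000/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.example2.com/bar/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.bar.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com:8000/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com:9000/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.bar.test/")));
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example1.com:8000/foo")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.com:8000/bar")));
+EXPECT_FALSE(
+sourceList.allows(KURL(base, "https://foo.example2.com:8000/bar")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.foo.com/bar")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://foo.test.bar/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.com/bar/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://test/")));
+}
+
+TEST_F(SourceListDirectiveTest, RedirectMatching) {
+KURL base;
+String sources = "http://example1.com/foo/ http://example2.com/bar/";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example1.com/foo/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example1.com/bar/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example2.com/bar/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example2.com/foo/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "https://example1.com/foo/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "https://example1.com/bar/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+
+EXPECT_FALSE(
+sourceList.allows(KURL(base, "http://example3.com/foo/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+}
+
+} // namespace blink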
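Review bot: RedirectMatching only pins the permissive side of redirect handling — that the source's path is ignored once a redirect has been followed, so `http://example1.com/bar/` is allowed for a `http://example1.com/foo/` source — and never asserts that the same URL is rejected when no redirect occurred, so the test cannot tell "path is ignored after a redirect" apart from "path is ignored always"; this is the boundary that matters, since dropping the path post-redirect exists precisely to avoid leaking redirect targets, and it should not widen non-redirect matching. Add the non-redirect counterpart next to the FollowedRedirect cases, e.g. `EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com/bar/"), ResourceRequest::RedirectStatus::NoRedirect));` (assuming NoRedirect is the enumerator the single-argument `allows` calls in the other tests default to). Separately, BlobMatchingSelf mutates process-wide SchemeRegistry state and relies on straight-line execution to undo it; if a later edit turns one of the intervening EXPECTs into an ASSERT or adds an early return, "https" stays registered as CSP-bypassing for every subsequent test in the process, silently making their negative cases meaningless, so the unregister call belongs in a scope guard or the fixture's TearDown rather than at the end of the test body.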
