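--- /dev/null
+++ b/<PATH: not shown on page>
@@ -0,0 +1,216 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "core/frame/csp/SourceListDirective.h"
+
+#include "core/dom/Document.h"
+#include "core/frame/csp/CSPSource.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
+#include "platform/network/ResourceRequest.h"
+#include "platform/weborigin/KURL.h"
+#include "platform/weborigin/SchemeRegistry.h"
+#include "platform/weborigin/SecurityOrigin.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace blink {
+
+class SourceListDirectiveTest : public ::testing::Test {
+public:
+SourceListDirectiveTest() : csp(ContentSecurityPolicy::create()) {}
+
+protected:
+virtual void SetUp() {
+KURL secureURL(ParsedURLString, "https://example.test/image.png");
+RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));
+document = Document::create();
+document->setSecurityOrigin(secureOrigin);
+csp->bindToExecutionContext(document.get());
+}
+
+Persistent<ContentSecurityPolicy> csp;
+Persistent<Document> document;
+};
+
+TEST_F(SourceListDirectiveTest, BasicMatchingNone) {
+KURL base;
+String sources = "'none'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example.com/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatchingStrictDynamic) {
+String sources = "'strict-dynamic'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allowDynamic());
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatchingUnsafeHashedAttributes) {
+String sources = "'unsafe-hashed-attributes'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allowHashedAttributes());
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatchingStar) {
+KURL base;
+String sources = "*";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/bar")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/bar")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "ftp://example.com/")));
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "data:https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+EXPECT_FALSE(
+sourceList.allows(KURL(base, "filesystem:https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "file:///etc/hosts")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "applewebdata://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, StarallowsSelf) {
+KURL base;
+String sources = "*";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+// With a protocol of 'file', '*' allows 'file:':
+RefPtr<SecurityOrigin> origin = SecurityOrigin::create("file", "", 0);
+csp->setupSelf(*origin);
+EXPECT_TRUE(sourceList.allows(KURL(base, "file:///etc/hosts")));
+
+// The other results are the same as above:
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/bar")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/bar")));
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "data:https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+EXPECT_FALSE(
+sourceList.allows(KURL(base, "filesystem:https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "applewebdata://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatchingSelf) {
+KURL base;
+String sources = "'self'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example.com/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://not-example.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, BlobMatchingSelf) {
+KURL base;
+String sources = "'self'";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+
+// Register "https" as bypassing CSP, which should trigger the innerURL
+// behavior.
+SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+
+// Unregister the scheme to clean up after ourselves.
+SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
+"https");
+}
+
+TEST_F(SourceListDirectiveTest, BlobMatchingBlob) {
+KURL base;
+String sources = "blob:";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/")));
+}
+
+TEST_F(SourceListDirectiveTest, BasicMatching) {
+KURL base;
+String sources = "http://example1.com:8000/foo/ https://example2.com/";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:8000/foo/")));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example1.com:8000/foo/bar")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example2.com/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example2.com/foo/")));
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://not-example.com/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example1.com/foo")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com:9000/foo/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com:8000/FOO/")));
+}
+
+TEST_F(SourceListDirectiveTest, WildcardMatching) {
+KURL base;
+String sources =
+"http://example1.com:*/foo/ https://*.example2.com/bar/ http://*.test/";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:8000/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:9000/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.example2.com/bar/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.bar.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com:8000/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com:9000/foo/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.test/")));
+EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.bar.test/")));
+
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example1.com:8000/foo")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.com:8000/bar")));
+EXPECT_FALSE(
+sourceList.allows(KURL(base, "https://foo.example2.com:8000/bar")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.foo.com/bar")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://foo.test.bar/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.com/bar/")));
+EXPECT_FALSE(sourceList.allows(KURL(base, "http://test/")));
+}
+
+TEST_F(SourceListDirectiveTest, RedirectMatching) {
+KURL base;
+String sources = "http://example1.com/foo/ http://example2.com/bar/";
+SourceListDirective sourceList("script-src", sources, csp.get());
+
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example1.com/foo/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example1.com/bar/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example2.com/bar/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "http://example2.com/foo/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "https://example1.com/foo/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+EXPECT_TRUE(
+sourceList.allows(KURL(base, "https://example1.com/bar/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+
+EXPECT_FALSE(
+sourceList.allows(KURL(base, "http://example3.com/foo/"),
+ResourceRequest::RedirectStatus::FollowedRedirect));
+}
+
+} // namespace blink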
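Review bot: In `BlobMatchingSelf` the call to `SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https")` mutates process-global state, and the matching `removeURLSchemeRegisteredAsBypassingContentSecurityPolicy("https")` only runs if control reaches the end of the test body; a fatal assertion or crash between the two leaves "https" registered as CSP-bypassing for every later test in the same process, which would silently turn real source-list regressions into passes. Moving the unregister call into a `void TearDown() override` on the fixture (or a small scoped guard whose destructor performs it) keeps the cleanup unconditional. While touching the fixture, `virtual void SetUp()` should be `void SetUp() override` so a signature drift against the gtest base is caught at compile time. A comment such as `// Global registry change; must be undone in TearDown so it cannot leak into sibling tests.` above the register call would make the hazard visible to the next author.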