Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
new file mode 100644 |
index 0000000000000000000000000000000000000000..d73634abe119d2c8c737a73df7f79a16509aa358 |
--- /dev/null |
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
@@ -0,0 +1,216 @@ |
+// Copyright 2015 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "core/frame/csp/SourceListDirective.h" |
+ |
+#include "core/dom/Document.h" |
+#include "core/frame/csp/CSPSource.h" |
+#include "core/frame/csp/ContentSecurityPolicy.h" |
+#include "platform/network/ResourceRequest.h" |
+#include "platform/weborigin/KURL.h" |
+#include "platform/weborigin/SchemeRegistry.h" |
+#include "platform/weborigin/SecurityOrigin.h" |
+#include "testing/gtest/include/gtest/gtest.h" |
+ |
+namespace blink { |
+ |
+class SourceListDirectiveTest : public ::testing::Test { |
+ public: |
+ SourceListDirectiveTest() : csp(ContentSecurityPolicy::create()) {} |
+ |
+ protected: |
+ virtual void SetUp() { |
+ KURL secureURL(ParsedURLString, "https://example.test/image.png"); |
+ RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); |
+ document = Document::create(); |
+ document->setSecurityOrigin(secureOrigin); |
+ csp->bindToExecutionContext(document.get()); |
+ } |
+ |
+ Persistent<ContentSecurityPolicy> csp; |
+ Persistent<Document> document; |
+}; |
+ |
+TEST_F(SourceListDirectiveTest, BasicMatchingNone) { |
+ KURL base; |
+ String sources = "'none'"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "http://example.com/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/"))); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, BasicMatchingStrictDynamic) { |
+ String sources = "'strict-dynamic'"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_TRUE(sourceList.allowDynamic()); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, BasicMatchingUnsafeHashedAttributes) { |
+ String sources = "'unsafe-hashed-attributes'"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_TRUE(sourceList.allowHashedAttributes()); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, BasicMatchingStar) { |
+ KURL base; |
+ String sources = "*"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.com/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/bar"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/bar"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "ftp://example.com/"))); |
+ |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "data:https://example.test/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/"))); |
+ EXPECT_FALSE( |
+ sourceList.allows(KURL(base, "filesystem:https://example.test/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "file:///etc/hosts"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "applewebdata://example.test/"))); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, StarallowsSelf) { |
+ KURL base; |
+ String sources = "*"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ // With a protocol of 'file', '*' allows 'file:': |
+ RefPtr<SecurityOrigin> origin = SecurityOrigin::create("file", "", 0); |
+ csp->setupSelf(*origin); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "file:///etc/hosts"))); |
+ |
+ // The other results are the same as above: |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.com/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://example.com/bar"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.example.com/bar"))); |
+ |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "data:https://example.test/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/"))); |
+ EXPECT_FALSE( |
+ sourceList.allows(KURL(base, "filesystem:https://example.test/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "applewebdata://example.test/"))); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, BasicMatchingSelf) { |
+ KURL base; |
+ String sources = "'self'"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "http://example.com/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://not-example.com/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/"))); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, BlobMatchingSelf) { |
+ KURL base; |
+ String sources = "'self'"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "blob:https://example.test/"))); |
+ |
+ // Register "https" as bypassing CSP, which should trigger the innerURL |
+ // behavior. |
+ SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); |
+ |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/"))); |
+ |
+ // Unregister the scheme to clean up after ourselves. |
+ SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
+ "https"); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, BlobMatchingBlob) { |
+ KURL base; |
+ String sources = "blob:"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/"))); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, BasicMatching) { |
+ KURL base; |
+ String sources = "http://example1.com:8000/foo/ https://example2.com/"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:8000/foo/"))); |
+ EXPECT_TRUE( |
+ sourceList.allows(KURL(base, "http://example1.com:8000/foo/bar"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example2.com/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example2.com/foo/"))); |
+ |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://not-example.com/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://example1.com/foo"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com:9000/foo/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "http://example1.com:8000/FOO/"))); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, WildcardMatching) { |
+ KURL base; |
+ String sources = |
+ "http://example1.com:*/foo/ https://*.example2.com/bar/ http://*.test/"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com/foo/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:8000/foo/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://example1.com:9000/foo/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.example2.com/bar/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.test/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "http://foo.bar.test/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com/foo/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com:8000/foo/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://example1.com:9000/foo/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.test/"))); |
+ EXPECT_TRUE(sourceList.allows(KURL(base, "https://foo.bar.test/"))); |
+ |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://example1.com:8000/foo"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.com:8000/bar"))); |
+ EXPECT_FALSE( |
+ sourceList.allows(KURL(base, "https://foo.example2.com:8000/bar"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.foo.com/bar"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "http://foo.test.bar/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "https://example2.com/bar/"))); |
+ EXPECT_FALSE(sourceList.allows(KURL(base, "http://test/"))); |
+} |
+ |
+TEST_F(SourceListDirectiveTest, RedirectMatching) { |
+ KURL base; |
+ String sources = "http://example1.com/foo/ http://example2.com/bar/"; |
+ SourceListDirective sourceList("script-src", sources, csp.get()); |
+ |
+ EXPECT_TRUE( |
+ sourceList.allows(KURL(base, "http://example1.com/foo/"), |
+ ResourceRequest::RedirectStatus::FollowedRedirect)); |
+ EXPECT_TRUE( |
+ sourceList.allows(KURL(base, "http://example1.com/bar/"), |
+ ResourceRequest::RedirectStatus::FollowedRedirect)); |
+ EXPECT_TRUE( |
+ sourceList.allows(KURL(base, "http://example2.com/bar/"), |
+ ResourceRequest::RedirectStatus::FollowedRedirect)); |
+ EXPECT_TRUE( |
+ sourceList.allows(KURL(base, "http://example2.com/foo/"), |
+ ResourceRequest::RedirectStatus::FollowedRedirect)); |
+ EXPECT_TRUE( |
+ sourceList.allows(KURL(base, "https://example1.com/foo/"), |
+ ResourceRequest::RedirectStatus::FollowedRedirect)); |
+ EXPECT_TRUE( |
+ sourceList.allows(KURL(base, "https://example1.com/bar/"), |
+ ResourceRequest::RedirectStatus::FollowedRedirect)); |
+ |
+ EXPECT_FALSE( |
+ sourceList.allows(KURL(base, "http://example3.com/foo/"), |
+ ResourceRequest::RedirectStatus::FollowedRedirect)); |
+} |
+ |
+} // namespace blink |