
Side by Side Diff: content/common/content_security_policy/csp_policy_unittest.cc

Issue 2612793002: Implement ContentSecurityPolicy on the browser-side. (Closed)
Patch Set: Temporarily re-add the parser + transmit the parsed CSP over IPC. Created 3 years, 11 months ago
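--- a/content/common/content_security_policy/csp_policy_unittest.cc
+++ b/content/common/content_security_policy/csp_policy_unittest.cc
@@ -0,0 +1,126 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_context.h"
+#include "content/common/content_security_policy_header.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+namespace {
+class CSPContextTest : public CSPContext {
+public:
+const std::string& LastConsoleMessage() { return console_message_; }
+
+private:
+void LogToConsole(const std::string& message) override {
+console_message_ = message;
+}
+std::string console_message_;
+};
+
+CSPPolicy ParsePolicy(CSPContext* context, const std::string& value) {
+return CSPPolicy::Parse(context,
+ContentSecurityPolicyHeader{
+value, blink::WebContentSecurityPolicyTypeEnforce,
+blink::WebContentSecurityPolicySourceHTTP});
+}
+
+} // namespace
+
+TEST(CSPPolicy, ReportDuplicateDirective) {
+{
+CSPContextTest context;
+CSPPolicy policy = ParsePolicy(&context,
+"default-src 'self';"
+"default-src 'self'");
+const char console_message[] =
+"Ignoring duplicate Content-Security-Policy directive 'default-src'.\n";
+EXPECT_EQ(console_message, context.LastConsoleMessage());
+}
+{
+CSPContextTest context;
+CSPPolicy policy = ParsePolicy(&context,
+"report-uri 'self';"
+"report-uri 'self'");
+const char console_message[] =
+"Ignoring duplicate Content-Security-Policy directive 'report-uri'.\n";
+EXPECT_EQ(console_message, context.LastConsoleMessage());
+}
+}
+
+TEST(CSPPolicy, ReportInvalidDirectiveInMeta) {
+CSPContextTest context;
+CSPPolicy policy = CSPPolicy::Parse(
+&context,
+ContentSecurityPolicyHeader{"frame-ancestors 'self'",
+blink::WebContentSecurityPolicyTypeEnforce,
+blink::WebContentSecurityPolicySourceMeta});
+const char console_message[] =
+"Content Security Policies delivered via a <meta> element may not "
+"contain the frame-ancestors directive.";
+EXPECT_EQ(console_message, context.LastConsoleMessage());
+}
+
+TEST(CSPPolicy, ReportViolation) {
+CSPContextTest context;
+
+CSPPolicy policy = ParsePolicy(&context, "form-action www.example.com");
+EXPECT_FALSE(policy.Allow(&context, CSPDirective::FormAction,
+GURL("http://www.not-example.com")));
+
+const char console_message[] =
+"Refused to send form data to 'http://www.not-example.com/' because it "
+"violates the following Content Security Policy directive: \"form-action "
+"www.example.com\"\n";
+EXPECT_EQ(console_message, context.LastConsoleMessage());
+}
+
+TEST(CSPPolicy, DirectiveFallback) {
+{
+CSPContextTest context;
+CSPPolicy policy = ParsePolicy(&context, "default-src http://a.com");
+EXPECT_FALSE(
+policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://b.com")));
+const char console_message[] =
+"Refused to frame 'http://b.com/' because it violates "
+"the following Content Security Policy directive: \"default-src "
+"http://a.com\" Note that 'frame-src' was not explicitly "
+"set, so 'default-src' is used as a fallback.\n";
+EXPECT_EQ(console_message, context.LastConsoleMessage());
+EXPECT_TRUE(
+policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://a.com")));
+}
+{
+CSPContextTest context;
+CSPPolicy policy = ParsePolicy(&context, "child-src http://a.com");
+EXPECT_FALSE(
+policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://b.com")));
+const char console_message[] =
+"Refused to frame 'http://b.com/' because it violates "
+"the following Content Security Policy directive: \"child-src "
+"http://a.com\" Note that 'frame-src' was not explicitly "
+"set, so 'child-src' is used as a fallback.\n";
+EXPECT_EQ(console_message, context.LastConsoleMessage());
+EXPECT_TRUE(
+policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://a.com")));
+}
+{
+CSPContextTest context;
+CSPPolicy policy = ParsePolicy(&context,
+"frame-src http://a.com;"
+"child-src http://b.com;");
+EXPECT_TRUE(
+policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://a.com")));
+EXPECT_FALSE(
+policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://b.com")));
+const char console_message[] =
+"Refused to frame 'http://b.com/' because it violates "
+"the following Content Security Policy directive: \"frame-src "
+"http://a.com\"\n";
+EXPECT_EQ(console_message, context.LastConsoleMessage());
+}
+}
+
+} // namespace content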
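Review bot: CSPContextTest only retains the most recent console message, so the `EXPECT_TRUE(policy.Allow(...))` checks in DirectiveFallback cannot confirm that an allowed load produces no report — the message left behind by the preceding refused check would still satisfy any later comparison, and a regression that logs on permitted loads would go unnoticed. Recording every message lets the allowed case assert nothing new was emitted: `std::vector<std::string> console_messages_;`, `console_messages_.push_back(message);` in LogToConsole, and `const std::vector<std::string>& ConsoleMessages() const { return console_messages_; }` (with the matching `<string>`/`<vector>` includes); the existing tests can then compare against `.back()`. In the same spirit, `LastConsoleMessage()` only reads `console_message_` and should be `const`. ParsePolicy hard-codes `blink::WebContentSecurityPolicyTypeEnforce`, so nothing here exercises the report-only policy type; if the browser-side Parse handles it, a case asserting that a report-only policy still reports but does not block would be worth adding, though that behaviour is not visible in this file.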
