OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/common/content_security_policy/csp_context.h" |
| 6 #include "testing/gtest/include/gtest/gtest.h" |
| 7 |
| 8 namespace content { |
| 9 |
| 10 TEST(CSPSourceTest, ParseScheme) { |
| 11 // Empty scheme. |
| 12 EXPECT_FALSE(CSPSource::Parse(":")); |
| 13 |
| 14 // First character is alpha/non-alpha. |
| 15 EXPECT_TRUE(CSPSource::Parse("a:")); |
| 16 EXPECT_FALSE(CSPSource::Parse("1ab:")); |
| 17 EXPECT_FALSE(CSPSource::Parse("-:")); |
| 18 |
| 19 // Remaining characters. |
| 20 EXPECT_TRUE(CSPSource::Parse("abcd:")); |
| 21 EXPECT_TRUE(CSPSource::Parse("a123:")); |
| 22 EXPECT_TRUE(CSPSource::Parse("a+-:")); |
| 23 EXPECT_TRUE(CSPSource::Parse("a1+-:")); |
| 24 |
| 25 // Case sensitivity. |
| 26 EXPECT_TRUE(CSPSource::Parse("HTTP:")); |
| 27 EXPECT_TRUE(CSPSource::Parse("a-a:")); |
| 28 EXPECT_TRUE(CSPSource::Parse("A-B:")); |
| 29 } |
| 30 |
| 31 TEST(CSPSourceTest, ParseHost) { |
| 32 // Wildcards. |
| 33 EXPECT_TRUE(CSPSource::Parse("*")); |
| 34 EXPECT_FALSE(CSPSource::Parse("*.")); |
| 35 EXPECT_TRUE(CSPSource::Parse("*.a")); |
| 36 EXPECT_FALSE(CSPSource::Parse("a.*")); |
| 37 EXPECT_FALSE(CSPSource::Parse("a.*.b")); |
| 38 |
| 39 // Dot-separation. |
| 40 EXPECT_TRUE(CSPSource::Parse("a")); |
| 41 EXPECT_TRUE(CSPSource::Parse("a.b.c")); |
| 42 EXPECT_FALSE(CSPSource::Parse("a.b.")); |
| 43 EXPECT_FALSE(CSPSource::Parse(".b.c")); |
| 44 EXPECT_FALSE(CSPSource::Parse("a..c")); |
| 45 |
| 46 // Valid/Invalid characters. |
| 47 EXPECT_TRUE(CSPSource::Parse("az09-")); |
| 48 EXPECT_FALSE(CSPSource::Parse("+")); |
| 49 |
| 50 // Strange host. |
| 51 // REVIEW(arthursonzogni): Is that correct? |
| 52 EXPECT_TRUE(CSPSource::Parse("---.com")); |
| 53 } |
| 54 |
| 55 TEST(CSPSourceTest, ParsePort) { |
| 56 // Common case. |
| 57 EXPECT_TRUE(CSPSource::Parse("a:80")); |
| 58 EXPECT_EQ(CSPSource::Parse("a:80")->port, 80); |
| 59 EXPECT_EQ(CSPSource::Parse("a:80")->is_port_wildcard, false); |
| 60 |
| 61 // Empty port. |
| 62 EXPECT_TRUE(CSPSource::Parse("a")); |
| 63 EXPECT_EQ(CSPSource::Parse("a")->port, url::PORT_UNSPECIFIED); |
| 64 EXPECT_EQ(CSPSource::Parse("a")->is_port_wildcard, false); |
| 65 |
| 66 // Wildcard port. |
| 67 EXPECT_TRUE(CSPSource::Parse("a:*")); |
| 68 EXPECT_EQ(CSPSource::Parse("a:*")->port, url::PORT_UNSPECIFIED); |
| 69 EXPECT_EQ(CSPSource::Parse("a:*")->is_port_wildcard, true); |
| 70 |
| 71 // Leading zeroes. |
| 72 EXPECT_TRUE(CSPSource::Parse("a:000")); |
| 73 EXPECT_TRUE(CSPSource::Parse("a:0")); |
| 74 |
| 75 // Invalid chars. |
| 76 EXPECT_FALSE(CSPSource::Parse("a:-1")); |
| 77 EXPECT_FALSE(CSPSource::Parse("a:+1")); |
| 78 EXPECT_FALSE(CSPSource::Parse("a: 1")); |
| 79 } |
| 80 |
| 81 TEST(CSPSourceTest, ParsePath) { |
| 82 EXPECT_TRUE(CSPSource::Parse("a.com/path")); |
| 83 EXPECT_TRUE(CSPSource::Parse("a.com/path/")); |
| 84 EXPECT_TRUE(CSPSource::Parse("*/path")); |
| 85 |
| 86 EXPECT_EQ(CSPSource::Parse("a.com/path/to/file")->path, "/path/to/file"); |
| 87 EXPECT_EQ(CSPSource::Parse("a.com/path/to/dir/")->path, "/path/to/dir/"); |
| 88 |
| 89 EXPECT_EQ(CSPSource::Parse("host/query?url=9999")->path, "/query"); |
| 90 EXPECT_EQ(CSPSource::Parse("host/query#fragment")->path, "/query"); |
| 91 EXPECT_EQ(CSPSource::Parse("host/Hello%20G%C3%BCnter")->path, |
| 92 "/Hello Günter"); |
| 93 } |
| 94 |
| 95 TEST(CSPSourceTest, Parse) { |
| 96 // host |
| 97 EXPECT_TRUE(CSPSource::Parse("host.com")); |
| 98 |
| 99 // host/path |
| 100 EXPECT_TRUE(CSPSource::Parse("host.com/path")); |
| 101 |
| 102 // scheme: |
| 103 EXPECT_TRUE(CSPSource::Parse("http:")); |
| 104 EXPECT_FALSE(CSPSource::Parse("0000:")); |
| 105 |
| 106 // scheme://(.*) |
| 107 EXPECT_TRUE(CSPSource::Parse("http://host.com")); |
| 108 EXPECT_FALSE(CSPSource::Parse("http:/host.com")); |
| 109 EXPECT_FALSE(CSPSource::Parse("http://")); |
| 110 |
| 111 // scheme://host/path |
| 112 EXPECT_TRUE(CSPSource::Parse("http://host.com/path")); |
| 113 |
| 114 // host:port/path |
| 115 EXPECT_TRUE(CSPSource::Parse("http://host.com:80/path")); |
| 116 EXPECT_FALSE(CSPSource::Parse("http://host.com:xx/path")); |
| 117 |
| 118 // host:port |
| 119 EXPECT_TRUE(CSPSource::Parse("http://host.com:80")); |
| 120 EXPECT_FALSE(CSPSource::Parse("http://host.com:xx")); |
| 121 |
| 122 // Special URL: |
| 123 EXPECT_FALSE(CSPSource::Parse("about:blank")); |
| 124 } |
| 125 |
| 126 TEST(CSPSourceTest, AllowScheme) { |
| 127 CSPContext context; |
| 128 |
| 129 // http -> { http, https}. |
| 130 { |
| 131 CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 132 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); |
| 133 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); |
| 134 EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com"))); |
| 135 EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com"))); |
| 136 EXPECT_FALSE(source.Allow(&context, GURL("wss://a.com"))); |
| 137 } |
| 138 |
| 139 // ws -> { ws, wss}. |
| 140 { |
| 141 CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 142 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); |
| 143 EXPECT_FALSE(source.Allow(&context, GURL("https://a.com"))); |
| 144 EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com"))); |
| 145 EXPECT_TRUE(source.Allow(&context, GURL("ws://a.com"))); |
| 146 EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com"))); |
| 147 } |
| 148 |
| 149 // Exact matches required (ftp) |
| 150 { |
| 151 CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 152 EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com"))); |
| 153 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); |
| 154 } |
| 155 |
| 156 // Exact matches required (https) |
| 157 { |
| 158 CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 159 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); |
| 160 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); |
| 161 } |
| 162 |
| 163 // Exact matches required (wss) |
| 164 { |
| 165 CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 166 EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com"))); |
| 167 EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com"))); |
| 168 } |
| 169 |
| 170 // Scheme is empty (ProtocolMatchesSelf). |
| 171 { |
| 172 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 173 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); |
| 174 |
| 175 // Self's scheme is http. |
| 176 context.SetSelf(url::Origin(GURL("http://a.com"))); |
| 177 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); |
| 178 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); |
| 179 EXPECT_TRUE(source.Allow(&context, GURL("http-so://a.com"))); |
| 180 EXPECT_TRUE(source.Allow(&context, GURL("https-so://a.com"))); |
| 181 EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com"))); |
| 182 |
| 183 // Self's is https. |
| 184 context.SetSelf(url::Origin(GURL("https://a.com"))); |
| 185 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); |
| 186 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); |
| 187 EXPECT_FALSE(source.Allow(&context, GURL("http-so://a.com"))); |
| 188 // REVIEW(): Is it the correct behavior? |
| 189 EXPECT_FALSE(source.Allow(&context, GURL("https-so://a.com"))); |
| 190 EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com"))); |
| 191 |
| 192 // Self's scheme is not in the http familly. |
| 193 context.SetSelf(url::Origin(GURL("ftp://a.com/"))); |
| 194 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); |
| 195 EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com"))); |
| 196 |
| 197 // Self's scheme is unique. |
| 198 context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com"))); |
| 199 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); |
| 200 EXPECT_FALSE(source.Allow(&context, GURL("non-standard-scheme://a.com"))); |
| 201 } |
| 202 } |
| 203 |
| 204 TEST(CSPSourceTest, AllowHost) { |
| 205 CSPContext context; |
| 206 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 207 |
| 208 // Host is * (source-expression = "http://*") |
| 209 { |
| 210 CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, ""); |
| 211 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); |
| 212 EXPECT_TRUE(source.Allow(&context, GURL("http://."))); |
| 213 } |
| 214 |
| 215 // Host is *.foo.bar |
| 216 { |
| 217 CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, ""); |
| 218 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); |
| 219 EXPECT_FALSE(source.Allow(&context, GURL("http://bar"))); |
| 220 EXPECT_FALSE(source.Allow(&context, GURL("http://foo.bar"))); |
| 221 EXPECT_FALSE(source.Allow(&context, GURL("http://o.bar"))); |
| 222 EXPECT_TRUE(source.Allow(&context, GURL("http://*.foo.bar"))); |
| 223 EXPECT_TRUE(source.Allow(&context, GURL("http://sub.foo.bar"))); |
| 224 EXPECT_TRUE(source.Allow(&context, GURL("http://sub.sub.foo.bar"))); |
| 225 // FOR-REVIEWER: strange case? |
| 226 EXPECT_TRUE(source.Allow(&context, GURL("http://.foo.bar"))); |
| 227 } |
| 228 |
| 229 // Host is exact. |
| 230 { |
| 231 CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, ""); |
| 232 EXPECT_TRUE(source.Allow(&context, GURL("http://foo.bar"))); |
| 233 EXPECT_FALSE(source.Allow(&context, GURL("http://sub.foo.bar"))); |
| 234 EXPECT_FALSE(source.Allow(&context, GURL("http://bar"))); |
| 235 EXPECT_FALSE(source.Allow(&context, GURL("http://.foo.bar"))); |
| 236 } |
| 237 } |
| 238 |
| 239 TEST(CSPSourceTest, AllowPort) { |
| 240 CSPContext context; |
| 241 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 242 |
| 243 // Source's port unspecified. |
| 244 { |
| 245 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 246 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80"))); |
| 247 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080"))); |
| 248 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:443"))); |
| 249 EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:80"))); |
| 250 EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:8080"))); |
| 251 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443"))); |
| 252 EXPECT_FALSE(source.Allow(&context, GURL("unknown://a.com:80"))); |
| 253 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); |
| 254 } |
| 255 |
| 256 // Source's port is "*". |
| 257 { |
| 258 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, ""); |
| 259 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); |
| 260 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80"))); |
| 261 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8080"))); |
| 262 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8080"))); |
| 263 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:0"))); |
| 264 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); |
| 265 } |
| 266 |
| 267 // Source has a port. |
| 268 { |
| 269 CSPSource source("", "a.com", false, 80, false, ""); |
| 270 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80"))); |
| 271 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); |
| 272 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080"))); |
| 273 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); |
| 274 } |
| 275 |
| 276 // Allow upgrade from :80 to :443 |
| 277 { |
| 278 CSPSource source("", "a.com", false, 80, false, ""); |
| 279 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443"))); |
| 280 // REVIEW(arthursonzogni): Is it expected? |
| 281 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:443"))); |
| 282 } |
| 283 |
| 284 // Host is * but port is specified |
| 285 { |
| 286 CSPSource source("http", "", true, 111, false, ""); |
| 287 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:111"))); |
| 288 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:222"))); |
| 289 } |
| 290 } |
| 291 |
| 292 TEST(CSPSourceTest, AllowPath) { |
| 293 CSPContext context; |
| 294 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 295 |
| 296 // Path to a file |
| 297 { |
| 298 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, |
| 299 "/path/to/file"); |
| 300 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file"))); |
| 301 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to/"))); |
| 302 EXPECT_FALSE( |
| 303 source.Allow(&context, GURL("http://a.com/path/to/something"))); |
| 304 } |
| 305 |
| 306 // Path to a directory |
| 307 { |
| 308 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, |
| 309 "/path/to/"); |
| 310 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file"))); |
| 311 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/"))); |
| 312 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/"))); |
| 313 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to"))); |
| 314 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to"))); |
| 315 } |
| 316 |
| 317 // Empty path |
| 318 { |
| 319 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 320 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file"))); |
| 321 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/"))); |
| 322 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/"))); |
| 323 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); |
| 324 } |
| 325 |
| 326 // Almost empty path |
| 327 { |
| 328 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/"); |
| 329 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file"))); |
| 330 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/"))); |
| 331 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/"))); |
| 332 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); |
| 333 } |
| 334 |
| 335 // Path encoded. |
| 336 { |
| 337 CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, |
| 338 "/Hello Günter"); |
| 339 EXPECT_TRUE( |
| 340 source.Allow(&context, GURL("http://a.com/Hello%20G%C3%BCnter"))); |
| 341 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/Hello Günter"))); |
| 342 } |
| 343 |
| 344 // Host is * but path is specified. |
| 345 { |
| 346 CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, |
| 347 "/allowed-path"); |
| 348 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/allowed-path"))); |
| 349 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/disallowed-path"))); |
| 350 } |
| 351 } |
| 352 |
| 353 TEST(CSPSourceTest, ToString) { |
| 354 { |
| 355 CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 356 EXPECT_EQ("http", source.ToString()); |
| 357 } |
| 358 { |
| 359 CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 360 EXPECT_EQ("http://a.com", source.ToString()); |
| 361 } |
| 362 { |
| 363 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 364 EXPECT_EQ("a.com", source.ToString()); |
| 365 } |
| 366 { |
| 367 CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, ""); |
| 368 EXPECT_EQ("*.a.com", source.ToString()); |
| 369 } |
| 370 { |
| 371 CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, ""); |
| 372 EXPECT_EQ("*", source.ToString()); |
| 373 } |
| 374 { |
| 375 CSPSource source("", "a.com", false, 80, false, ""); |
| 376 EXPECT_EQ("a.com:80", source.ToString()); |
| 377 } |
| 378 { |
| 379 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, ""); |
| 380 EXPECT_EQ("a.com:*", source.ToString()); |
| 381 } |
| 382 { |
| 383 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path"); |
| 384 EXPECT_EQ("a.com/path", source.ToString()); |
| 385 } |
| 386 } |
| 387 |
| 388 } // namespace content |
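Review bot: ParsePort (new lines 55-79) covers leading zeroes and sign or space characters but never a port above 65535 or a digit run long enough to overflow the integer conversion, so the parser's handling of the one numeric field in a source expression is unpinned at its boundary. Add cases there such as `EXPECT_TRUE(CSPSource::Parse("a:65535"));` together with `a:65536` and a twenty-digit port, asserting whichever result the parser is meant to give. The `->port` and `->path` reads in ParsePort and ParsePath dereference the result of Parse() after only an `EXPECT_TRUE`, or with no check at all in ParsePath, so if Parse() returns an empty result the test would crash rather than fail; `ASSERT_TRUE(CSPSource::Parse("a:80"));` before each dereference avoids that. The assertions under the `REVIEW`/`FOR-REVIEWER` comments pin behaviour the author marks as unverified, and three of them are allow decisions (`---.com` parsing as a host, `http://.foo.bar` matching `*.foo.bar`, `http://a.com:443` matching a port-80 source). Each should be settled and the comment replaced by one naming the CSP matching rule it follows before this lands.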