| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/common/content_security_policy/csp_context.h" |
| 6 #include "content/common/content_security_policy_header.h" |
| 7 #include "testing/gtest/include/gtest/gtest.h" |
| 8 |
| 9 namespace content { |
| 10 |
| 11 namespace { |
| 12 class CSPContextTest : public CSPContext { |
| 13 public: |
| 14 const std::string& LastConsoleMessage() { return console_message_; } |
| 15 |
| 16 private: |
| 17 void LogToConsole(const std::string& message) override { |
| 18 console_message_ = message; |
| 19 } |
| 20 std::string console_message_; |
| 21 }; |
| 22 |
| 23 } // namespace |
| 24 |
| 25 TEST(CSPPolicy, NoDirective) { |
| 26 CSPContextTest context; |
| 27 std::vector<std::string> report_end_points; // empty |
| 28 CSPPolicy policy(blink::WebContentSecurityPolicyTypeEnforce, |
| 29 blink::WebContentSecurityPolicySourceHTTP, |
| 30 std::vector<CSPDirective>(), report_end_points); |
| 31 |
| 32 EXPECT_TRUE(policy.Allow(&context, CSPDirective::FormAction, |
| 33 GURL("http://www.example.com"))); |
| 34 EXPECT_EQ("", context.LastConsoleMessage()); |
| 35 } |
| 36 |
| 37 TEST(CSPPolicy, ReportViolation) { |
| 38 CSPContextTest context; |
| 39 |
| 40 // source = "www.example.com" |
| 41 CSPSource source("", "www.example.com", false, url::PORT_UNSPECIFIED, false, |
| 42 ""); |
| 43 CSPSourceList source_list(false, false, {source}); |
| 44 CSPDirective directive(CSPDirective::FormAction, source_list); |
| 45 std::vector<std::string> report_end_points; // empty |
| 46 CSPPolicy policy(blink::WebContentSecurityPolicyTypeEnforce, |
| 47 blink::WebContentSecurityPolicySourceHTTP, {directive}, |
| 48 report_end_points); |
| 49 |
| 50 EXPECT_FALSE(policy.Allow(&context, CSPDirective::FormAction, |
| 51 GURL("http://www.not-example.com"))); |
| 52 |
| 53 const char console_message[] = |
| 54 "Refused to send form data to 'http://www.not-example.com/' because it " |
| 55 "violates the following Content Security Policy directive: \"form-action " |
| 56 "www.example.com\".\n"; |
| 57 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
| 58 } |
| 59 |
| 60 TEST(CSPPolicy, DirectiveFallback) { |
| 61 CSPSource source_a("http", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 62 CSPSource source_b("http", "b.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 63 CSPSourceList source_list_a(false, false, {source_a}); |
| 64 CSPSourceList source_list_b(false, false, {source_b}); |
| 65 |
| 66 std::vector<std::string> report_end_points; // Empty. |
| 67 |
| 68 { |
| 69 CSPContextTest context; |
| 70 CSPPolicy policy(blink::WebContentSecurityPolicyTypeEnforce, |
| 71 blink::WebContentSecurityPolicySourceHTTP, |
| 72 {CSPDirective(CSPDirective::DefaultSrc, source_list_a)}, |
| 73 report_end_points); |
| 74 EXPECT_FALSE( |
| 75 policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://b.com"))); |
| 76 const char console_message[] = |
| 77 "Refused to frame 'http://b.com/' because it violates " |
| 78 "the following Content Security Policy directive: \"default-src " |
| 79 "http://a.com\". Note that 'frame-src' was not explicitly " |
| 80 "set, so 'default-src' is used as a fallback.\n"; |
| 81 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
| 82 EXPECT_TRUE( |
| 83 policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://a.com"))); |
| 84 } |
| 85 { |
| 86 CSPContextTest context; |
| 87 CSPPolicy policy(blink::WebContentSecurityPolicyTypeEnforce, |
| 88 blink::WebContentSecurityPolicySourceHTTP, |
| 89 {CSPDirective(CSPDirective::ChildSrc, source_list_a)}, |
| 90 report_end_points); |
| 91 EXPECT_FALSE( |
| 92 policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://b.com"))); |
| 93 const char console_message[] = |
| 94 "Refused to frame 'http://b.com/' because it violates " |
| 95 "the following Content Security Policy directive: \"child-src " |
| 96 "http://a.com\". Note that 'frame-src' was not explicitly " |
| 97 "set, so 'child-src' is used as a fallback.\n"; |
| 98 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
| 99 EXPECT_TRUE( |
| 100 policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://a.com"))); |
| 101 } |
| 102 { |
| 103 CSPContextTest context; |
| 104 CSPSourceList source_list(false, false, {source_a, source_b}); |
| 105 CSPPolicy policy(blink::WebContentSecurityPolicyTypeEnforce, |
| 106 blink::WebContentSecurityPolicySourceHTTP, |
| 107 {CSPDirective(CSPDirective::FrameSrc, {source_list_a}), |
| 108 CSPDirective(CSPDirective::ChildSrc, {source_list_b})}, |
| 109 report_end_points); |
| 110 EXPECT_TRUE( |
| 111 policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://a.com"))); |
| 112 EXPECT_FALSE( |
| 113 policy.Allow(&context, CSPDirective::FrameSrc, GURL("http://b.com"))); |
| 114 const char console_message[] = |
| 115 "Refused to frame 'http://b.com/' because it violates " |
| 116 "the following Content Security Policy directive: \"frame-src " |
| 117 "http://a.com\".\n"; |
| 118 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
| 119 } |
| 120 } |
| 121 |
| 122 } // namespace content |
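Review bot: In the third sub-case of `DirectiveFallback` the local `CSPSourceList source_list(false, false, {source_a, source_b});` (gutter line 104) is never used and should be dropped, and the two directives there are built with brace-wrapped lists (`{source_list_a}`, `{source_list_b}`) while the earlier sub-cases pass `source_list_a` directly; one form is enough. More importantly, the fixture only keeps the most recent message and nothing resets it, so the trailing `EXPECT_TRUE(policy.Allow(...))` checks in each sub-case cannot tell whether an allowed load wrongly logged a violation — the earlier violation text is still in `console_message_`. Consider adding `void ClearConsoleMessage() { console_message_.clear(); }` to `CSPContextTest`, calling it before each positive `Allow`, and asserting `EXPECT_EQ("", context.LastConsoleMessage())` afterwards, as `NoDirective` already does. Every policy here is `WebContentSecurityPolicyTypeEnforce`; a report-only policy case (where `Allow` should presumably return true while still logging) would pin down the other half of that enum, though whether that path is implemented yet is not visible from this file.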