OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "content/common/content_security_policy/csp_source_list.h" | |
6 #include "content/common/content_security_policy/csp_context.h" | |
7 #include "testing/gtest/include/gtest/gtest.h" | |
8 | |
9 namespace content { | |
10 | |
11 namespace { | |
12 | |
13 class CSPContextTest : public CSPContext { | |
14 public: | |
15 void AddSchemeToBypassCSP(const std::string& scheme) { | |
16 scheme_to_bypass_.push_back(scheme); | |
17 } | |
18 | |
19 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { | |
20 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), | |
21 scheme) != scheme_to_bypass_.end(); | |
22 } | |
23 | |
24 private: | |
25 std::vector<std::string> scheme_to_bypass_; | |
26 }; | |
27 } | |
28 | |
29 TEST(CSPSourceListTest, MultipleSource) { | |
30 CSPContextTest context; | |
31 context.SetSelf(url::Origin(GURL("http://example.com"))); | |
32 CSPSourceList source_list( | |
33 false, // allow_self | |
34 false, // allow_star: | |
35 {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false, ""), | |
36 CSPSource("", "b.com", false, url::PORT_UNSPECIFIED, false, "")}); | |
37 EXPECT_TRUE(source_list.Allow(&context, GURL("http://a.com"))); | |
38 EXPECT_TRUE(source_list.Allow(&context, GURL("http://b.com"))); | |
39 EXPECT_FALSE(source_list.Allow(&context, GURL("http://c.com"))); | |
40 } | |
41 | |
42 TEST(CSPSourceList, AllowStar) { | |
43 CSPContextTest context; | |
44 context.SetSelf(url::Origin(GURL("http://example.com"))); | |
45 CSPSourceList source_list(false, // allow_self | |
46 true, // allow_star: | |
47 std::vector<CSPSource>()); // source_list | |
48 EXPECT_TRUE(source_list.Allow(&context, GURL("http://not-example.com"))); | |
49 EXPECT_TRUE(source_list.Allow(&context, GURL("https://no-example.com"))); | |
Mike West
2017/02/13 14:10:51
Nit: Please use `not-example.com` throughout.
arthursonzogni
2017/02/14 17:07:03
Done.
| |
50 EXPECT_TRUE(source_list.Allow(&context, GURL("http-so://no-example.com"))); | |
51 EXPECT_TRUE(source_list.Allow(&context, GURL("https-so://no-example.com"))); | |
52 EXPECT_TRUE(source_list.Allow(&context, GURL("ws://no-example.com"))); | |
53 EXPECT_TRUE(source_list.Allow(&context, GURL("wss://no-example.com"))); | |
54 EXPECT_TRUE(source_list.Allow(&context, GURL("ftp://no-example.com"))); | |
55 | |
56 EXPECT_FALSE(source_list.Allow(&context, GURL("file://no-example.com"))); | |
57 EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test"))); | |
58 | |
59 // With a protocol of 'file', '*' allow 'file:' | |
60 context.SetSelf(url::Origin(GURL("file://example.com"))); | |
61 EXPECT_TRUE(source_list.Allow(&context, GURL("file://no-example.com"))); | |
62 EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test"))); | |
63 } | |
64 | |
65 TEST(CSPSourceList, AllowSelf) { | |
66 CSPContextTest context; | |
67 context.SetSelf(url::Origin(GURL("http://example.com"))); | |
68 CSPSourceList source_list(true, // allow_self | |
69 false, // allow_star: | |
70 std::vector<CSPSource>()); // source_list | |
71 EXPECT_TRUE(source_list.Allow(&context, GURL("http://example.com"))); | |
72 EXPECT_FALSE(source_list.Allow(&context, GURL("http://not-example.com"))); | |
73 EXPECT_TRUE(source_list.Allow(&context, GURL("https://example.com"))); | |
74 EXPECT_FALSE(source_list.Allow(&context, GURL("ws://example.com"))); | |
75 } | |
76 | |
77 TEST(CSPSourceList, AllowSelfWithFilesystem) { | |
78 CSPContextTest context; | |
79 context.SetSelf(url::Origin(GURL("https://a.test"))); | |
80 CSPSourceList source_list(true, // allow_self | |
81 false, // allow_star: | |
82 std::vector<CSPSource>()); // source_list | |
83 | |
84 GURL filesystem_url("filesystem:https://a.test/file.txt"); | |
85 | |
86 EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/"))); | |
87 EXPECT_FALSE(source_list.Allow(&context, filesystem_url)); | |
88 | |
89 context.AddSchemeToBypassCSP("https"); | |
90 | |
91 EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/"))); | |
92 EXPECT_TRUE(source_list.Allow(&context, filesystem_url)); | |
93 } | |
94 | |
95 TEST(CSPSourceList, AllowSelfWithBlob) { | |
96 CSPContextTest context; | |
97 context.SetSelf(url::Origin(GURL("https://a.test"))); | |
98 CSPSourceList source_list(true, // allow_self | |
Mike West
2017/02/13 14:10:51
Please add a test verifying `'self' blob:` and `'s
arthursonzogni
2017/02/14 17:07:03
I am not sure to understand what is the purpose. C
| |
99 false, // allow_star: | |
100 std::vector<CSPSource>()); // source_list | |
101 | |
102 EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/"))); | |
103 EXPECT_FALSE(source_list.Allow(&context, GURL("blob:https://a.test/"))); | |
104 | |
105 context.AddSchemeToBypassCSP("https"); | |
106 | |
107 EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/"))); | |
108 EXPECT_TRUE(source_list.Allow(&context, GURL("blob:https://a.test/"))); | |
109 } | |
110 | |
111 TEST(CSPSourceList, AllowSelfWithUnspecifiedPort) { | |
112 CSPContext context; | |
113 context.SetSelf(url::Origin(GURL("chrome://print"))); | |
114 CSPSourceList source_list(true, // allow_self | |
115 false, // allow_star: | |
116 std::vector<CSPSource>()); // source_list | |
117 | |
118 EXPECT_TRUE(source_list.Allow( | |
119 &context, | |
120 GURL("chrome://print/pdf_preview.html?chrome://print/1/0/print.pdf"))); | |
121 } | |
122 | |
123 TEST(CSPSourceList, AllowNone) { | |
124 CSPContextTest context; | |
125 context.SetSelf(url::Origin(GURL("http://example.com"))); | |
126 CSPSourceList source_list(false, // allow_self | |
127 false, // allow_star: | |
128 std::vector<CSPSource>()); // source_list | |
129 EXPECT_FALSE(source_list.Allow(&context, GURL("http://example.com"))); | |
130 EXPECT_FALSE(source_list.Allow(&context, GURL("https://example.test/"))); | |
131 } | |
132 | |
133 } // namespace content | |
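Review bot: The `AllowStar` test pins only `file:` and `applewebdata:` as rejected by `*` (file lines 56-57), so nothing here would catch a regression that lets the wildcard match `data:` or `filesystem:` URLs, which CSP deliberately keeps out of `*`. I would add, next to the existing `file:` check, `EXPECT_FALSE(source_list.Allow(&context, GURL("data:text/html,x")));` and `EXPECT_FALSE(source_list.Allow(&context, GURL("filesystem:http://not-example.com/f.txt")));`, assuming the implementation is meant to follow the spec here. The two bypass tests would also benefit from a negative case in which the bypassed scheme differs from the inner scheme of the `filesystem:` or `blob:` URL, because only the matching case is asserted today. Separately, `MultipleSource` is registered under `CSPSourceListTest` while every other case uses `CSPSourceList`, which splits the suite under gtest filters; one name should be used throughout.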