
Side by Side Diff: content/common/content_security_policy/csp_source_list_unittest.cc

Issue 2612793002: Implement ContentSecurityPolicy on the browser-side. (Closed)
Patch Set: Rename SchemeShouldBypass => SchemeShouldBypassCSP. Created 3 years, 10 months ago
OLDNEW
(Empty)
1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/common/content_security_policy/csp_source_list.h"
6 #include "content/common/content_security_policy/csp_context.h"
7 #include "testing/gtest/include/gtest/gtest.h"
8
9 namespace content {
10
11 namespace {
12
13 class CSPContextTest : public CSPContext {
14 public:
15 void AddSchemeToBypassCSP(const std::string& scheme) {
16 scheme_to_bypass_.push_back(scheme);
17 }
18
19 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
20 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
21 scheme) != scheme_to_bypass_.end();
22 }
23
24 private:
25 std::vector<std::string> scheme_to_bypass_;
26 };
27 }
28
29 TEST(CSPSourceListTest, MultipleSource) {
30 CSPContextTest context;
31 context.SetSelf(url::Origin(GURL("http://example.com")));
32 CSPSourceList source_list(
33 false, // allow_self
34 false, // allow_star:
35 {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false, ""),
36 CSPSource("", "b.com", false, url::PORT_UNSPECIFIED, false, "")});
37 EXPECT_TRUE(source_list.Allow(&context, GURL("http://a.com")));
38 EXPECT_TRUE(source_list.Allow(&context, GURL("http://b.com")));
39 EXPECT_FALSE(source_list.Allow(&context, GURL("http://c.com")));
40 }
41
42 TEST(CSPSourceList, AllowStar) {
43 CSPContextTest context;
44 context.SetSelf(url::Origin(GURL("http://example.com")));
45 CSPSourceList source_list(false, // allow_self
46 true, // allow_star:
47 std::vector<CSPSource>()); // source_list
48 EXPECT_TRUE(source_list.Allow(&context, GURL("http://not-example.com")));
49 EXPECT_TRUE(source_list.Allow(&context, GURL("https://no-example.com")));
Mike West 2017/02/13 14:10:51 Nit: Please use `not-example.com` throughout.
arthursonzogni 2017/02/14 17:07:03 Done.
50 EXPECT_TRUE(source_list.Allow(&context, GURL("http-so://no-example.com")));
51 EXPECT_TRUE(source_list.Allow(&context, GURL("https-so://no-example.com")));
52 EXPECT_TRUE(source_list.Allow(&context, GURL("ws://no-example.com")));
53 EXPECT_TRUE(source_list.Allow(&context, GURL("wss://no-example.com")));
54 EXPECT_TRUE(source_list.Allow(&context, GURL("ftp://no-example.com")));
55
56 EXPECT_FALSE(source_list.Allow(&context, GURL("file://no-example.com")));
57 EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test")));
58
59 // With a protocol of 'file', '*' allow 'file:'
60 context.SetSelf(url::Origin(GURL("file://example.com")));
61 EXPECT_TRUE(source_list.Allow(&context, GURL("file://no-example.com")));
62 EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test")));
63 }
64
65 TEST(CSPSourceList, AllowSelf) {
66 CSPContextTest context;
67 context.SetSelf(url::Origin(GURL("http://example.com")));
68 CSPSourceList source_list(true, // allow_self
69 false, // allow_star:
70 std::vector<CSPSource>()); // source_list
71 EXPECT_TRUE(source_list.Allow(&context, GURL("http://example.com")));
72 EXPECT_FALSE(source_list.Allow(&context, GURL("http://not-example.com")));
73 EXPECT_TRUE(source_list.Allow(&context, GURL("https://example.com")));
74 EXPECT_FALSE(source_list.Allow(&context, GURL("ws://example.com")));
75 }
76
77 TEST(CSPSourceList, AllowSelfWithFilesystem) {
78 CSPContextTest context;
79 context.SetSelf(url::Origin(GURL("https://a.test")));
80 CSPSourceList source_list(true, // allow_self
81 false, // allow_star:
82 std::vector<CSPSource>()); // source_list
83
84 GURL filesystem_url("filesystem:https://a.test/file.txt");
85
86 EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
87 EXPECT_FALSE(source_list.Allow(&context, filesystem_url));
88
89 context.AddSchemeToBypassCSP("https");
90
91 EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
92 EXPECT_TRUE(source_list.Allow(&context, filesystem_url));
93 }
94
95 TEST(CSPSourceList, AllowSelfWithBlob) {
96 CSPContextTest context;
97 context.SetSelf(url::Origin(GURL("https://a.test")));
98 CSPSourceList source_list(true, // allow_self
Mike West 2017/02/13 14:10:51 Please add a test verifying `'self' blob:` and `'s
arthursonzogni 2017/02/14 17:07:03 I am not sure to understand what is the purpose. C
99 false, // allow_star:
100 std::vector<CSPSource>()); // source_list
101
102 EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
103 EXPECT_FALSE(source_list.Allow(&context, GURL("blob:https://a.test/")));
104
105 context.AddSchemeToBypassCSP("https");
106
107 EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
108 EXPECT_TRUE(source_list.Allow(&context, GURL("blob:https://a.test/")));
109 }
110
111 TEST(CSPSourceList, AllowSelfWithUnspecifiedPort) {
112 CSPContext context;
113 context.SetSelf(url::Origin(GURL("chrome://print")));
114 CSPSourceList source_list(true, // allow_self
115 false, // allow_star:
116 std::vector<CSPSource>()); // source_list
117
118 EXPECT_TRUE(source_list.Allow(
119 &context,
120 GURL("chrome://print/pdf_preview.html?chrome://print/1/0/print.pdf")));
121 }
122
123 TEST(CSPSourceList, AllowNone) {
124 CSPContextTest context;
125 context.SetSelf(url::Origin(GURL("http://example.com")));
126 CSPSourceList source_list(false, // allow_self
127 false, // allow_star:
128 std::vector<CSPSource>()); // source_list
129 EXPECT_FALSE(source_list.Allow(&context, GURL("http://example.com")));
130 EXPECT_FALSE(source_list.Allow(&context, GURL("https://example.test/")));
131 }
132
133 } // namespace content
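Review bot: AllowSelfWithFilesystem and AllowSelfWithBlob only assert the permissive side of `AddSchemeToBypassCSP("https")`; after the call nothing checks that a wrapped URL whose inner scheme was not registered is still refused. Since the bypass list is what lets `filesystem:` and `blob:` URLs skip the policy, I would pin its scope with a negative assertion after each call, e.g. `EXPECT_FALSE(source_list.Allow(&context, GURL("blob:http://a.test/")));` and `EXPECT_FALSE(source_list.Allow(&context, GURL("filesystem:http://a.test/file.txt")));` (this assumes the bypass is keyed on the inner scheme, which the existing expectations suggest but the page does not show). AllowStar has a similar gap for `*`: it covers `file:` and `applewebdata:` but not `data:`, `blob:` or `filesystem:`, which a wildcard is normally expected to refuse. Separately, the first test is registered under suite `CSPSourceListTest` while the others use `CSPSourceList`; a single suite name would keep `--gtest_filter` patterns from silently missing one of them.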