1 // Copyright 2017 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "content/common/content_security_policy/csp_context.h" | |
6 #include "testing/gtest/include/gtest/gtest.h" | |
7 | |
8 namespace content { | |
9 | |
10 TEST(CSPSourceTest, BasicMatching) { | |
11 CSPContext context; | |
12 | |
13 CSPSource source("http", "example.com", false, 8000, false, "/foo/"); | |
Mike West
2017/02/13 14:10:51
Can you add a check for a source without a trailin
arthursonzogni
2017/02/14 17:07:03
This is done in CSPSourceTest.AllowPath, section "
14 | |
15 EXPECT_TRUE(source.Allow(&context, GURL("http://example.com:8000/foo/"))); | |
16 EXPECT_TRUE(source.Allow(&context, GURL("http://example.com:8000/foo/bar"))); | |
17 EXPECT_TRUE(source.Allow(&context, GURL("HTTP://EXAMPLE.com:8000/foo/BAR"))); | |
Mike West
2017/02/13 14:10:51
Can you add a check that `https://example.com:8000
arthursonzogni
2017/02/14 17:07:03
It is the same here, it is done in CSPSourceTest.A
18 | |
19 EXPECT_FALSE(source.Allow(&context, GURL("http://example.com:8000/bar/"))); | |
20 EXPECT_FALSE(source.Allow(&context, GURL("https://example.com:8000/bar/"))); | |
21 EXPECT_FALSE(source.Allow(&context, GURL("http://example.com:9000/bar/"))); | |
22 EXPECT_FALSE(source.Allow(&context, GURL("HTTP://example.com:8000/FOO/bar"))); | |
23 EXPECT_FALSE(source.Allow(&context, GURL("HTTP://example.com:8000/FOO/BAR"))); | |
24 } | |
25 | |
26 TEST(CSPSourceTest, AllowScheme) { | |
27 CSPContext context; | |
28 | |
29 // http -> { http, https}. | |
30 { | |
31 CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, ""); | |
32 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); | |
33 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); | |
34 EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com"))); | |
35 EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com"))); | |
36 EXPECT_FALSE(source.Allow(&context, GURL("wss://a.com"))); | |
37 } | |
38 | |
39 // ws -> { ws, wss}. | |
40 { | |
41 CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, ""); | |
42 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); | |
43 EXPECT_FALSE(source.Allow(&context, GURL("https://a.com"))); | |
44 EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com"))); | |
45 EXPECT_TRUE(source.Allow(&context, GURL("ws://a.com"))); | |
46 EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com"))); | |
47 } | |
48 | |
49 // Exact matches required (ftp) | |
50 { | |
51 CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, ""); | |
52 EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com"))); | |
53 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); | |
54 } | |
55 | |
56 // Exact matches required (https) | |
57 { | |
58 CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, ""); | |
59 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); | |
60 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); | |
61 } | |
62 | |
63 // Exact matches required (wss) | |
64 { | |
65 CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, ""); | |
66 EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com"))); | |
67 EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com"))); | |
68 } | |
69 | |
70 // Scheme is empty (ProtocolMatchesSelf). | |
71 { | |
72 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); | |
73 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); | |
74 | |
75 // Self's scheme is http. | |
76 context.SetSelf(url::Origin(GURL("http://a.com"))); | |
77 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); | |
78 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); | |
79 EXPECT_TRUE(source.Allow(&context, GURL("http-so://a.com"))); | |
80 EXPECT_TRUE(source.Allow(&context, GURL("https-so://a.com"))); | |
81 EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com"))); | |
82 | |
83 // Self's is https. | |
84 context.SetSelf(url::Origin(GURL("https://a.com"))); | |
85 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); | |
86 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); | |
87 EXPECT_FALSE(source.Allow(&context, GURL("http-so://a.com"))); | |
88 // REVIEW(): Is it the correct behavior? | |
89 EXPECT_FALSE(source.Allow(&context, GURL("https-so://a.com"))); | |
Mike West
2017/02/13 14:10:51
This seems wrong. We should be treating `https-so`
arthursonzogni
2017/02/14 17:07:03
Same results on the renderer-side:
https://coderev
Mike West
2017/02/15 16:18:17
Actually, this makes sense now that I think about
90 EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com"))); | |
91 | |
92 // Self's scheme is not in the http familly. | |
93 context.SetSelf(url::Origin(GURL("ftp://a.com/"))); | |
94 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); | |
95 EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com"))); | |
96 | |
97 // Self's scheme is unique. | |
98 context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com"))); | |
99 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); | |
100 EXPECT_FALSE(source.Allow(&context, GURL("non-standard-scheme://a.com"))); | |
Mike West
2017/02/13 14:10:51
This seems wrong too. This should match.
That sai
arthursonzogni
2017/02/14 17:07:03
Same results on the renderer-side.
https://coderev
101 } | |
102 } | |
103 | |
104 TEST(CSPSourceTest, AllowHost) { | |
105 CSPContext context; | |
106 context.SetSelf(url::Origin(GURL("http://example.com"))); | |
107 | |
108 // Host is * (source-expression = "http://*") | |
109 { | |
110 CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, ""); | |
111 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); | |
112 EXPECT_TRUE(source.Allow(&context, GURL("http://."))); | |
113 } | |
114 | |
115 // Host is *.foo.bar | |
116 { | |
117 CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, ""); | |
118 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com"))); | |
119 EXPECT_FALSE(source.Allow(&context, GURL("http://bar"))); | |
120 EXPECT_FALSE(source.Allow(&context, GURL("http://foo.bar"))); | |
121 EXPECT_FALSE(source.Allow(&context, GURL("http://o.bar"))); | |
122 EXPECT_TRUE(source.Allow(&context, GURL("http://*.foo.bar"))); | |
123 EXPECT_TRUE(source.Allow(&context, GURL("http://sub.foo.bar"))); | |
124 EXPECT_TRUE(source.Allow(&context, GURL("http://sub.sub.foo.bar"))); | |
125 // FOR-REVIEWER: strange case? | |
126 EXPECT_TRUE(source.Allow(&context, GURL("http://.foo.bar"))); | |
Mike West
2017/02/13 14:10:51
Doesn't the `.` get normalized away?
arthursonzogni
2017/02/14 17:07:03
No, I tried and got:
GURL("http://foo.bar") != GUR
127 } | |
128 | |
129 // Host is exact. | |
130 { | |
131 CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, ""); | |
132 EXPECT_TRUE(source.Allow(&context, GURL("http://foo.bar"))); | |
133 EXPECT_FALSE(source.Allow(&context, GURL("http://sub.foo.bar"))); | |
134 EXPECT_FALSE(source.Allow(&context, GURL("http://bar"))); | |
135 EXPECT_FALSE(source.Allow(&context, GURL("http://.foo.bar"))); | |
Mike West
2017/02/13 14:10:51
This surprises me.
arthursonzogni
2017/02/14 17:07:03
Same result on the renderer-side:
https://coderevi
136 } | |
137 } | |
138 | |
139 TEST(CSPSourceTest, AllowPort) { | |
140 CSPContext context; | |
141 context.SetSelf(url::Origin(GURL("http://example.com"))); | |
142 | |
143 // Source's port unspecified. | |
144 { | |
145 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); | |
146 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80"))); | |
147 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080"))); | |
148 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:443"))); | |
149 EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:80"))); | |
150 EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:8080"))); | |
151 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443"))); | |
152 EXPECT_FALSE(source.Allow(&context, GURL("unknown://a.com:80"))); | |
153 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); | |
Mike West
2017/02/13 14:10:51
Can you add `https://a.com` as well?
arthursonzogni
2017/02/14 17:07:03
Done.
154 } | |
155 | |
156 // Source's port is "*". | |
157 { | |
158 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, ""); | |
159 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); | |
160 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80"))); | |
161 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8080"))); | |
162 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8080"))); | |
163 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:0"))); | |
164 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); | |
165 } | |
166 | |
167 // Source has a port. | |
168 { | |
169 CSPSource source("", "a.com", false, 80, false, ""); | |
170 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80"))); | |
171 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); | |
172 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080"))); | |
173 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com"))); | |
174 } | |
175 | |
176 // Allow upgrade from :80 to :443 | |
177 { | |
178 CSPSource source("", "a.com", false, 80, false, ""); | |
179 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443"))); | |
180 // REVIEW(arthursonzogni): Is it expected? | |
181 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:443"))); | |
Mike West
2017/02/13 14:10:51
Seems weird. Does this work in Blink today?
arthursonzogni
2017/02/14 17:07:03
Yes it works on blink today.
Please see: https://c
182 } | |
183 | |
184 // Host is * but port is specified | |
185 { | |
186 CSPSource source("http", "", true, 111, false, ""); | |
187 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:111"))); | |
188 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:222"))); | |
189 } | |
190 } | |
191 | |
192 TEST(CSPSourceTest, AllowPath) { | |
193 CSPContext context; | |
194 context.SetSelf(url::Origin(GURL("http://example.com"))); | |
195 | |
196 // Path to a file | |
197 { | |
198 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, | |
199 "/path/to/file"); | |
200 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file"))); | |
Mike West
2017/02/13 14:10:51
Please add an expectation for `/path/to/file/with/
arthursonzogni
2017/02/14 17:07:03
Nice catch. Done!
201 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to/"))); | |
202 EXPECT_FALSE( | |
203 source.Allow(&context, GURL("http://a.com/path/to/something"))); | |
204 } | |
205 | |
206 // Path to a directory | |
207 { | |
208 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, | |
209 "/path/to/"); | |
210 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file"))); | |
211 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/"))); | |
212 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/"))); | |
213 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to"))); | |
214 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to"))); | |
215 } | |
216 | |
217 // Empty path | |
218 { | |
219 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); | |
220 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file"))); | |
221 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/"))); | |
222 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/"))); | |
223 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); | |
224 } | |
225 | |
226 // Almost empty path | |
227 { | |
228 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/"); | |
229 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file"))); | |
230 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/"))); | |
231 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/"))); | |
232 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com"))); | |
233 } | |
234 | |
235 // Path encoded. | |
236 { | |
237 CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, | |
238 "/Hello Günter"); | |
239 EXPECT_TRUE( | |
240 source.Allow(&context, GURL("http://a.com/Hello%20G%C3%BCnter"))); | |
241 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/Hello Günter"))); | |
242 } | |
243 | |
244 // Host is * but path is specified. | |
245 { | |
246 CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, | |
247 "/allowed-path"); | |
248 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/allowed-path"))); | |
249 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/disallowed-path"))); | |
250 } | |
251 } | |
252 | |
253 TEST(CSPSourceTest, RedirectMatching) { | |
254 CSPContext context; | |
255 CSPSource source("http", "a.com", false, 8000, false, "/bar/"); | |
256 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8000/"), true)); | |
257 EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8000/foo"), true)); | |
258 EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8000/foo"), true)); | |
259 EXPECT_FALSE(source.Allow(&context, GURL("http://not-a.com:8000/foo"), true)); | |
260 EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:9000/foo/"), false)); | |
261 } | |
262 | |
263 TEST(CSPSourceTest, ToString) { | |
264 { | |
265 CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, ""); | |
266 EXPECT_EQ("http:", source.ToString()); | |
267 } | |
268 { | |
269 CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, ""); | |
270 EXPECT_EQ("http://a.com", source.ToString()); | |
271 } | |
272 { | |
273 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); | |
274 EXPECT_EQ("a.com", source.ToString()); | |
275 } | |
276 { | |
277 CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, ""); | |
278 EXPECT_EQ("*.a.com", source.ToString()); | |
279 } | |
280 { | |
281 CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, ""); | |
282 EXPECT_EQ("*", source.ToString()); | |
283 } | |
284 { | |
285 CSPSource source("", "a.com", false, 80, false, ""); | |
286 EXPECT_EQ("a.com:80", source.ToString()); | |
287 } | |
288 { | |
289 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, ""); | |
290 EXPECT_EQ("a.com:*", source.ToString()); | |
291 } | |
292 { | |
293 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path"); | |
294 EXPECT_EQ("a.com/path", source.ToString()); | |
295 } | |
296 } | |
297 | |
298 } // namespace content | |
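Review bot: The "Path to a directory" block of CSPSourceTest.AllowPath asserts `EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to")));` twice (lines 213 and 214), so the second copy is dead and a case that was presumably intended is missing; replace it with a distinct negative case, e.g. `EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/too")));`, so the test pins that a directory source expression does not accept a sibling that merely shares a string prefix. The leftover reviewer markers in the test body — `// REVIEW(): Is it the correct behavior?` (line 88), `// FOR-REVIEWER: strange case?` (line 125) and `// REVIEW(arthursonzogni): Is it expected?` (line 180) — should be resolved before landing, either removed or rewritten as short comments stating why the expectation is correct, since the inline threads already discuss each of them. The comment on line 92 has a typo: `// Self's scheme is not in the http family.`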