
Side by Side Diff: content/common/content_security_policy/csp_source_unittest.cc

Issue 2612793002: Implement ContentSecurityPolicy on the browser-side. (Closed)
Patch Set: Nit. Created 3 years, 10 months ago
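--- a/content/common/content_security_policy/csp_source_unittest.cc
+++ b/content/common/content_security_policy/csp_source_unittest.cc
@@ -0,0 +1,301 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_context.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+TEST(CSPSourceTest, BasicMatching) {
+  CSPContext context;
+
+  CSPSource source("http", "example.com", false, 8000, false, "/foo/");
+
+  EXPECT_TRUE(source.Allow(&context, GURL("http://example.com:8000/foo/")));
+  EXPECT_TRUE(source.Allow(&context, GURL("http://example.com:8000/foo/bar")));
+  EXPECT_TRUE(source.Allow(&context, GURL("HTTP://EXAMPLE.com:8000/foo/BAR")));
+
+  EXPECT_FALSE(source.Allow(&context, GURL("http://example.com:8000/bar/")));
+  EXPECT_FALSE(source.Allow(&context, GURL("https://example.com:8000/bar/")));
+  EXPECT_FALSE(source.Allow(&context, GURL("http://example.com:9000/bar/")));
+  EXPECT_FALSE(source.Allow(&context, GURL("HTTP://example.com:8000/FOO/bar")));
+  EXPECT_FALSE(source.Allow(&context, GURL("HTTP://example.com:8000/FOO/BAR")));
+}
+
+TEST(CSPSourceTest, AllowScheme) {
+  CSPContext context;
+
+  // http -> {http, https}.
+  {
+    CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("wss://a.com")));
+  }
+
+  // ws -> {ws, wss}.
+  {
+    CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("ws://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com")));
+  }
+
+  // Exact matches required (ftp)
+  {
+    CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+  }
+
+  // Exact matches required (https)
+  {
+    CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+  }
+
+  // Exact matches required (wss)
+  {
+    CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com")));
+  }
+
+  // Scheme is empty (ProtocolMatchesSelf).
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+
+    // Self's scheme is http.
+    context.SetSelf(url::Origin(GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http-so://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https-so://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+
+    // Self's is https.
+    context.SetSelf(url::Origin(GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http-so://a.com")));
+    // REVIEW(): Is it the correct behavior?
+    EXPECT_FALSE(source.Allow(&context, GURL("https-so://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+
+    // Self's scheme is not in the http familly.
+    context.SetSelf(url::Origin(GURL("ftp://a.com/")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com")));
+
+    // Self's scheme is unique.
+    context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("non-standard-scheme://a.com")));
+  }
+}
+
+TEST(CSPSourceTest, AllowHost) {
+  CSPContext context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+
+  // Host is * (source-expression = "http://*")
+  {
+    CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://.")));
+  }
+
+  // Host is *.foo.bar
+  {
+    CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://foo.bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://o.bar")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://*.foo.bar")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://sub.foo.bar")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://sub.sub.foo.bar")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://.foo.bar")));
+  }
+
+  // Host is exact.
+  {
+    CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://foo.bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://sub.foo.bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://.foo.bar")));
+  }
+}
+
+TEST(CSPSourceTest, AllowPort) {
+  CSPContext context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+
+  // Source's port unspecified.
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:443")));
+    EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:80")));
+    EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:8080")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443")));
+    EXPECT_FALSE(source.Allow(&context, GURL("unknown://a.com:80")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+  }
+
+  // Source's port is "*".
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8080")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8080")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:0")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+  }
+
+  // Source has a port.
+  {
+    CSPSource source("", "a.com", false, 80, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+  }
+
+  // Allow upgrade from :80 to :443
+  {
+    CSPSource source("", "a.com", false, 80, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443")));
+    // REVIEW(arthursonzogni): Is it expected?
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:443")));
+  }
+
+  // Host is * but port is specified
+  {
+    CSPSource source("http", "", true, 111, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:111")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:222")));
+  }
+}
+
+TEST(CSPSourceTest, AllowPath) {
+  CSPContext context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+
+  // Path to a file
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
+                     "/path/to/file");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to/")));
+    EXPECT_FALSE(
+        source.Allow(&context, GURL("http://a.com/path/to/file/subpath")));
+    EXPECT_FALSE(
+        source.Allow(&context, GURL("http://a.com/path/to/something")));
+  }
+
+  // Path to a directory
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
+                     "/path/to/");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to")));
+  }
+
+  // Empty path
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+  }
+
+  // Almost empty path
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+  }
+
+  // Path encoded.
+  {
+    CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false,
+                     "/Hello Günter");
+    EXPECT_TRUE(
+        source.Allow(&context, GURL("http://a.com/Hello%20G%C3%BCnter")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/Hello Günter")));
+  }
+
+  // Host is * but path is specified.
+  {
+    CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false,
+                     "/allowed-path");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/allowed-path")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/disallowed-path")));
+  }
+}
+
+TEST(CSPSourceTest, RedirectMatching) {
+  CSPContext context;
+  CSPSource source("http", "a.com", false, 8000, false, "/bar/");
+  EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8000/"), true));
+  EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8000/foo"), true));
+  EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8000/foo"), true));
+  EXPECT_FALSE(source.Allow(&context, GURL("http://not-a.com:8000/foo"), true));
+  EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:9000/foo/"), false));
+}
+
+TEST(CSPSourceTest, ToString) {
+  {
+    CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("http:", source.ToString());
+  }
+  {
+    CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("http://a.com", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("a.com", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("*.a.com", source.ToString());
+  }
+  {
+    CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("*", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", false, 80, false, "");
+    EXPECT_EQ("a.com:80", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
+    EXPECT_EQ("a.com:*", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path");
+    EXPECT_EQ("a.com/path", source.ToString());
+  }
+}
+
+}  // namespace content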
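Review bot: The "Allow upgrade from :80 to :443" block in `AllowPort` pins a looser rule than its comment describes: with `CSPSource("", "a.com", false, 80, false, "")` it asserts that `http://a.com:443` is allowed, i.e. a plain-http URL on a non-default port matches an `a.com:80` source, while the comment only speaks of an upgrade to https on 443. If the matcher is intended to permit only the https upgrade, this expectation should read `EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:443")));` with the corresponding change in the matcher (not in this file); if the permissive match is deliberate, the `// REVIEW(arthursonzogni): Is it expected?` line should be replaced by a comment stating why, since an open question should not land as a passing test. The other marker, `// REVIEW(): Is it the correct behavior?` on the `https-so://a.com` expectation in `AllowScheme`, has no owner and should likewise be resolved or turned into a `TODO(owner)` before submit. Minor: the `http://a.com` assertion in the "Source's port unspecified" block and the `http://a.com/path/to` assertion in "Path to a directory" are each duplicated; the second copy of each could be dropped or repointed at a case not yet covered (e.g. `ws://a.com` for the unspecified-port source).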