| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/common/content_security_policy/csp_context.h" |
| 6 #include "content/common/content_security_policy_header.h" |
| 7 #include "testing/gtest/include/gtest/gtest.h" |
| 8 |
| 9 namespace content { |
| 10 |
| 11 namespace { |
| 12 |
| 13 class CSPContextTest : public CSPContext { |
| 14 public: |
| 15 const std::string& LastConsoleMessage() { return console_message_; } |
| 16 |
| 17 void AddSchemeToBypassCSP(const std::string& scheme) { |
| 18 scheme_to_bypass_.push_back(scheme); |
| 19 } |
| 20 |
| 21 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { |
| 22 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), |
| 23 scheme) != scheme_to_bypass_.end(); |
| 24 } |
| 25 |
| 26 private: |
| 27 void LogToConsole(const std::string& message) override { |
| 28 console_message_ = message; |
| 29 } |
| 30 std::string console_message_; |
| 31 std::vector<std::string> scheme_to_bypass_; |
| 32 }; |
| 33 |
| 34 // Build a new policy made of only one directive and no report endpoints. |
| 35 ContentSecurityPolicy BuildPolicy(CSPDirective::Name directive_name, |
| 36 std::vector<CSPSource> sources) { |
| 37 return ContentSecurityPolicy( |
| 38 blink::WebContentSecurityPolicyTypeEnforce, |
| 39 blink::WebContentSecurityPolicySourceHTTP, |
| 40 {CSPDirective(directive_name, CSPSourceList(false, false, sources))}, |
| 41 std::vector<std::string>()); // report_end_points |
| 42 } |
| 43 |
| 44 } // namespace; |
| 45 |
| 46 TEST(CSPContextTest, SchemeShouldBypassCSP) { |
| 47 CSPContextTest context; |
| 48 CSPSource source("", "example.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 49 ContentSecurityPolicy policy = |
| 50 BuildPolicy(CSPDirective::DefaultSrc, {source}); |
| 51 EXPECT_FALSE(context.Allow({policy}, CSPDirective::FrameSrc, |
| 52 GURL("data:text/html,<html></html>"))); |
| 53 context.AddSchemeToBypassCSP("data"); |
| 54 EXPECT_TRUE(context.Allow({policy}, CSPDirective::FrameSrc, |
| 55 GURL("data:text/html,<html></html>"))); |
| 56 } |
| 57 |
| 58 TEST(CSPContextTest, MultiplePolicies) { |
| 59 CSPContextTest context; |
| 60 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 61 |
| 62 CSPSource source_a("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 63 CSPSource source_b("", "b.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 64 CSPSource source_c("", "c.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 65 |
| 66 ContentSecurityPolicy policy1 = |
| 67 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_b}); |
| 68 ContentSecurityPolicy policy2 = |
| 69 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_c}); |
| 70 |
| 71 std::vector<ContentSecurityPolicy> policies = {policy1, policy2}; |
| 72 |
| 73 EXPECT_TRUE( |
| 74 context.Allow(policies, CSPDirective::FrameSrc, GURL("http://a.com"))); |
| 75 EXPECT_FALSE( |
| 76 context.Allow(policies, CSPDirective::FrameSrc, GURL("http://b.com"))); |
| 77 EXPECT_FALSE( |
| 78 context.Allow(policies, CSPDirective::FrameSrc, GURL("http://c.com"))); |
| 79 EXPECT_FALSE( |
| 80 context.Allow(policies, CSPDirective::FrameSrc, GURL("http://d.com"))); |
| 81 } |
| 82 |
| 83 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2612793002:
Implement ContentSecurityPolicy on the browser-side. (Closed)
