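--- /dev/null
+++ b/PLACEHOLDER_PATH
@@ -0,0 +1,317 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_context.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+namespace {
+
+// Allow() is an abbreviation of CSPSource::Allow(). Useful for writting test
+// expectations on one line.
+bool Allow(const CSPSource& source,
+const GURL& url,
+CSPContext* context,
+bool is_redirect = false) {
+return CSPSource::Allow(source, url, context, is_redirect);
+}
+
+} // namespace
+
+TEST(CSPSourceTest, BasicMatching) {
+CSPContext context;
+
+CSPSource source("http", "example.com", false, 8000, false, "/foo/");
+
+EXPECT_TRUE(Allow(source, GURL("http://example.com:8000/foo/"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://example.com:8000/foo/bar"), &context));
+EXPECT_TRUE(Allow(source, GURL("HTTP://EXAMPLE.com:8000/foo/BAR"), &context));
+
+EXPECT_FALSE(Allow(source, GURL("http://example.com:8000/bar/"), &context));
+EXPECT_FALSE(Allow(source, GURL("https://example.com:8000/bar/"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://example.com:9000/bar/"), &context));
+EXPECT_FALSE(
+Allow(source, GURL("HTTP://example.com:8000/FOO/bar"), &context));
+EXPECT_FALSE(
+Allow(source, GURL("HTTP://example.com:8000/FOO/BAR"), &context));
+}
+
+TEST(CSPSourceTest, AllowScheme) {
+CSPContext context;
+
+// http -> {http, https}.
+{
+CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("wss://a.com"), &context));
+}
+
+// ws -> {ws, wss}.
+{
+CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("https://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("ws://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("wss://a.com"), &context));
+}
+
+// Exact matches required (ftp)
+{
+CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
+}
+
+// Exact matches required (https)
+{
+CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
+}
+
+// Exact matches required (wss)
+{
+CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_TRUE(Allow(source, GURL("wss://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context));
+}
+
+// Scheme is empty (ProtocolMatchesSelf).
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
+
+// Self's scheme is http.
+context.SetSelf(url::Origin(GURL("http://a.com")));
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("http-so://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("https-so://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
+
+// Self's is https.
+context.SetSelf(url::Origin(GURL("https://a.com")));
+EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("http-so://a.com"), &context));
+// REVIEW(): Is it the correct behavior?
+EXPECT_FALSE(Allow(source, GURL("https-so://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
+
+// Self's scheme is not in the http familly.
+context.SetSelf(url::Origin(GURL("ftp://a.com/")));
+EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context));
+
+// Self's scheme is unique.
+context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com")));
+EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("non-standard-scheme://a.com"), &context));
+}
+}
+
+TEST(CSPSourceTest, AllowHost) {
+CSPContext context;
+context.SetSelf(url::Origin(GURL("http://example.com")));
+
+// Host is * (source-expression = "http://*")
+{
+CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, "");
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://."), &context));
+}
+
+// Host is *.foo.bar
+{
+CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, "");
+EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://bar"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://foo.bar"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://o.bar"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://*.foo.bar"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://sub.foo.bar"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://sub.sub.foo.bar"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://.foo.bar"), &context));
+}
+
+// Host is exact.
+{
+CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_TRUE(Allow(source, GURL("http://foo.bar"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://sub.foo.bar"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://bar"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://.foo.bar"), &context));
+}
+}
+
+TEST(CSPSourceTest, AllowPort) {
+CSPContext context;
+context.SetSelf(url::Origin(GURL("http://example.com")));
+
+// Source's port unspecified.
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com:443"), &context));
+EXPECT_FALSE(Allow(source, GURL("https://a.com:80"), &context));
+EXPECT_FALSE(Allow(source, GURL("https://a.com:8080"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context));
+EXPECT_FALSE(Allow(source, GURL("unknown://a.com:80"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
+}
+
+// Source's port is "*".
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com:8080"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com:8080"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com:0"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
+}
+
+// Source has a port.
+{
+CSPSource source("", "a.com", false, 80, false, "");
+EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context));
+EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
+}
+
+// Allow upgrade from :80 to :443
+{
+CSPSource source("", "a.com", false, 80, false, "");
+EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context));
+// REVIEW(arthursonzogni): Is it expected?
+EXPECT_TRUE(Allow(source, GURL("http://a.com:443"), &context));
+}
+
+// Host is * but port is specified
+{
+CSPSource source("http", "", true, 111, false, "");
+EXPECT_TRUE(Allow(source, GURL("http://a.com:111"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com:222"), &context));
+}
+}
+
+TEST(CSPSourceTest, AllowPath) {
+CSPContext context;
+context.SetSelf(url::Origin(GURL("http://example.com")));
+
+// Path to a file
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
+"/path/to/file");
+EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to/"), &context));
+EXPECT_FALSE(
+Allow(source, GURL("http://a.com/path/to/file/subpath"), &context));
+EXPECT_FALSE(
+Allow(source, GURL("http://a.com/path/to/something"), &context));
+}
+
+// Path to a directory
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
+"/path/to/");
+EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com/path/"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to"), &context));
+}
+
+// Empty path
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com/"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+}
+
+// Almost empty path
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/");
+EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com/"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
+}
+
+// Path encoded.
+{
+CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false,
+"/Hello Günter");
+EXPECT_TRUE(
+Allow(source, GURL("http://a.com/Hello%20G%C3%BCnter"), &context));
+EXPECT_TRUE(Allow(source, GURL("http://a.com/Hello Günter"), &context));
+}
+
+// Host is * but path is specified.
+{
+CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false,
+"/allowed-path");
+EXPECT_TRUE(Allow(source, GURL("http://a.com/allowed-path"), &context));
+EXPECT_FALSE(Allow(source, GURL("http://a.com/disallowed-path"), &context));
+}
+}
+
+TEST(CSPSourceTest, RedirectMatching) {
+CSPContext context;
+CSPSource source("http", "a.com", false, 8000, false, "/bar/");
+EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/"), &context, true));
+EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/foo"), &context, true));
+EXPECT_TRUE(Allow(source, GURL("https://a.com:8000/foo"), &context, true));
+EXPECT_FALSE(
+Allow(source, GURL("http://not-a.com:8000/foo"), &context, true));
+EXPECT_FALSE(Allow(source, GURL("http://a.com:9000/foo/"), &context, false));
+}
+
+TEST(CSPSourceTest, ToString) {
+{
+CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_EQ("http:", source.ToString());
+}
+{
+CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_EQ("http://a.com", source.ToString());
+}
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+EXPECT_EQ("a.com", source.ToString());
+}
+{
+CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, "");
+EXPECT_EQ("*.a.com", source.ToString());
+}
+{
+CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, "");
+EXPECT_EQ("*", source.ToString());
+}
+{
+CSPSource source("", "a.com", false, 80, false, "");
+EXPECT_EQ("a.com:80", source.ToString());
+}
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
+EXPECT_EQ("a.com:*", source.ToString());
+}
+{
+CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path");
+EXPECT_EQ("a.com/path", source.ToString());
+}
+}
+
+} // namespace content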
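Review bot: The two `// REVIEW(...)` markers left in the new file (new lines 103 and 196) pin behaviour the author is openly unsure of into passing assertions, and the second one is the more consequential: with a port-80 source, `EXPECT_TRUE(Allow(source, GURL("http://a.com:443"), &context));` asserts a match that the preceding comment `// Allow upgrade from :80 to :443` does not describe, since the scheme stays http and only the port differs, so landing this as-is locks in what may be an over-permissive port match in CSPSource::Allow rather than a deliberate upgrade rule. Either resolve the question with the CSP matching implementation and rewrite the comment to state the intended rule, or turn the uncertain line into a documented `EXPECT_FALSE` with a pointer to the spec text, but do not leave open questions as green tests. The same applies to `EXPECT_FALSE(Allow(source, GURL("https-so://a.com"), &context));` when self is https, which contradicts the http-self block just above it and deserves a one-line comment on why. Separately, AllowPort repeats `EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));` verbatim (new lines 167–168) and AllowPath repeats the `http://a.com/path/to` expectation (new lines 231–232); each duplicate should be dropped or changed to the distinct case it was presumably meant to cover, and the comment typos `writting` and `familly` fixed while editing.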