| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/common/content_security_policy/csp_source_list.h" |
| 6 #include "content/common/content_security_policy/csp_context.h" |
| 7 #include "testing/gtest/include/gtest/gtest.h" |
| 8 |
| 9 namespace content { |
| 10 |
| 11 namespace { |
| 12 |
| 13 class CSPContextTest : public CSPContext { |
| 14 public: |
| 15 void AddSchemeToBypassCSP(const std::string& scheme) { |
| 16 scheme_to_bypass_.push_back(scheme); |
| 17 } |
| 18 |
| 19 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { |
| 20 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), |
| 21 scheme) != scheme_to_bypass_.end(); |
| 22 } |
| 23 |
| 24 private: |
| 25 std::vector<std::string> scheme_to_bypass_; |
| 26 }; |
| 27 |
| 28 // Allow() is an abbreviation of CSPSourceList::Allow(). Useful for writting |
| 29 // test expectations on one line. |
| 30 bool Allow(const CSPSourceList& source_list, |
| 31 const GURL& url, |
| 32 CSPContext* context, |
| 33 bool is_redirect = false) { |
| 34 return CSPSourceList::Allow(source_list, url, context, is_redirect); |
| 35 } |
| 36 |
| 37 } // namespace |
| 38 |
| 39 TEST(CSPSourceListTest, MultipleSource) { |
| 40 CSPContextTest context; |
| 41 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 42 CSPSourceList source_list( |
| 43 false, // allow_self |
| 44 false, // allow_star: |
| 45 {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false, ""), |
| 46 CSPSource("", "b.com", false, url::PORT_UNSPECIFIED, false, "")}); |
| 47 EXPECT_TRUE(Allow(source_list, GURL("http://a.com"), &context)); |
| 48 EXPECT_TRUE(Allow(source_list, GURL("http://b.com"), &context)); |
| 49 EXPECT_FALSE(Allow(source_list, GURL("http://c.com"), &context)); |
| 50 } |
| 51 |
| 52 TEST(CSPSourceList, AllowStar) { |
| 53 CSPContextTest context; |
| 54 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 55 CSPSourceList source_list(false, // allow_self |
| 56 true, // allow_star: |
| 57 std::vector<CSPSource>()); // source_list |
| 58 EXPECT_TRUE(Allow(source_list, GURL("http://not-example.com"), &context)); |
| 59 EXPECT_TRUE(Allow(source_list, GURL("https://not-example.com"), &context)); |
| 60 EXPECT_TRUE(Allow(source_list, GURL("http-so://not-example.com"), &context)); |
| 61 EXPECT_TRUE(Allow(source_list, GURL("https-so://not-example.com"), &context)); |
| 62 EXPECT_TRUE(Allow(source_list, GURL("ws://not-example.com"), &context)); |
| 63 EXPECT_TRUE(Allow(source_list, GURL("wss://not-example.com"), &context)); |
| 64 EXPECT_TRUE(Allow(source_list, GURL("ftp://not-example.com"), &context)); |
| 65 |
| 66 EXPECT_FALSE(Allow(source_list, GURL("file://not-example.com"), &context)); |
| 67 EXPECT_FALSE(Allow(source_list, GURL("applewebdata://a.test"), &context)); |
| 68 |
| 69 // With a protocol of 'file', '*' allow 'file:' |
| 70 context.SetSelf(url::Origin(GURL("file://example.com"))); |
| 71 EXPECT_TRUE(Allow(source_list, GURL("file://not-example.com"), &context)); |
| 72 EXPECT_FALSE(Allow(source_list, GURL("applewebdata://a.test"), &context)); |
| 73 } |
| 74 |
| 75 TEST(CSPSourceList, AllowSelf) { |
| 76 CSPContextTest context; |
| 77 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 78 CSPSourceList source_list(true, // allow_self |
| 79 false, // allow_star: |
| 80 std::vector<CSPSource>()); // source_list |
| 81 EXPECT_TRUE(Allow(source_list, GURL("http://example.com"), &context)); |
| 82 EXPECT_FALSE(Allow(source_list, GURL("http://not-example.com"), &context)); |
| 83 EXPECT_TRUE(Allow(source_list, GURL("https://example.com"), &context)); |
| 84 EXPECT_FALSE(Allow(source_list, GURL("ws://example.com"), &context)); |
| 85 } |
| 86 |
| 87 TEST(CSPSourceList, AllowSelfWithFilesystem) { |
| 88 CSPContextTest context; |
| 89 context.SetSelf(url::Origin(GURL("https://a.test"))); |
| 90 CSPSourceList source_list(true, // allow_self |
| 91 false, // allow_star: |
| 92 std::vector<CSPSource>()); // source_list |
| 93 |
| 94 GURL filesystem_url("filesystem:https://a.test/file.txt"); |
| 95 |
| 96 EXPECT_TRUE(Allow(source_list, GURL("https://a.test/"), &context)); |
| 97 EXPECT_FALSE(Allow(source_list, filesystem_url, &context)); |
| 98 |
| 99 // Register 'https' as bypassing CSP, which should trigger the inner URL |
| 100 // behavior. |
| 101 context.AddSchemeToBypassCSP("https"); |
| 102 |
| 103 EXPECT_TRUE(Allow(source_list, GURL("https://a.test/"), &context)); |
| 104 EXPECT_TRUE(Allow(source_list, filesystem_url, &context)); |
| 105 } |
| 106 |
| 107 TEST(CSPSourceList, BlobDisallowedWhenBypassingSelfScheme) { |
| 108 CSPContextTest context; |
| 109 context.SetSelf(url::Origin(GURL("https://a.test"))); |
| 110 CSPSource blob( |
| 111 CSPSource("blob", "", false, url::PORT_UNSPECIFIED, false, "")); |
| 112 CSPSourceList source_list(true, // allow_self |
| 113 false, // allow_star: |
| 114 {blob}); // source_list |
| 115 |
| 116 GURL blob_url_self("blob:https://a.test/1be95204-93d6-4GUID"); |
| 117 GURL blob_url_not_self("blob:https://b.test/1be95204-93d6-4GUID"); |
| 118 |
| 119 EXPECT_TRUE(Allow(source_list, blob_url_self, &context)); |
| 120 EXPECT_TRUE(Allow(source_list, blob_url_not_self, &context)); |
| 121 |
| 122 // Register 'https' as bypassing CSP, which should trigger the inner URL |
| 123 // behavior. |
| 124 context.AddSchemeToBypassCSP("https"); |
| 125 |
| 126 EXPECT_TRUE(Allow(source_list, blob_url_self, &context)); |
| 127 // TODO(arthursonzogni, mkwst): This should be true |
| 128 // see http://crbug.com/692046 |
| 129 EXPECT_FALSE(Allow(source_list, blob_url_not_self, &context)); |
| 130 } |
| 131 |
| 132 TEST(CSPSourceList, FilesystemDisallowedWhenBypassingSelfScheme) { |
| 133 CSPContextTest context; |
| 134 context.SetSelf(url::Origin(GURL("https://a.test"))); |
| 135 CSPSource filesystem( |
| 136 CSPSource("filesystem", "", false, url::PORT_UNSPECIFIED, false, "")); |
| 137 CSPSourceList source_list(true, // allow_self |
| 138 false, // allow_star: |
| 139 {filesystem}); // source_list |
| 140 |
| 141 GURL filesystem_url_self("filesystem:https://a.test/file.txt"); |
| 142 GURL filesystem_url_not_self("filesystem:https://b.test/file.txt"); |
| 143 |
| 144 EXPECT_TRUE(Allow(source_list, filesystem_url_self, &context)); |
| 145 EXPECT_TRUE(Allow(source_list, filesystem_url_not_self, &context)); |
| 146 |
| 147 // Register 'https' as bypassing CSP, which should trigger the inner URL |
| 148 // behavior. |
| 149 context.AddSchemeToBypassCSP("https"); |
| 150 |
| 151 EXPECT_TRUE(Allow(source_list, filesystem_url_self, &context)); |
| 152 // TODO(arthursonzogni, mkwst): This should be true |
| 153 // see http://crbug.com/692046 |
| 154 EXPECT_FALSE(Allow(source_list, filesystem_url_not_self, &context)); |
| 155 } |
| 156 |
| 157 TEST(CSPSourceList, AllowSelfWithUnspecifiedPort) { |
| 158 CSPContext context; |
| 159 context.SetSelf(url::Origin(GURL("chrome://print"))); |
| 160 CSPSourceList source_list(true, // allow_self |
| 161 false, // allow_star: |
| 162 std::vector<CSPSource>()); // source_list |
| 163 |
| 164 EXPECT_TRUE(Allow( |
| 165 source_list, |
| 166 GURL("chrome://print/pdf_preview.html?chrome://print/1/0/print.pdf"), |
| 167 &context)); |
| 168 } |
| 169 |
| 170 TEST(CSPSourceList, AllowNone) { |
| 171 CSPContextTest context; |
| 172 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 173 CSPSourceList source_list(false, // allow_self |
| 174 false, // allow_star: |
| 175 std::vector<CSPSource>()); // source_list |
| 176 EXPECT_FALSE(Allow(source_list, GURL("http://example.com"), &context)); |
| 177 EXPECT_FALSE(Allow(source_list, GURL("https://example.test/"), &context)); |
| 178 } |
| 179 |
| 180 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2612793002:
Implement ContentSecurityPolicy on the browser-side. (Closed)
