(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/common/content_security_policy/csp_context.h" |
| 6 #include "testing/gtest/include/gtest/gtest.h" |
| 7 |
| 8 namespace content { |
| 9 |
| 10 namespace { |
| 11 |
| 12 // Allow() is an abbreviation of CSPSource::Allow(). Useful for writting test |
| 13 // expectations on one line. |
| 14 bool Allow(const CSPSource& source, |
| 15 const GURL& url, |
| 16 CSPContext* context, |
| 17 bool is_redirect = false) { |
| 18 return CSPSource::Allow(source, url, context, is_redirect); |
| 19 } |
| 20 |
| 21 } // namespace |
| 22 |
| 23 TEST(CSPSourceTest, BasicMatching) { |
| 24 CSPContext context; |
| 25 |
| 26 CSPSource source("http", "example.com", false, 8000, false, "/foo/"); |
| 27 |
| 28 EXPECT_TRUE(Allow(source, GURL("http://example.com:8000/foo/"), &context)); |
| 29 EXPECT_TRUE(Allow(source, GURL("http://example.com:8000/foo/bar"), &context)); |
| 30 EXPECT_TRUE(Allow(source, GURL("HTTP://EXAMPLE.com:8000/foo/BAR"), &context)); |
| 31 |
| 32 EXPECT_FALSE(Allow(source, GURL("http://example.com:8000/bar/"), &context)); |
| 33 EXPECT_FALSE(Allow(source, GURL("https://example.com:8000/bar/"), &context)); |
| 34 EXPECT_FALSE(Allow(source, GURL("http://example.com:9000/bar/"), &context)); |
| 35 EXPECT_FALSE( |
| 36 Allow(source, GURL("HTTP://example.com:8000/FOO/bar"), &context)); |
| 37 EXPECT_FALSE( |
| 38 Allow(source, GURL("HTTP://example.com:8000/FOO/BAR"), &context)); |
| 39 } |
| 40 |
| 41 TEST(CSPSourceTest, AllowScheme) { |
| 42 CSPContext context; |
| 43 |
| 44 // http -> {http, https}. |
| 45 { |
| 46 CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 47 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 48 EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
| 49 // TODO(mkwst, arthursonzogni): It is weird to upgrade the scheme without |
| 50 // the port. See http://crbug.com/692499 |
| 51 EXPECT_TRUE(Allow(source, GURL("https://a.com:80"), &context)); |
| 52 EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context)); |
| 53 EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context)); |
| 54 EXPECT_FALSE(Allow(source, GURL("wss://a.com"), &context)); |
| 55 } |
| 56 |
| 57 // ws -> {ws, wss}. |
| 58 { |
| 59 CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 60 EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
| 61 EXPECT_FALSE(Allow(source, GURL("https://a.com"), &context)); |
| 62 EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context)); |
| 63 EXPECT_TRUE(Allow(source, GURL("ws://a.com"), &context)); |
| 64 EXPECT_TRUE(Allow(source, GURL("wss://a.com"), &context)); |
| 65 } |
| 66 |
| 67 // Exact matches required (ftp) |
| 68 { |
| 69 CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 70 EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context)); |
| 71 EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
| 72 } |
| 73 |
| 74 // Exact matches required (https) |
| 75 { |
| 76 CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 77 EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
| 78 EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
| 79 } |
| 80 |
| 81 // Exact matches required (wss) |
| 82 { |
| 83 CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 84 EXPECT_TRUE(Allow(source, GURL("wss://a.com"), &context)); |
| 85 EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context)); |
| 86 } |
| 87 |
| 88 // Scheme is empty (ProtocolMatchesSelf). |
| 89 { |
| 90 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 91 EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
| 92 |
| 93 // Self's scheme is http. |
| 94 context.SetSelf(url::Origin(GURL("http://a.com"))); |
| 95 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 96 EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
| 97 EXPECT_TRUE(Allow(source, GURL("http-so://a.com"), &context)); |
| 98 EXPECT_TRUE(Allow(source, GURL("https-so://a.com"), &context)); |
| 99 EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context)); |
| 100 |
| 101 // Self's is https. |
| 102 context.SetSelf(url::Origin(GURL("https://a.com"))); |
| 103 EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
| 104 EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
| 105 EXPECT_FALSE(Allow(source, GURL("http-so://a.com"), &context)); |
| 106 // TODO(mkwst, arthursonzogni): Maybe it should return true. |
| 107 // See http://crbug.com/692442: |
| 108 EXPECT_FALSE(Allow(source, GURL("https-so://a.com"), &context)); |
| 109 EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context)); |
| 110 |
| 111 // Self's scheme is not in the http familly. |
| 112 context.SetSelf(url::Origin(GURL("ftp://a.com/"))); |
| 113 EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
| 114 EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context)); |
| 115 |
| 116 // Self's scheme is unique. |
| 117 context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com"))); |
| 118 // TODO(mkwst, arthursonzogni): This result might be wrong. |
| 119 // See http://crbug.com/692449 |
| 120 EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
| 121 // TODO(mkwst, arthursonzogni): This result might be wrong. |
| 122 // See http://crbug.com/692449 |
| 123 EXPECT_FALSE(Allow(source, GURL("non-standard-scheme://a.com"), &context)); |
| 124 } |
| 125 } |
| 126 |
| 127 TEST(CSPSourceTest, AllowHost) { |
| 128 CSPContext context; |
| 129 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 130 |
| 131 // Host is * (source-expression = "http://*") |
| 132 { |
| 133 CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, ""); |
| 134 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 135 EXPECT_TRUE(Allow(source, GURL("http://."), &context)); |
| 136 } |
| 137 |
| 138 // Host is *.foo.bar |
| 139 { |
| 140 CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, ""); |
| 141 EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
| 142 EXPECT_FALSE(Allow(source, GURL("http://bar"), &context)); |
| 143 EXPECT_FALSE(Allow(source, GURL("http://foo.bar"), &context)); |
| 144 EXPECT_FALSE(Allow(source, GURL("http://o.bar"), &context)); |
| 145 EXPECT_TRUE(Allow(source, GURL("http://*.foo.bar"), &context)); |
| 146 EXPECT_TRUE(Allow(source, GURL("http://sub.foo.bar"), &context)); |
| 147 EXPECT_TRUE(Allow(source, GURL("http://sub.sub.foo.bar"), &context)); |
| 148 // Please see http://crbug.com/692505 |
| 149 EXPECT_TRUE(Allow(source, GURL("http://.foo.bar"), &context)); |
| 150 } |
| 151 |
| 152 // Host is exact. |
| 153 { |
| 154 CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, ""); |
| 155 EXPECT_TRUE(Allow(source, GURL("http://foo.bar"), &context)); |
| 156 EXPECT_FALSE(Allow(source, GURL("http://sub.foo.bar"), &context)); |
| 157 EXPECT_FALSE(Allow(source, GURL("http://bar"), &context)); |
| 158 // Please see http://crbug.com/692505 |
| 159 EXPECT_FALSE(Allow(source, GURL("http://.foo.bar"), &context)); |
| 160 } |
| 161 } |
| 162 |
| 163 TEST(CSPSourceTest, AllowPort) { |
| 164 CSPContext context; |
| 165 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 166 |
| 167 // Source's port unspecified. |
| 168 { |
| 169 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 170 EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context)); |
| 171 EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context)); |
| 172 EXPECT_FALSE(Allow(source, GURL("http://a.com:443"), &context)); |
| 173 EXPECT_FALSE(Allow(source, GURL("https://a.com:80"), &context)); |
| 174 EXPECT_FALSE(Allow(source, GURL("https://a.com:8080"), &context)); |
| 175 EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context)); |
| 176 EXPECT_FALSE(Allow(source, GURL("unknown://a.com:80"), &context)); |
| 177 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 178 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 179 EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
| 180 } |
| 181 |
| 182 // Source's port is "*". |
| 183 { |
| 184 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, ""); |
| 185 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 186 EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context)); |
| 187 EXPECT_TRUE(Allow(source, GURL("http://a.com:8080"), &context)); |
| 188 EXPECT_TRUE(Allow(source, GURL("https://a.com:8080"), &context)); |
| 189 EXPECT_TRUE(Allow(source, GURL("https://a.com:0"), &context)); |
| 190 EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
| 191 } |
| 192 |
| 193 // Source has a port. |
| 194 { |
| 195 CSPSource source("", "a.com", false, 80, false, ""); |
| 196 EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context)); |
| 197 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 198 EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context)); |
| 199 EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
| 200 } |
| 201 |
| 202 // Allow upgrade from :80 to :443 |
| 203 { |
| 204 CSPSource source("", "a.com", false, 80, false, ""); |
| 205 EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context)); |
| 206 // TODO(mkwst, arthursonzogni): It is weird to upgrade the port without the |
| 207 // sheme. See http://crbug.com/692499 |
| 208 EXPECT_TRUE(Allow(source, GURL("http://a.com:443"), &context)); |
| 209 } |
| 210 |
| 211 // Host is * but port is specified |
| 212 { |
| 213 CSPSource source("http", "", true, 111, false, ""); |
| 214 EXPECT_TRUE(Allow(source, GURL("http://a.com:111"), &context)); |
| 215 EXPECT_FALSE(Allow(source, GURL("http://a.com:222"), &context)); |
| 216 } |
| 217 } |
| 218 |
| 219 TEST(CSPSourceTest, AllowPath) { |
| 220 CSPContext context; |
| 221 context.SetSelf(url::Origin(GURL("http://example.com"))); |
| 222 |
| 223 // Path to a file |
| 224 { |
| 225 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, |
| 226 "/path/to/file"); |
| 227 EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context)); |
| 228 EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to/"), &context)); |
| 229 EXPECT_FALSE( |
| 230 Allow(source, GURL("http://a.com/path/to/file/subpath"), &context)); |
| 231 EXPECT_FALSE( |
| 232 Allow(source, GURL("http://a.com/path/to/something"), &context)); |
| 233 } |
| 234 |
| 235 // Path to a directory |
| 236 { |
| 237 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, |
| 238 "/path/to/"); |
| 239 EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context)); |
| 240 EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context)); |
| 241 EXPECT_FALSE(Allow(source, GURL("http://a.com/path/"), &context)); |
| 242 EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to"), &context)); |
| 243 EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to"), &context)); |
| 244 } |
| 245 |
| 246 // Empty path |
| 247 { |
| 248 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 249 EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context)); |
| 250 EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context)); |
| 251 EXPECT_TRUE(Allow(source, GURL("http://a.com/"), &context)); |
| 252 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 253 } |
| 254 |
| 255 // Almost empty path |
| 256 { |
| 257 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/"); |
| 258 EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context)); |
| 259 EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context)); |
| 260 EXPECT_TRUE(Allow(source, GURL("http://a.com/"), &context)); |
| 261 EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
| 262 } |
| 263 |
| 264 // Path encoded. |
| 265 { |
| 266 CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, |
| 267 "/Hello Günter"); |
| 268 EXPECT_TRUE( |
| 269 Allow(source, GURL("http://a.com/Hello%20G%C3%BCnter"), &context)); |
| 270 EXPECT_TRUE(Allow(source, GURL("http://a.com/Hello Günter"), &context)); |
| 271 } |
| 272 |
| 273 // Host is * but path is specified. |
| 274 { |
| 275 CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, |
| 276 "/allowed-path"); |
| 277 EXPECT_TRUE(Allow(source, GURL("http://a.com/allowed-path"), &context)); |
| 278 EXPECT_FALSE(Allow(source, GURL("http://a.com/disallowed-path"), &context)); |
| 279 } |
| 280 } |
| 281 |
| 282 TEST(CSPSourceTest, RedirectMatching) { |
| 283 CSPContext context; |
| 284 CSPSource source("http", "a.com", false, 8000, false, "/bar/"); |
| 285 EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/"), &context, true)); |
| 286 EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/foo"), &context, true)); |
| 287 EXPECT_TRUE(Allow(source, GURL("https://a.com:8000/foo"), &context, true)); |
| 288 EXPECT_FALSE( |
| 289 Allow(source, GURL("http://not-a.com:8000/foo"), &context, true)); |
| 290 EXPECT_FALSE(Allow(source, GURL("http://a.com:9000/foo/"), &context, false)); |
| 291 } |
| 292 |
| 293 TEST(CSPSourceTest, ToString) { |
| 294 { |
| 295 CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, ""); |
| 296 EXPECT_EQ("http:", source.ToString()); |
| 297 } |
| 298 { |
| 299 CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 300 EXPECT_EQ("http://a.com", source.ToString()); |
| 301 } |
| 302 { |
| 303 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
| 304 EXPECT_EQ("a.com", source.ToString()); |
| 305 } |
| 306 { |
| 307 CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, ""); |
| 308 EXPECT_EQ("*.a.com", source.ToString()); |
| 309 } |
| 310 { |
| 311 CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, ""); |
| 312 EXPECT_EQ("*", source.ToString()); |
| 313 } |
| 314 { |
| 315 CSPSource source("", "a.com", false, 80, false, ""); |
| 316 EXPECT_EQ("a.com:80", source.ToString()); |
| 317 } |
| 318 { |
| 319 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, ""); |
| 320 EXPECT_EQ("a.com:*", source.ToString()); |
| 321 } |
| 322 { |
| 323 CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path"); |
| 324 EXPECT_EQ("a.com/path", source.ToString()); |
| 325 } |
| 326 } |
| 327 |
| 328 } // namespace content |
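Review bot: The "Path to a file" case in CSPSourceTest.AllowPath never checks a URL whose path merely extends the source path without a separator, so an implementation that did a plain prefix compare would still pass: `/path/to/file/subpath` and `/path/to/something` are rejected, but `/path/to/file2` is not exercised, and per CSP a path that does not end in `/` must match exactly. I would add `EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to/file2"), &context));` next to the existing `/path/to/file/subpath` assertion. The assertions on lines 177/178 (`http://a.com` twice) and 242/243 (`/path/to` twice) are duplicated and look like copy-paste; each second copy could carry a distinct case such as `GURL("http://a.com:443")` for the port test and the `file2` URL above for the path test. In RedirectMatching the only non-redirect assertion uses port 9000, which already fails on the port, so it does not show that the path is enforced again when `is_redirect` is false; `EXPECT_FALSE(Allow(source, GURL("http://a.com:8000/foo"), &context, false));` would pin that. Minor: the helper comment at line 12 reads "writting" for "writing".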