
Unified Diff: content/common/content_security_policy/csp_source_list_unittest.cc

Issue 2612793002: Implement ContentSecurityPolicy on the browser-side. (Closed)
Patch Set: Temporary re-add the parser + transmit parsed CSP over IPC. Created 3 years, 11 months ago
Index: content/common/content_security_policy/csp_source_list_unittest.cc
diff --git a/content/common/content_security_policy/csp_source_list_unittest.cc b/content/common/content_security_policy/csp_source_list_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..1bac2f5aa355b62dc8ee0a3648df8a539a9aa427
--- /dev/null
+++ b/content/common/content_security_policy/csp_source_list_unittest.cc
@@ -0,0 +1,95 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_context.h"
+#include "content/common/content_security_policy/csp_source_list.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+namespace {
+class CSPContextTest : public CSPContext {
+ public:
+ const std::string& LastConsoleMessage() { return console_message_; }
+
+ private:
+ void LogToConsole(const std::string& message) override {
+ console_message_ = message;
+ }
+ std::string console_message_;
+};
+}
+
+TEST(CSPSourceListTest, MultipleSource) {
+ CSPContextTest context;
+ context.SetSelf(url::Origin(GURL("http://example.com")));
+ CSPSourceList source_list(
+ false, // allow_self
+ false, // allow_star:
+ {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false, ""),
+ CSPSource("", "b.com", false, url::PORT_UNSPECIFIED, false, "")});
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http://b.com")));
+ EXPECT_FALSE(source_list.Allow(&context, GURL("http://c.com")));
+}
+
+TEST(CSPSourceList, ReportInvalidSourceExpression) {
+ const char console_message[] =
+ "The source list for Content Security Policy directive 'default-src' "
+ "contains an invalid source: ''invalid''. It will be ignored.";
+ CSPContextTest context;
+ CSPSourceList::Parse(&context, "default-src", "'invalid'");
+ EXPECT_EQ(console_message, context.LastConsoleMessage());
+}
+
+TEST(CSPSourceList, ReportInvalidSourceExpressionNone) {
+ const char console_message[] =
+ "The source list for Content Security Policy directive 'default-src' "
+ "contains an invalid source: ''none''. It will be ignored. Note that "
+ "'none' has no effect unless it is the only expression in the source "
+ "list.";
+ {
+ CSPContextTest context;
+ CSPSourceList::Parse(&context, "default-src", "'none' 'none'");
+ EXPECT_EQ(console_message, context.LastConsoleMessage());
+ }
+ {
+ CSPContextTest context;
+ CSPSourceList::Parse(&context, "default-src", "'none' 'self'");
+ EXPECT_EQ(console_message, context.LastConsoleMessage());
+ }
+}
+
+TEST(CSPSourceList, AllowStar) {
+ CSPContextTest context;
+ context.SetSelf(url::Origin(GURL("http://example.com")));
+ CSPSourceList source_list(false, // allow_self
+ true, // allow_star:
+ std::vector<CSPSource>()); // source_list
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http://not-example.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https://no-example.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http-so://no-example.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https-so://no-example.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("ws://no-example.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("wss://no-example.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("ftp://no-example.com")));
+
+ EXPECT_FALSE(source_list.Allow(&context, GURL("file://no-example.com")));
+ context.SetSelf(url::Origin(GURL("file://example.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("file://no-example.com")));
+}
+
+TEST(CSPSourceList, AllowSelf) {
+ CSPContextTest context;
+ context.SetSelf(url::Origin(GURL("http://example.com")));
+ CSPSourceList source_list(true, // allow_self
+ false, // allow_star:
+ std::vector<CSPSource>()); // source_list
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http://example.com")));
+ EXPECT_FALSE(source_list.Allow(&context, GURL("http://not-example.com")));
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https://example.com")));
+ EXPECT_FALSE(source_list.Allow(&context, GURL("ws://example.com")));
+}
+
+} // namespace content
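Review bot: The AllowStar test pins `file:` as the only scheme that `*` must reject, so a regression that let the wildcard match `data:`, `blob:` or `filesystem:` URLs would pass unnoticed; assuming this implementation follows the CSP rule that `*` excludes those schemes, add `EXPECT_FALSE(source_list.Allow(&context, GURL("data:text/html,hello")));` and matching `blob:` and `filesystem:` cases. AllowSelf checks that an `http` self allows the `https` URL but not the reverse: with self set to `https://example.com`, `http://example.com` should be asserted as rejected so that a scheme downgrade cannot slip through. The two ReportInvalidSourceExpression tests compare only the console message and ignore whatever `CSPSourceList::Parse` produces, so they would not catch a parser that logs the warning yet still honours the invalid token; if Parse returns the parsed list, assert on it as well. As a style point, the first test uses the suite name `CSPSourceListTest` while the others use `CSPSourceList`, which splits the file across two gtest suites for filtering.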
