Index: content/common/content_security_policy/csp_source_list_unittest.cc |
diff --git a/content/common/content_security_policy/csp_source_list_unittest.cc b/content/common/content_security_policy/csp_source_list_unittest.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..3edba23f8efce5c30e808ed654bd40dffe14a6e0 |
--- /dev/null |
+++ b/content/common/content_security_policy/csp_source_list_unittest.cc |
@@ -0,0 +1,133 @@ |
+// Copyright 2017 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "content/common/content_security_policy/csp_source_list.h" |
+#include "content/common/content_security_policy/csp_context.h" |
+#include "testing/gtest/include/gtest/gtest.h" |
+ |
+namespace content { |
+ |
+namespace { |
+ |
+class CSPContextTest : public CSPContext { |
+ public: |
+ void AddSchemeToBypassCSP(const std::string& scheme) { |
+ scheme_to_bypass_.push_back(scheme); |
+ } |
+ |
+ bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { |
+ return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), |
+ scheme) != scheme_to_bypass_.end(); |
+ } |
+ |
+ private: |
+ std::vector<std::string> scheme_to_bypass_; |
+}; |
+} |
+ |
+TEST(CSPSourceListTest, MultipleSource) { |
+ CSPContextTest context; |
+ context.SetSelf(url::Origin(GURL("http://example.com"))); |
+ CSPSourceList source_list( |
+ false, // allow_self |
+ false, // allow_star: |
+ {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false, ""), |
+ CSPSource("", "b.com", false, url::PORT_UNSPECIFIED, false, "")}); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http://a.com"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http://b.com"))); |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("http://c.com"))); |
+} |
+ |
+TEST(CSPSourceList, AllowStar) { |
+ CSPContextTest context; |
+ context.SetSelf(url::Origin(GURL("http://example.com"))); |
+ CSPSourceList source_list(false, // allow_self |
+ true, // allow_star: |
+ std::vector<CSPSource>()); // source_list |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http://not-example.com"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https://no-example.com"))); |
Mike West
2017/02/13 14:10:51
Nit: Please use `not-example.com` throughout.
arthursonzogni
2017/02/14 17:07:03
Done.
|
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http-so://no-example.com"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https-so://no-example.com"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("ws://no-example.com"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("wss://no-example.com"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("ftp://no-example.com"))); |
+ |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("file://no-example.com"))); |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test"))); |
+ |
+ // With a protocol of 'file', '*' allow 'file:' |
+ context.SetSelf(url::Origin(GURL("file://example.com"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("file://no-example.com"))); |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test"))); |
+} |
+ |
+TEST(CSPSourceList, AllowSelf) { |
+ CSPContextTest context; |
+ context.SetSelf(url::Origin(GURL("http://example.com"))); |
+ CSPSourceList source_list(true, // allow_self |
+ false, // allow_star: |
+ std::vector<CSPSource>()); // source_list |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("http://example.com"))); |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("http://not-example.com"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https://example.com"))); |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("ws://example.com"))); |
+} |
+ |
+TEST(CSPSourceList, AllowSelfWithFilesystem) { |
+ CSPContextTest context; |
+ context.SetSelf(url::Origin(GURL("https://a.test"))); |
+ CSPSourceList source_list(true, // allow_self |
+ false, // allow_star: |
+ std::vector<CSPSource>()); // source_list |
+ |
+ GURL filesystem_url("filesystem:https://a.test/file.txt"); |
+ |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/"))); |
+ EXPECT_FALSE(source_list.Allow(&context, filesystem_url)); |
+ |
+ context.AddSchemeToBypassCSP("https"); |
+ |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/"))); |
+ EXPECT_TRUE(source_list.Allow(&context, filesystem_url)); |
+} |
+ |
+TEST(CSPSourceList, AllowSelfWithBlob) { |
+ CSPContextTest context; |
+ context.SetSelf(url::Origin(GURL("https://a.test"))); |
+ CSPSourceList source_list(true, // allow_self |
Mike West
2017/02/13 14:10:51
Please add a test verifying `'self' blob:` and `'s
arthursonzogni
2017/02/14 17:07:03
I am not sure to understand what is the purpose. C
|
+ false, // allow_star: |
+ std::vector<CSPSource>()); // source_list |
+ |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/"))); |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("blob:https://a.test/"))); |
+ |
+ context.AddSchemeToBypassCSP("https"); |
+ |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/"))); |
+ EXPECT_TRUE(source_list.Allow(&context, GURL("blob:https://a.test/"))); |
+} |
+ |
+TEST(CSPSourceList, AllowSelfWithUnspecifiedPort) { |
+ CSPContext context; |
+ context.SetSelf(url::Origin(GURL("chrome://print"))); |
+ CSPSourceList source_list(true, // allow_self |
+ false, // allow_star: |
+ std::vector<CSPSource>()); // source_list |
+ |
+ EXPECT_TRUE(source_list.Allow( |
+ &context, |
+ GURL("chrome://print/pdf_preview.html?chrome://print/1/0/print.pdf"))); |
+} |
+ |
+TEST(CSPSourceList, AllowNone) { |
+ CSPContextTest context; |
+ context.SetSelf(url::Origin(GURL("http://example.com"))); |
+ CSPSourceList source_list(false, // allow_self |
+ false, // allow_star: |
+ std::vector<CSPSource>()); // source_list |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("http://example.com"))); |
+ EXPECT_FALSE(source_list.Allow(&context, GURL("https://example.test/"))); |
+} |
+ |
+} // namespace content |