| Index: content/common/content_security_policy/csp_source_list_unittest.cc
|
| diff --git a/content/common/content_security_policy/csp_source_list_unittest.cc b/content/common/content_security_policy/csp_source_list_unittest.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..6566661c1995056b5ab26c12736ef09eb41c90d9
|
| --- /dev/null
|
| +++ b/content/common/content_security_policy/csp_source_list_unittest.cc
|
| @@ -0,0 +1,169 @@
|
| +// Copyright 2017 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "content/common/content_security_policy/csp_source_list.h"
|
| +#include "content/common/content_security_policy/csp_context.h"
|
| +#include "testing/gtest/include/gtest/gtest.h"
|
| +
|
| +namespace content {
|
| +
|
| +namespace {
|
| +
|
| +class CSPContextTest : public CSPContext {
|
| + public:
|
| + void AddSchemeToBypassCSP(const std::string& scheme) {
|
| + scheme_to_bypass_.push_back(scheme);
|
| + }
|
| +
|
| + bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
|
| + return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
|
| + scheme) != scheme_to_bypass_.end();
|
| + }
|
| +
|
| + private:
|
| + std::vector<std::string> scheme_to_bypass_;
|
| +};
|
| +}
|
| +
|
| +TEST(CSPSourceListTest, MultipleSource) {
|
| + CSPContextTest context;
|
| + context.SetSelf(url::Origin(GURL("http://example.com")));
|
| + CSPSourceList source_list(
|
| + false, // allow_self
|
| + false, // allow_star:
|
| + {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false, ""),
|
| + CSPSource("", "b.com", false, url::PORT_UNSPECIFIED, false, "")});
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("http://a.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("http://b.com")));
|
| + EXPECT_FALSE(source_list.Allow(&context, GURL("http://c.com")));
|
| +}
|
| +
|
| +TEST(CSPSourceList, AllowStar) {
|
| + CSPContextTest context;
|
| + context.SetSelf(url::Origin(GURL("http://example.com")));
|
| + CSPSourceList source_list(false, // allow_self
|
| + true, // allow_star:
|
| + std::vector<CSPSource>()); // source_list
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("http://not-example.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("https://not-example.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("http-so://not-example.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("https-so://not-example.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("ws://not-example.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("wss://not-example.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("ftp://not-example.com")));
|
| +
|
| + EXPECT_FALSE(source_list.Allow(&context, GURL("file://not-example.com")));
|
| + EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test")));
|
| +
|
| + // With a protocol of 'file', '*' allow 'file:'
|
| + context.SetSelf(url::Origin(GURL("file://example.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("file://not-example.com")));
|
| + EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test")));
|
| +}
|
| +
|
| +TEST(CSPSourceList, AllowSelf) {
|
| + CSPContextTest context;
|
| + context.SetSelf(url::Origin(GURL("http://example.com")));
|
| + CSPSourceList source_list(true, // allow_self
|
| + false, // allow_star:
|
| + std::vector<CSPSource>()); // source_list
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("http://example.com")));
|
| + EXPECT_FALSE(source_list.Allow(&context, GURL("http://not-example.com")));
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("https://example.com")));
|
| + EXPECT_FALSE(source_list.Allow(&context, GURL("ws://example.com")));
|
| +}
|
| +
|
| +TEST(CSPSourceList, AllowSelfWithFilesystem) {
|
| + CSPContextTest context;
|
| + context.SetSelf(url::Origin(GURL("https://a.test")));
|
| + CSPSourceList source_list(true, // allow_self
|
| + false, // allow_star:
|
| + std::vector<CSPSource>()); // source_list
|
| +
|
| + GURL filesystem_url("filesystem:https://a.test/file.txt");
|
| +
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
|
| + EXPECT_FALSE(source_list.Allow(&context, filesystem_url));
|
| +
|
| + // Register 'https' as bypassing CSP, which should trigger the inner URL
|
| + // behavior.
|
| + context.AddSchemeToBypassCSP("https");
|
| +
|
| + EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
|
| + EXPECT_TRUE(source_list.Allow(&context, filesystem_url));
|
| +}
|
| +
|
| +TEST(CSPSourceList, BlobDisallowedWhenBypassingSelfScheme) {
|
| + CSPContextTest context;
|
| + context.SetSelf(url::Origin(GURL("https://a.test")));
|
| + CSPSource blob(
|
| + CSPSource("blob", "", false, url::PORT_UNSPECIFIED, false, ""));
|
| + CSPSourceList source_list(true, // allow_self
|
| + false, // allow_star:
|
| + {blob}); // source_list
|
| +
|
| + GURL blob_url_self("blob:https://a.test/1be95204-93d6-4GUID");
|
| + GURL blob_url_not_self("blob:https://b.test/1be95204-93d6-4GUID");
|
| +
|
| + EXPECT_TRUE(source_list.Allow(&context, blob_url_self));
|
| + EXPECT_TRUE(source_list.Allow(&context, blob_url_not_self));
|
| +
|
| + // Register 'https' as bypassing CSP, which should trigger the inner URL
|
| + // behavior.
|
| + context.AddSchemeToBypassCSP("https");
|
| +
|
| + EXPECT_TRUE(source_list.Allow(&context, blob_url_self));
|
| + // TODO(arthursonzogni, mkwst): This should be true
|
| + // see http://crbug.com/692046
|
| + EXPECT_FALSE(source_list.Allow(&context, blob_url_not_self));
|
| +}
|
| +
|
| +TEST(CSPSourceList, FilesystemDisallowedWhenBypassingSelfScheme) {
|
| + CSPContextTest context;
|
| + context.SetSelf(url::Origin(GURL("https://a.test")));
|
| + CSPSource filesystem(
|
| + CSPSource("filesystem", "", false, url::PORT_UNSPECIFIED, false, ""));
|
| + CSPSourceList source_list(true, // allow_self
|
| + false, // allow_star:
|
| + {filesystem}); // source_list
|
| +
|
| + GURL filesystem_url_self("filesystem:https://a.test/file.txt");
|
| + GURL filesystem_url_not_self("filesystem:https://b.test/file.txt");
|
| +
|
| + EXPECT_TRUE(source_list.Allow(&context, filesystem_url_self));
|
| + EXPECT_TRUE(source_list.Allow(&context, filesystem_url_not_self));
|
| +
|
| + // Register 'https' as bypassing CSP, which should trigger the inner URL
|
| + // behavior.
|
| + context.AddSchemeToBypassCSP("https");
|
| +
|
| + EXPECT_TRUE(source_list.Allow(&context, filesystem_url_self));
|
| + // TODO(arthursonzogni, mkwst): This should be true
|
| + // see http://crbug.com/692046
|
| + EXPECT_FALSE(source_list.Allow(&context, filesystem_url_not_self));
|
| +}
|
| +
|
| +TEST(CSPSourceList, AllowSelfWithUnspecifiedPort) {
|
| + CSPContext context;
|
| + context.SetSelf(url::Origin(GURL("chrome://print")));
|
| + CSPSourceList source_list(true, // allow_self
|
| + false, // allow_star:
|
| + std::vector<CSPSource>()); // source_list
|
| +
|
| + EXPECT_TRUE(source_list.Allow(
|
| + &context,
|
| + GURL("chrome://print/pdf_preview.html?chrome://print/1/0/print.pdf")));
|
| +}
|
| +
|
| +TEST(CSPSourceList, AllowNone) {
|
| + CSPContextTest context;
|
| + context.SetSelf(url::Origin(GURL("http://example.com")));
|
| + CSPSourceList source_list(false, // allow_self
|
| + false, // allow_star:
|
| + std::vector<CSPSource>()); // source_list
|
| + EXPECT_FALSE(source_list.Allow(&context, GURL("http://example.com")));
|
| + EXPECT_FALSE(source_list.Allow(&context, GURL("https://example.test/")));
|
| +}
|
| +
|
| +} // namespace content
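Review bot: The AllowStar test never asserts that `*` rejects `data:`, `blob:` or `filesystem:` URLs; its negative cases stop at `file:` and `applewebdata:`, although those three schemes matter most for a wildcard policy. Assuming CSPSourceList::Allow follows the CSP rule that `*` matches only network schemes (the implementation is not part of this hunk), add `EXPECT_FALSE(source_list.Allow(&context, GURL("data:text/html,x")));` and `EXPECT_FALSE(source_list.Allow(&context, GURL("blob:http://not-example.com/uuid")));` so a change that widens the wildcard fails here. In BlobDisallowedWhenBypassingSelfScheme and FilesystemDisallowedWhenBypassingSelfScheme the comment "This should be true" sits directly above an `EXPECT_FALSE`, so state the intended end state explicitly, e.g. `// Pins current behavior; expected to become EXPECT_TRUE once crbug.com/692046 is fixed.` Separately, MultipleSource is declared under `CSPSourceListTest` while every other case uses `CSPSourceList`, so a `CSPSourceList.*` gtest filter skips it.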
|
|
|