Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(135)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/common/content_security_policy/csp_source_unittest.cc

Issue 2612793002: Implement ContentSecurityPolicy on the browser-side. (Closed)
Patch Set: Nit. Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/common/content_security_policy/csp_source.h ('K') | « content/common/content_security_policy/csp_source_list_unittest.cc ('k') | content/common/content_security_policy_header.h » ('j') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/common/content_security_policy/csp_source_unittest.cc
diff --git a/content/common/content_security_policy/csp_source_unittest.cc b/content/common/content_security_policy/csp_source_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..b898ce3e4c7d79d02a9e5ecbdbfda45848fd86d8
--- /dev/null
+++ b/content/common/content_security_policy/csp_source_unittest.cc
@@ -0,0 +1,301 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_context.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+TEST(CSPSourceTest, BasicMatching) {
+ CSPContext context;
+
+ CSPSource source("http", "example.com", false, 8000, false, "/foo/");
+
+ EXPECT_TRUE(source.Allow(&context, GURL("http://example.com:8000/foo/")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://example.com:8000/foo/bar")));
+ EXPECT_TRUE(source.Allow(&context, GURL("HTTP://EXAMPLE.com:8000/foo/BAR")));
+
+ EXPECT_FALSE(source.Allow(&context, GURL("http://example.com:8000/bar/")));
+ EXPECT_FALSE(source.Allow(&context, GURL("https://example.com:8000/bar/")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://example.com:9000/bar/")));
+ EXPECT_FALSE(source.Allow(&context, GURL("HTTP://example.com:8000/FOO/bar")));
+ EXPECT_FALSE(source.Allow(&context, GURL("HTTP://example.com:8000/FOO/BAR")));
+}
+
+TEST(CSPSourceTest, AllowScheme) {
+ CSPContext context;
+
+ // http -> {http, https}.
+ {
+ CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("wss://a.com")));
+ }
+
+ // ws -> {ws, wss}.
+ {
+ CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("https://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("ws://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com")));
+ }
+
+ // Exact matches required (ftp)
+ {
+ CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+ }
+
+ // Exact matches required (https)
+ {
+ CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+ }
+
+ // Exact matches required (wss)
+ {
+ CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com")));
+ }
+
+ // Scheme is empty (ProtocolMatchesSelf).
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+
+ // Self's scheme is http.
+ context.SetSelf(url::Origin(GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http-so://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https-so://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+
+ // Self's is https.
+ context.SetSelf(url::Origin(GURL("https://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http-so://a.com")));
+ // REVIEW(): Is it the correct behavior?
+ EXPECT_FALSE(source.Allow(&context, GURL("https-so://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+
+ // Self's scheme is not in the http familly.
+ context.SetSelf(url::Origin(GURL("ftp://a.com/")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com")));
+
+ // Self's scheme is unique.
+ context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("non-standard-scheme://a.com")));
+ }
+}
+
+TEST(CSPSourceTest, AllowHost) {
+ CSPContext context;
+ context.SetSelf(url::Origin(GURL("http://example.com")));
+
+ // Host is * (source-expression = "http://*")
+ {
+ CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://.")));
+ }
+
+ // Host is *.foo.bar
+ {
+ CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://bar")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://foo.bar")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://o.bar")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://*.foo.bar")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://sub.foo.bar")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://sub.sub.foo.bar")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://.foo.bar")));
+ }
+
+ // Host is exact.
+ {
+ CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://foo.bar")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://sub.foo.bar")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://bar")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://.foo.bar")));
+ }
+}
+
+TEST(CSPSourceTest, AllowPort) {
+ CSPContext context;
+ context.SetSelf(url::Origin(GURL("http://example.com")));
+
+ // Source's port unspecified.
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:443")));
+ EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:80")));
+ EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:8080")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443")));
+ EXPECT_FALSE(source.Allow(&context, GURL("unknown://a.com:80")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+ }
+
+ // Source's port is "*".
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8080")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8080")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:0")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+ }
+
+ // Source has a port.
+ {
+ CSPSource source("", "a.com", false, 80, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080")));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+ }
+
+ // Allow upgrade from :80 to :443
+ {
+ CSPSource source("", "a.com", false, 80, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443")));
+ // REVIEW(arthursonzogni): Is it expected?
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:443")));
+ }
+
+ // Host is * but port is specified
+ {
+ CSPSource source("http", "", true, 111, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:111")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:222")));
+ }
+}
+
+TEST(CSPSourceTest, AllowPath) {
+ CSPContext context;
+ context.SetSelf(url::Origin(GURL("http://example.com")));
+
+ // Path to a file
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
+ "/path/to/file");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to/")));
+ EXPECT_FALSE(
+ source.Allow(&context, GURL("http://a.com/path/to/file/subpath")));
+ EXPECT_FALSE(
+ source.Allow(&context, GURL("http://a.com/path/to/something")));
+ }
+
+ // Path to a directory
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
+ "/path/to/");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to")));
+ }
+
+ // Empty path
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ }
+
+ // Almost empty path
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+ }
+
+ // Path encoded.
+ {
+ CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false,
+ "/Hello Günter");
+ EXPECT_TRUE(
+ source.Allow(&context, GURL("http://a.com/Hello%20G%C3%BCnter")));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/Hello Günter")));
+ }
+
+ // Host is * but path is specified.
+ {
+ CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false,
+ "/allowed-path");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/allowed-path")));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/disallowed-path")));
+ }
+}
+
+TEST(CSPSourceTest, RedirectMatching) {
+ CSPContext context;
+ CSPSource source("http", "a.com", false, 8000, false, "/bar/");
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8000/"), true));
+ EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8000/foo"), true));
+ EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8000/foo"), true));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://not-a.com:8000/foo"), true));
+ EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:9000/foo/"), false));
+}
+
+TEST(CSPSourceTest, ToString) {
+ {
+ CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_EQ("http:", source.ToString());
+ }
+ {
+ CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_EQ("http://a.com", source.ToString());
+ }
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_EQ("a.com", source.ToString());
+ }
+ {
+ CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_EQ("*.a.com", source.ToString());
+ }
+ {
+ CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, "");
+ EXPECT_EQ("*", source.ToString());
+ }
+ {
+ CSPSource source("", "a.com", false, 80, false, "");
+ EXPECT_EQ("a.com:80", source.ToString());
+ }
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
+ EXPECT_EQ("a.com:*", source.ToString());
+ }
+ {
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path");
+ EXPECT_EQ("a.com/path", source.ToString());
+ }
+}
+
+} // namespace content
« content/common/content_security_policy/csp_source.h ('K') | « content/common/content_security_policy/csp_source_list_unittest.cc ('k') | content/common/content_security_policy_header.h » ('j') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698