Index: content/common/content_security_policy/csp_source_unittest.cc |
diff --git a/content/common/content_security_policy/csp_source_unittest.cc b/content/common/content_security_policy/csp_source_unittest.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..1e8a2a4b82a53310cf7f2ffb890bb4f8f674ad1d |
--- /dev/null |
+++ b/content/common/content_security_policy/csp_source_unittest.cc |
@@ -0,0 +1,328 @@ |
+// Copyright 2017 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "content/common/content_security_policy/csp_context.h" |
+#include "testing/gtest/include/gtest/gtest.h" |
+ |
+namespace content { |
+ |
+namespace { |
+ |
+// Allow() is an abbreviation of CSPSource::Allow(). Useful for writting test |
+// expectations on one line. |
+bool Allow(const CSPSource& source, |
+ const GURL& url, |
+ CSPContext* context, |
+ bool is_redirect = false) { |
+ return CSPSource::Allow(source, url, context, is_redirect); |
+} |
+ |
+} // namespace |
+ |
+TEST(CSPSourceTest, BasicMatching) { |
+ CSPContext context; |
+ |
+ CSPSource source("http", "example.com", false, 8000, false, "/foo/"); |
+ |
+ EXPECT_TRUE(Allow(source, GURL("http://example.com:8000/foo/"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://example.com:8000/foo/bar"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("HTTP://EXAMPLE.com:8000/foo/BAR"), &context)); |
+ |
+ EXPECT_FALSE(Allow(source, GURL("http://example.com:8000/bar/"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("https://example.com:8000/bar/"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://example.com:9000/bar/"), &context)); |
+ EXPECT_FALSE( |
+ Allow(source, GURL("HTTP://example.com:8000/FOO/bar"), &context)); |
+ EXPECT_FALSE( |
+ Allow(source, GURL("HTTP://example.com:8000/FOO/BAR"), &context)); |
+} |
+ |
+TEST(CSPSourceTest, AllowScheme) { |
+ CSPContext context; |
+ |
+ // http -> {http, https}. |
+ { |
+ CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
+ // TODO(mkwst, arthursonzogni): It is weird to upgrade the scheme without |
+ // the port. See http://crbug.com/692499 |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com:80"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("wss://a.com"), &context)); |
+ } |
+ |
+ // ws -> {ws, wss}. |
+ { |
+ CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("https://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("ws://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("wss://a.com"), &context)); |
+ } |
+ |
+ // Exact matches required (ftp) |
+ { |
+ CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
+ } |
+ |
+ // Exact matches required (https) |
+ { |
+ CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
+ } |
+ |
+ // Exact matches required (wss) |
+ { |
+ CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("wss://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context)); |
+ } |
+ |
+ // Scheme is empty (ProtocolMatchesSelf). |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
+ |
+ // Self's scheme is http. |
+ context.SetSelf(url::Origin(GURL("http://a.com"))); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http-so://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https-so://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context)); |
+ |
+ // Self's is https. |
+ context.SetSelf(url::Origin(GURL("https://a.com"))); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http-so://a.com"), &context)); |
+ // TODO(mkwst, arthursonzogni): Maybe it should return true. |
+ // See http://crbug.com/692442: |
+ EXPECT_FALSE(Allow(source, GURL("https-so://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context)); |
+ |
+ // Self's scheme is not in the http familly. |
+ context.SetSelf(url::Origin(GURL("ftp://a.com/"))); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context)); |
+ |
+ // Self's scheme is unique. |
+ context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com"))); |
+ // TODO(mkwst, arthursonzogni): This result might be wrong. |
+ // See http://crbug.com/692449 |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
+ // TODO(mkwst, arthursonzogni): This result might be wrong. |
+ // See http://crbug.com/692449 |
+ EXPECT_FALSE(Allow(source, GURL("non-standard-scheme://a.com"), &context)); |
+ } |
+} |
+ |
+TEST(CSPSourceTest, AllowHost) { |
+ CSPContext context; |
+ context.SetSelf(url::Origin(GURL("http://example.com"))); |
+ |
+ // Host is * (source-expression = "http://*") |
+ { |
+ CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://."), &context)); |
+ } |
+ |
+ // Host is *.foo.bar |
+ { |
+ CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://bar"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://foo.bar"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://o.bar"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://*.foo.bar"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://sub.foo.bar"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://sub.sub.foo.bar"), &context)); |
+ // Please see http://crbug.com/692505 |
+ EXPECT_TRUE(Allow(source, GURL("http://.foo.bar"), &context)); |
+ } |
+ |
+ // Host is exact. |
+ { |
+ CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("http://foo.bar"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://sub.foo.bar"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://bar"), &context)); |
+ // Please see http://crbug.com/692505 |
+ EXPECT_FALSE(Allow(source, GURL("http://.foo.bar"), &context)); |
+ } |
+} |
+ |
+TEST(CSPSourceTest, AllowPort) { |
+ CSPContext context; |
+ context.SetSelf(url::Origin(GURL("http://example.com"))); |
+ |
+ // Source's port unspecified. |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com:443"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("https://a.com:80"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("https://a.com:8080"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("unknown://a.com:80"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
+ } |
+ |
+ // Source's port is "*". |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, ""); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com:8080"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com:8080"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com:0"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
+ } |
+ |
+ // Source has a port. |
+ { |
+ CSPSource source("", "a.com", false, 80, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context)); |
+ } |
+ |
+ // Allow upgrade from :80 to :443 |
+ { |
+ CSPSource source("", "a.com", false, 80, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context)); |
+ // TODO(mkwst, arthursonzogni): It is weird to upgrade the port without the |
+ // sheme. See http://crbug.com/692499 |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com:443"), &context)); |
+ } |
+ |
+ // Host is * but port is specified |
+ { |
+ CSPSource source("http", "", true, 111, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com:111"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com:222"), &context)); |
+ } |
+} |
+ |
+TEST(CSPSourceTest, AllowPath) { |
+ CSPContext context; |
+ context.SetSelf(url::Origin(GURL("http://example.com"))); |
+ |
+ // Path to a file |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, |
+ "/path/to/file"); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to/"), &context)); |
+ EXPECT_FALSE( |
+ Allow(source, GURL("http://a.com/path/to/file/subpath"), &context)); |
+ EXPECT_FALSE( |
+ Allow(source, GURL("http://a.com/path/to/something"), &context)); |
+ } |
+ |
+ // Path to a directory |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, |
+ "/path/to/"); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com/path/"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to"), &context)); |
+ } |
+ |
+ // Empty path |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ } |
+ |
+ // Almost empty path |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/"); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context)); |
+ } |
+ |
+ // Path encoded. |
+ { |
+ CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, |
+ "/Hello Günter"); |
+ EXPECT_TRUE( |
+ Allow(source, GURL("http://a.com/Hello%20G%C3%BCnter"), &context)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/Hello Günter"), &context)); |
+ } |
+ |
+ // Host is * but path is specified. |
+ { |
+ CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, |
+ "/allowed-path"); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com/allowed-path"), &context)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com/disallowed-path"), &context)); |
+ } |
+} |
+ |
+TEST(CSPSourceTest, RedirectMatching) { |
+ CSPContext context; |
+ CSPSource source("http", "a.com", false, 8000, false, "/bar/"); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/"), &context, true)); |
+ EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/foo"), &context, true)); |
+ EXPECT_TRUE(Allow(source, GURL("https://a.com:8000/foo"), &context, true)); |
+ EXPECT_FALSE( |
+ Allow(source, GURL("http://not-a.com:8000/foo"), &context, true)); |
+ EXPECT_FALSE(Allow(source, GURL("http://a.com:9000/foo/"), &context, false)); |
+} |
+ |
+TEST(CSPSourceTest, ToString) { |
+ { |
+ CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_EQ("http:", source.ToString()); |
+ } |
+ { |
+ CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_EQ("http://a.com", source.ToString()); |
+ } |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_EQ("a.com", source.ToString()); |
+ } |
+ { |
+ CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_EQ("*.a.com", source.ToString()); |
+ } |
+ { |
+ CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, ""); |
+ EXPECT_EQ("*", source.ToString()); |
+ } |
+ { |
+ CSPSource source("", "a.com", false, 80, false, ""); |
+ EXPECT_EQ("a.com:80", source.ToString()); |
+ } |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, ""); |
+ EXPECT_EQ("a.com:*", source.ToString()); |
+ } |
+ { |
+ CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path"); |
+ EXPECT_EQ("a.com/path", source.ToString()); |
+ } |
+} |
+ |
+} // namespace content |