| Index: content/common/content_security_policy/csp_source_unittest.cc
|
| diff --git a/content/common/content_security_policy/csp_source_unittest.cc b/content/common/content_security_policy/csp_source_unittest.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..1e8a2a4b82a53310cf7f2ffb890bb4f8f674ad1d
|
| --- /dev/null
|
| +++ b/content/common/content_security_policy/csp_source_unittest.cc
|
| @@ -0,0 +1,328 @@
|
| +// Copyright 2017 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "content/common/content_security_policy/csp_context.h"
|
| +#include "testing/gtest/include/gtest/gtest.h"
|
| +
|
| +namespace content {
|
| +
|
| +namespace {
|
| +
|
| +// Allow() is an abbreviation of CSPSource::Allow(). Useful for writting test
|
| +// expectations on one line.
|
| +bool Allow(const CSPSource& source,
|
| + const GURL& url,
|
| + CSPContext* context,
|
| + bool is_redirect = false) {
|
| + return CSPSource::Allow(source, url, context, is_redirect);
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +TEST(CSPSourceTest, BasicMatching) {
|
| + CSPContext context;
|
| +
|
| + CSPSource source("http", "example.com", false, 8000, false, "/foo/");
|
| +
|
| + EXPECT_TRUE(Allow(source, GURL("http://example.com:8000/foo/"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://example.com:8000/foo/bar"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("HTTP://EXAMPLE.com:8000/foo/BAR"), &context));
|
| +
|
| + EXPECT_FALSE(Allow(source, GURL("http://example.com:8000/bar/"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("https://example.com:8000/bar/"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://example.com:9000/bar/"), &context));
|
| + EXPECT_FALSE(
|
| + Allow(source, GURL("HTTP://example.com:8000/FOO/bar"), &context));
|
| + EXPECT_FALSE(
|
| + Allow(source, GURL("HTTP://example.com:8000/FOO/BAR"), &context));
|
| +}
|
| +
|
| +TEST(CSPSourceTest, AllowScheme) {
|
| + CSPContext context;
|
| +
|
| + // http -> {http, https}.
|
| + {
|
| + CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
|
| + // TODO(mkwst, arthursonzogni): It is weird to upgrade the scheme without
|
| + // the port. See http://crbug.com/692499
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com:80"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("wss://a.com"), &context));
|
| + }
|
| +
|
| + // ws -> {ws, wss}.
|
| + {
|
| + CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("https://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("ws://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("wss://a.com"), &context));
|
| + }
|
| +
|
| + // Exact matches required (ftp)
|
| + {
|
| + CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
|
| + }
|
| +
|
| + // Exact matches required (https)
|
| + {
|
| + CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
|
| + }
|
| +
|
| + // Exact matches required (wss)
|
| + {
|
| + CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("wss://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context));
|
| + }
|
| +
|
| + // Scheme is empty (ProtocolMatchesSelf).
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
|
| +
|
| + // Self's scheme is http.
|
| + context.SetSelf(url::Origin(GURL("http://a.com")));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http-so://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https-so://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
|
| +
|
| + // Self's is https.
|
| + context.SetSelf(url::Origin(GURL("https://a.com")));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http-so://a.com"), &context));
|
| + // TODO(mkwst, arthursonzogni): Maybe it should return true.
|
| + // See http://crbug.com/692442:
|
| + EXPECT_FALSE(Allow(source, GURL("https-so://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
|
| +
|
| + // Self's scheme is not in the http familly.
|
| + context.SetSelf(url::Origin(GURL("ftp://a.com/")));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context));
|
| +
|
| + // Self's scheme is unique.
|
| + context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com")));
|
| + // TODO(mkwst, arthursonzogni): This result might be wrong.
|
| + // See http://crbug.com/692449
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
|
| + // TODO(mkwst, arthursonzogni): This result might be wrong.
|
| + // See http://crbug.com/692449
|
| + EXPECT_FALSE(Allow(source, GURL("non-standard-scheme://a.com"), &context));
|
| + }
|
| +}
|
| +
|
| +TEST(CSPSourceTest, AllowHost) {
|
| + CSPContext context;
|
| + context.SetSelf(url::Origin(GURL("http://example.com")));
|
| +
|
| + // Host is * (source-expression = "http://*")
|
| + {
|
| + CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://."), &context));
|
| + }
|
| +
|
| + // Host is *.foo.bar
|
| + {
|
| + CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://bar"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://foo.bar"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://o.bar"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://*.foo.bar"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://sub.foo.bar"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://sub.sub.foo.bar"), &context));
|
| + // Please see http://crbug.com/692505
|
| + EXPECT_TRUE(Allow(source, GURL("http://.foo.bar"), &context));
|
| + }
|
| +
|
| + // Host is exact.
|
| + {
|
| + CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("http://foo.bar"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://sub.foo.bar"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://bar"), &context));
|
| + // Please see http://crbug.com/692505
|
| + EXPECT_FALSE(Allow(source, GURL("http://.foo.bar"), &context));
|
| + }
|
| +}
|
| +
|
| +TEST(CSPSourceTest, AllowPort) {
|
| + CSPContext context;
|
| + context.SetSelf(url::Origin(GURL("http://example.com")));
|
| +
|
| + // Source's port unspecified.
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com:443"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("https://a.com:80"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("https://a.com:8080"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("unknown://a.com:80"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
|
| + }
|
| +
|
| + // Source's port is "*".
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com:8080"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com:8080"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com:0"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
|
| + }
|
| +
|
| + // Source has a port.
|
| + {
|
| + CSPSource source("", "a.com", false, 80, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
|
| + }
|
| +
|
| + // Allow upgrade from :80 to :443
|
| + {
|
| + CSPSource source("", "a.com", false, 80, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context));
|
| + // TODO(mkwst, arthursonzogni): It is weird to upgrade the port without the
|
| + // sheme. See http://crbug.com/692499
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com:443"), &context));
|
| + }
|
| +
|
| + // Host is * but port is specified
|
| + {
|
| + CSPSource source("http", "", true, 111, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com:111"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com:222"), &context));
|
| + }
|
| +}
|
| +
|
| +TEST(CSPSourceTest, AllowPath) {
|
| + CSPContext context;
|
| + context.SetSelf(url::Origin(GURL("http://example.com")));
|
| +
|
| + // Path to a file
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
|
| + "/path/to/file");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to/"), &context));
|
| + EXPECT_FALSE(
|
| + Allow(source, GURL("http://a.com/path/to/file/subpath"), &context));
|
| + EXPECT_FALSE(
|
| + Allow(source, GURL("http://a.com/path/to/something"), &context));
|
| + }
|
| +
|
| + // Path to a directory
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
|
| + "/path/to/");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com/path/"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com/path/to"), &context));
|
| + }
|
| +
|
| + // Empty path
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + }
|
| +
|
| + // Almost empty path
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/file"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/path/to/"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
|
| + }
|
| +
|
| + // Path encoded.
|
| + {
|
| + CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false,
|
| + "/Hello Günter");
|
| + EXPECT_TRUE(
|
| + Allow(source, GURL("http://a.com/Hello%20G%C3%BCnter"), &context));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/Hello Günter"), &context));
|
| + }
|
| +
|
| + // Host is * but path is specified.
|
| + {
|
| + CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false,
|
| + "/allowed-path");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com/allowed-path"), &context));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com/disallowed-path"), &context));
|
| + }
|
| +}
|
| +
|
| +TEST(CSPSourceTest, RedirectMatching) {
|
| + CSPContext context;
|
| + CSPSource source("http", "a.com", false, 8000, false, "/bar/");
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/"), &context, true));
|
| + EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/foo"), &context, true));
|
| + EXPECT_TRUE(Allow(source, GURL("https://a.com:8000/foo"), &context, true));
|
| + EXPECT_FALSE(
|
| + Allow(source, GURL("http://not-a.com:8000/foo"), &context, true));
|
| + EXPECT_FALSE(Allow(source, GURL("http://a.com:9000/foo/"), &context, false));
|
| +}
|
| +
|
| +TEST(CSPSourceTest, ToString) {
|
| + {
|
| + CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_EQ("http:", source.ToString());
|
| + }
|
| + {
|
| + CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_EQ("http://a.com", source.ToString());
|
| + }
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_EQ("a.com", source.ToString());
|
| + }
|
| + {
|
| + CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_EQ("*.a.com", source.ToString());
|
| + }
|
| + {
|
| + CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, "");
|
| + EXPECT_EQ("*", source.ToString());
|
| + }
|
| + {
|
| + CSPSource source("", "a.com", false, 80, false, "");
|
| + EXPECT_EQ("a.com:80", source.ToString());
|
| + }
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
|
| + EXPECT_EQ("a.com:*", source.ToString());
|
| + }
|
| + {
|
| + CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path");
|
| + EXPECT_EQ("a.com/path", source.ToString());
|
| + }
|
| +}
|
| +
|
| +} // namespace content
|
|
|
Chromium Code Reviews
Issue 2612793002:
Implement ContentSecurityPolicy on the browser-side. (Closed)
