1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
147 SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); | 147 SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); |
148 | 148 |
149 EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/"))); | 149 EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/"))); |
150 EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/"))); | 150 EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/"))); |
151 | 151 |
152 // Unregister the scheme to clean up after ourselves. | 152 // Unregister the scheme to clean up after ourselves. |
153 SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy( | 153 SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
154 "https"); | 154 "https"); |
155 } | 155 } |
156 | 156 |
| 157 TEST_F(SourceListDirectiveTest, FilesystemMatchingSelf) { |
| 158 KURL base; |
| 159 String sources = "'self'"; |
| 160 SourceListDirective sourceList("script-src", sources, csp.get()); |
| 161 |
| 162 EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/"))); |
| 163 EXPECT_FALSE(sourceList.allows( |
| 164 KURL(base, "filesystem:https://example.test/file.txt"))); |
| 165 |
| 166 // Register "https" as bypassing CSP, which should trigger the innerURL |
| 167 // behavior. |
| 168 SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); |
| 169 |
| 170 EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/"))); |
| 171 EXPECT_TRUE(sourceList.allows( |
| 172 KURL(base, "filesystem:https://example.test/file.txt"))); |
| 173 |
| 174 // Unregister the scheme to clean up after ourselves. |
| 175 SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
| 176 "https"); |
| 177 } |
| 178 |
| 179 TEST_F(SourceListDirectiveTest, BlobDisallowedWhenBypassingSelfScheme) { |
| 180 KURL base; |
| 181 String sources = "'self' blob:"; |
| 182 SourceListDirective sourceList("script-src", sources, csp.get()); |
| 183 |
| 184 EXPECT_TRUE(sourceList.allows( |
| 185 KURL(base, "blob:https://example.test/1be95204-93d6-4GUID"))); |
| 186 EXPECT_TRUE(sourceList.allows( |
| 187 KURL(base, "blob:https://not-example.test/1be95204-93d6-4GUID"))); |
| 188 |
| 189 // Register "https" as bypassing CSP, which should trigger the innerURL |
| 190 // behavior. |
| 191 SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); |
| 192 |
| 193 EXPECT_TRUE(sourceList.allows( |
| 194 KURL(base, "blob:https://example.test/1be95204-93d6-4GUID"))); |
| 195 // TODO(mkwst, arthursonzogni): This should be true. |
| 196 // See http://crbug.com/692046 |
| 197 EXPECT_FALSE(sourceList.allows( |
| 198 KURL(base, "blob:https://not-example.test/1be95204-93d6-4GUID"))); |
| 199 |
| 200 // Unregister the scheme to clean up after ourselves. |
| 201 SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
| 202 "https"); |
| 203 } |
| 204 |
| 205 TEST_F(SourceListDirectiveTest, FilesystemDisallowedWhenBypassingSelfScheme) { |
| 206 KURL base; |
| 207 String sources = "'self' filesystem:"; |
| 208 SourceListDirective sourceList("script-src", sources, csp.get()); |
| 209 |
| 210 EXPECT_TRUE(sourceList.allows( |
| 211 KURL(base, "filesystem:https://example.test/file.txt"))); |
| 212 EXPECT_TRUE(sourceList.allows( |
| 213 KURL(base, "filesystem:https://not-example.test/file.txt"))); |
| 214 |
| 215 // Register "https" as bypassing CSP, which should trigger the innerURL |
| 216 // behavior. |
| 217 SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); |
| 218 |
| 219 EXPECT_TRUE(sourceList.allows( |
| 220 KURL(base, "filesystem:https://example.test/file.txt"))); |
| 221 // TODO(mkwst, arthursonzogni): This should be true. |
| 222 // See http://crbug.com/692046 |
| 223 EXPECT_FALSE(sourceList.allows( |
| 224 KURL(base, "filesystem:https://not-example.test/file.txt"))); |
| 225 |
| 226 // Unregister the scheme to clean up after ourselves. |
| 227 SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
| 228 "https"); |
| 229 } |
| 230 |
157 TEST_F(SourceListDirectiveTest, BlobMatchingBlob) { | 231 TEST_F(SourceListDirectiveTest, BlobMatchingBlob) { |
158 KURL base; | 232 KURL base; |
159 String sources = "blob:"; | 233 String sources = "blob:"; |
160 SourceListDirective sourceList("script-src", sources, csp.get()); | 234 SourceListDirective sourceList("script-src", sources, csp.get()); |
161 | 235 |
162 EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/"))); | 236 EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/"))); |
163 EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/"))); | 237 EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/"))); |
164 } | 238 } |
165 | 239 |
166 TEST_F(SourceListDirectiveTest, BasicMatching) { | 240 TEST_F(SourceListDirectiveTest, BasicMatching) { |
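Review bot: The three new tests (FilesystemMatchingSelf, BlobDisallowedWhenBypassingSelfScheme, FilesystemDisallowedWhenBypassingSelfScheme) mutate process-global SchemeRegistry state by registering "https" as bypassing CSP and undo it only with a trailing remove call, so any early exit between the two calls (an ASSERT_* failure, an exception, a future `return`) leaves "https" bypassing CSP for every later test in the binary, which would silently turn CSP-enforcement tests into false passes. A small scoped guard in the fixture makes the cleanup unconditional and drops the repeated "Unregister the scheme to clean up after ourselves" block; the sketch below shows it applied to FilesystemMatchingSelf, and the other two tests would change the same way. Separately, the two EXPECT_FALSE assertions annotated "This should be true" pin today's behaviour rather than the intended one, which is fine for regression tracking, but the comment would be more useful if it also named what the current code does, e.g. `// Currently the innerURL's origin is matched against 'self' only; see http://crbug.com/692046`, hedged since the matching code is not in this diff.
```cpp
// Restores the global SchemeRegistry state even if an ASSERT_* or an
// exception exits the test body early.
class ScopedCSPBypassingScheme {
 public:
  explicit ScopedCSPBypassingScheme(const String& scheme) : m_scheme(scheme) {
    SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy(m_scheme);
  }
  ~ScopedCSPBypassingScheme() {
    SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
        m_scheme);
  }

 private:
  String m_scheme;
};

TEST_F(SourceListDirectiveTest, FilesystemMatchingSelf) {
  // … unchanged: sourceList setup and pre-registration expectations …
  {
    // Register "https" as bypassing CSP, which should trigger the innerURL
    // behavior; the guard unregisters it at the end of this scope.
    ScopedCSPBypassingScheme bypass("https");
    EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
    EXPECT_TRUE(sourceList.allows(
        KURL(base, "filesystem:https://example.test/file.txt")));
  }
}
```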
1393 // When the host-part is "*" and the expression-source is not "*", then every | 1467 // When the host-part is "*" and the expression-source is not "*", then every |
1394 // host are allowed. See crbug.com/682673. | 1468 // host are allowed. See crbug.com/682673. |
1395 { | 1469 { |
1396 String sources = "http://*"; | 1470 String sources = "http://*"; |
1397 SourceListDirective sourceList("default-src", sources, csp.get()); | 1471 SourceListDirective sourceList("default-src", sources, csp.get()); |
1398 EXPECT_TRUE(sourceList.allows(KURL(base, "http://a.com"))); | 1472 EXPECT_TRUE(sourceList.allows(KURL(base, "http://a.com"))); |
1399 } | 1473 } |
1400 } | 1474 } |
1401 | 1475 |
1402 } // namespace blink | 1476 } // namespace blink |