Side by Side Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2691063003: Content-Security-Policy: Add test with 'filesystem' and 'blob'. (Closed)
Patch Set: Add TODO and BUG id. Created 3 years, 10 months ago
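--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
@@ -1,10 +1,10 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/SourceListDirective.h"
 
 #include "core/dom/Document.h"
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/network/ResourceRequest.h"
@@ -147,20 +147,94 @@
   SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
 
   EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
   EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/")));
 
   // Unregister the scheme to clean up after ourselves.
   SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
       "https");
 }
 
+TEST_F(SourceListDirectiveTest, FilesystemMatchingSelf) {
+  KURL base;
+  String sources = "'self'";
+  SourceListDirective sourceList("script-src", sources, csp.get());
+
+  EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
+  EXPECT_FALSE(sourceList.allows(
+      KURL(base, "filesystem:https://example.test/file.txt")));
+
+  // Register "https" as bypassing CSP, which should trigger the innerURL
+  // behavior.
+  SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
+
+  EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
+  EXPECT_TRUE(sourceList.allows(
+      KURL(base, "filesystem:https://example.test/file.txt")));
+
+  // Unregister the scheme to clean up after ourselves.
+  SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
+      "https");
+}
+
+TEST_F(SourceListDirectiveTest, BlobDisallowedWhenBypassingSelfScheme) {
+  KURL base;
+  String sources = "'self' blob:";
+  SourceListDirective sourceList("script-src", sources, csp.get());
+
+  EXPECT_TRUE(sourceList.allows(
+      KURL(base, "blob:https://example.test/1be95204-93d6-4GUID")));
+  EXPECT_TRUE(sourceList.allows(
+      KURL(base, "blob:https://not-example.test/1be95204-93d6-4GUID")));
+
+  // Register "https" as bypassing CSP, which should trigger the innerURL
+  // behavior.
+  SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
+
+  EXPECT_TRUE(sourceList.allows(
+      KURL(base, "blob:https://example.test/1be95204-93d6-4GUID")));
+  // TODO(mkwst, arthursonzogni): This should be true.
+  // See http://crbug.com/692046
+  EXPECT_FALSE(sourceList.allows(
+      KURL(base, "blob:https://not-example.test/1be95204-93d6-4GUID")));
+
+  // Unregister the scheme to clean up after ourselves.
+  SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
+      "https");
+}
+
+TEST_F(SourceListDirectiveTest, FilesystemDisallowedWhenBypassingSelfScheme) {
+  KURL base;
+  String sources = "'self' filesystem:";
+  SourceListDirective sourceList("script-src", sources, csp.get());
+
+  EXPECT_TRUE(sourceList.allows(
+      KURL(base, "filesystem:https://example.test/file.txt")));
+  EXPECT_TRUE(sourceList.allows(
+      KURL(base, "filesystem:https://not-example.test/file.txt")));
+
+  // Register "https" as bypassing CSP, which should trigger the innerURL
+  // behavior.
+  SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
+
+  EXPECT_TRUE(sourceList.allows(
+      KURL(base, "filesystem:https://example.test/file.txt")));
+  // TODO(mkwst, arthursonzogni): This should be true.
+  // See http://crbug.com/692046
+  EXPECT_FALSE(sourceList.allows(
+      KURL(base, "filesystem:https://not-example.test/file.txt")));
+
+  // Unregister the scheme to clean up after ourselves.
+  SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
+      "https");
+}
+
 TEST_F(SourceListDirectiveTest, BlobMatchingBlob) {
   KURL base;
   String sources = "blob:";
   SourceListDirective sourceList("script-src", sources, csp.get());
 
   EXPECT_FALSE(sourceList.allows(KURL(base, "https://example.test/")));
   EXPECT_TRUE(sourceList.allows(KURL(base, "blob:https://example.test/")));
 }
 
 TEST_F(SourceListDirectiveTest, BasicMatching) {
@@ -1393,10 +1467,10 @@
   // When the host-part is "*" and the expression-source is not "*", then every
   // host are allowed. See crbug.com/682673.
   {
     String sources = "http://*";
     SourceListDirective sourceList("default-src", sources, csp.get());
     EXPECT_TRUE(sourceList.allows(KURL(base, "http://a.com")));
   }
 }
 
 } // namespace blink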
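Review bot: Each of the three new tests flips process-global SchemeRegistry state (registering "https" as bypassing CSP) and relies on a trailing remove call at the end of the body for cleanup, so any fatal assertion or early exit between the register and remove calls leaves "https" bypassing CSP for every test that runs afterwards in the same process, which would quietly turn later negative CSP expectations into passes. A small scoped guard that unregisters in its destructor makes the cleanup unconditional and removes the duplicated register/remove pairs; the same change applies to FilesystemMatchingSelf, BlobDisallowedWhenBypassingSelfScheme and FilesystemDisallowedWhenBypassingSelfScheme (and to the pre-existing test whose tail is visible at the top of the hunk). The sketch below assumes the registry functions accept a String, which the literal-argument calls suggest but the hunk does not show; the guard's member naming follows the Blink m_ convention of this era.
```cpp
// Registers |scheme| as bypassing CSP for the guard's lifetime, so the
// registry is restored even when the test body exits early.
struct ScopedCSPBypassingScheme {
  explicit ScopedCSPBypassingScheme(const String& scheme) : m_scheme(scheme) {
    SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy(m_scheme);
  }
  ~ScopedCSPBypassingScheme() {
    SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
        m_scheme);
  }
  String m_scheme;
};

TEST_F(SourceListDirectiveTest, FilesystemMatchingSelf) {
  // … unchanged: sourceList setup and pre-registration expectations …
  {
    // Register "https" as bypassing CSP, which should trigger the innerURL
    // behavior; the guard unregisters it when this scope ends.
    ScopedCSPBypassingScheme bypass("https");
    EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
    EXPECT_TRUE(sourceList.allows(
        KURL(base, "filesystem:https://example.test/file.txt")));
  }
}
```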