| Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
|
| diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
|
| index a2e10a38b846664ddcaaaf7bb2b28cc0de2ae483..643f57dd3fbf61a9f398ecd2aa1ea709691d3d65 100644
|
| --- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
|
| +++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
|
| @@ -154,6 +154,80 @@ TEST_F(SourceListDirectiveTest, BlobMatchingSelf) {
|
| "https");
|
| }
|
|
|
| +TEST_F(SourceListDirectiveTest, FilesystemMatchingSelf) {
|
| + KURL base;
|
| + String sources = "'self'";
|
| + SourceListDirective sourceList("script-src", sources, csp.get());
|
| +
|
| + EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
|
| + EXPECT_FALSE(sourceList.allows(
|
| + KURL(base, "filesystem:https://example.test/file.txt")));
|
| +
|
| + // Register "https" as bypassing CSP, which should trigger the innerURL
|
| + // behavior.
|
| + SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
|
| +
|
| + EXPECT_TRUE(sourceList.allows(KURL(base, "https://example.test/")));
|
| + EXPECT_TRUE(sourceList.allows(
|
| + KURL(base, "filesystem:https://example.test/file.txt")));
|
| +
|
| + // Unregister the scheme to clean up after ourselves.
|
| + SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
|
| + "https");
|
| +}
|
| +
|
| +TEST_F(SourceListDirectiveTest, BlobDisallowedWhenBypassingSelfScheme) {
|
| + KURL base;
|
| + String sources = "'self' blob:";
|
| + SourceListDirective sourceList("script-src", sources, csp.get());
|
| +
|
| + EXPECT_TRUE(sourceList.allows(
|
| + KURL(base, "blob:https://example.test/1be95204-93d6-4GUID")));
|
| + EXPECT_TRUE(sourceList.allows(
|
| + KURL(base, "blob:https://not-example.test/1be95204-93d6-4GUID")));
|
| +
|
| + // Register "https" as bypassing CSP, which should trigger the innerURL
|
| + // behavior.
|
| + SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
|
| +
|
| + EXPECT_TRUE(sourceList.allows(
|
| + KURL(base, "blob:https://example.test/1be95204-93d6-4GUID")));
|
| + // TODO(mkwst, arthursonzogni): This should be true.
|
| + // See http://crbug.com/692046
|
| + EXPECT_FALSE(sourceList.allows(
|
| + KURL(base, "blob:https://not-example.test/1be95204-93d6-4GUID")));
|
| +
|
| + // Unregister the scheme to clean up after ourselves.
|
| + SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
|
| + "https");
|
| +}
|
| +
|
| +TEST_F(SourceListDirectiveTest, FilesystemDisallowedWhenBypassingSelfScheme) {
|
| + KURL base;
|
| + String sources = "'self' filesystem:";
|
| + SourceListDirective sourceList("script-src", sources, csp.get());
|
| +
|
| + EXPECT_TRUE(sourceList.allows(
|
| + KURL(base, "filesystem:https://example.test/file.txt")));
|
| + EXPECT_TRUE(sourceList.allows(
|
| + KURL(base, "filesystem:https://not-example.test/file.txt")));
|
| +
|
| + // Register "https" as bypassing CSP, which should trigger the innerURL
|
| + // behavior.
|
| + SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https");
|
| +
|
| + EXPECT_TRUE(sourceList.allows(
|
| + KURL(base, "filesystem:https://example.test/file.txt")));
|
| + // TODO(mkwst, arthursonzogni): This should be true.
|
| + // See http://crbug.com/692046
|
| + EXPECT_FALSE(sourceList.allows(
|
| + KURL(base, "filesystem:https://not-example.test/file.txt")));
|
| +
|
| + // Unregister the scheme to clean up after ourselves.
|
| + SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(
|
| + "https");
|
| +}
|
| +
|
| TEST_F(SourceListDirectiveTest, BlobMatchingBlob) {
|
| KURL base;
|
| String sources = "blob:";
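Review bot: FilesystemMatchingSelf asserts only the same-origin `filesystem:` URL once `https` is registered as bypassing CSP, so nothing pins that the inner-URL match under `'self'` stays limited to the policy's own origin. A negative assertion after the registration call, e.g. `EXPECT_FALSE(sourceList.allows(KURL(base, "filesystem:https://not-example.test/file.txt")));`, would catch a regression that widens `'self'` to any origin's filesystem URLs. The expected value is inferred from the two sibling tests, which get false for `not-example.test` even when `blob:` or `filesystem:` is listed explicitly. Separately, all three tests undo the global SchemeRegistry change as the last statement of the body. Moving that cleanup into the fixture's TearDown (defined outside this hunk) would keep the bypass registration from leaking into later CSP tests if a test ever exits early.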
|
|
|