Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(13)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/content_security_policy/csp_context_unittest.cc

Issue 2727633005: PlzNavigate: Enforce frame-src CSP on the browser. (Closed)
Patch Set: Addressed Alex's comments + trying to fix subframe swap issue Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« content/common/content_security_policy/csp_context.h ('K') | « content/common/content_security_policy/csp_context.cc ('k') | content/common/frame_messages.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2017 The Chromium Authors. All rights reserved. 1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/content_security_policy/csp_context.h" 5 #include "content/common/content_security_policy/csp_context.h"
6 #include "content/common/content_security_policy_header.h" 6 #include "content/common/content_security_policy_header.h"
7 #include "testing/gtest/include/gtest/gtest.h" 7 #include "testing/gtest/include/gtest/gtest.h"
8 8
9 namespace content { 9 namespace content {
10 10
(...skipping 27 matching lines...) Expand all
38 blink::WebContentSecurityPolicyTypeEnforce, 38 blink::WebContentSecurityPolicyTypeEnforce,
39 blink::WebContentSecurityPolicySourceHTTP, 39 blink::WebContentSecurityPolicySourceHTTP,
40 {CSPDirective(directive_name, CSPSourceList(false, false, sources))}, 40 {CSPDirective(directive_name, CSPSourceList(false, false, sources))},
41 std::vector<std::string>(), // report_end_points 41 std::vector<std::string>(), // report_end_points
42 std::string()); // header 42 std::string()); // header
43 } 43 }
44 44
45 } // namespace; 45 } // namespace;
46 46
47 TEST(CSPContextTest, SchemeShouldBypassCSP) { 47 TEST(CSPContextTest, SchemeShouldBypassCSP) {
48 CSPSource source("", "example.com", false, url::PORT_UNSPECIFIED, false, "");
48 CSPContextTest context; 49 CSPContextTest context;
49 CSPSource source("", "example.com", false, url::PORT_UNSPECIFIED, false, ""); 50 context.AddContentSecurityPolicy(
50 ContentSecurityPolicy policy = 51 BuildPolicy(CSPDirective::DefaultSrc, {source}));
51 BuildPolicy(CSPDirective::DefaultSrc, {source}); 52
52 EXPECT_FALSE(context.Allow({policy}, CSPDirective::FrameSrc, 53 EXPECT_FALSE(context.AllowContentSecurityPolicy(
53 GURL("data:text/html,<html></html>"))); 54 CSPDirective::FrameSrc, GURL("data:text/html,<html></html>")));
55
54 context.AddSchemeToBypassCSP("data"); 56 context.AddSchemeToBypassCSP("data");
55 EXPECT_TRUE(context.Allow({policy}, CSPDirective::FrameSrc, 57
56 GURL("data:text/html,<html></html>"))); 58 EXPECT_TRUE(context.AllowContentSecurityPolicy(
59 CSPDirective::FrameSrc, GURL("data:text/html,<html></html>")));
57 } 60 }
58 61
59 TEST(CSPContextTest, MultiplePolicies) { 62 TEST(CSPContextTest, MultiplePolicies) {
60 CSPContextTest context; 63 CSPContextTest context;
61 context.SetSelf(url::Origin(GURL("http://example.com"))); 64 context.SetSelf(url::Origin(GURL("http://example.com")));
62 65
63 CSPSource source_a("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); 66 CSPSource source_a("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
64 CSPSource source_b("", "b.com", false, url::PORT_UNSPECIFIED, false, ""); 67 CSPSource source_b("", "b.com", false, url::PORT_UNSPECIFIED, false, "");
65 CSPSource source_c("", "c.com", false, url::PORT_UNSPECIFIED, false, ""); 68 CSPSource source_c("", "c.com", false, url::PORT_UNSPECIFIED, false, "");
66 69
67 ContentSecurityPolicy policy1 = 70 context.AddContentSecurityPolicy(
68 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_b}); 71 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_b}));
69 ContentSecurityPolicy policy2 = 72 context.AddContentSecurityPolicy(
70 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_c}); 73 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_c}));
71 74
72 std::vector<ContentSecurityPolicy> policies = {policy1, policy2}; 75 EXPECT_TRUE(context.AllowContentSecurityPolicy(CSPDirective::FrameSrc,
73 76 GURL("http://a.com")));
74 EXPECT_TRUE( 77 EXPECT_FALSE(context.AllowContentSecurityPolicy(CSPDirective::FrameSrc,
75 context.Allow(policies, CSPDirective::FrameSrc, GURL("http://a.com"))); 78 GURL("http://b.com")));
76 EXPECT_FALSE( 79 EXPECT_FALSE(context.AllowContentSecurityPolicy(CSPDirective::FrameSrc,
77 context.Allow(policies, CSPDirective::FrameSrc, GURL("http://b.com"))); 80 GURL("http://c.com")));
78 EXPECT_FALSE( 81 EXPECT_FALSE(context.AllowContentSecurityPolicy(CSPDirective::FrameSrc,
79 context.Allow(policies, CSPDirective::FrameSrc, GURL("http://c.com"))); 82 GURL("http://d.com")));
80 EXPECT_FALSE(
81 context.Allow(policies, CSPDirective::FrameSrc, GURL("http://d.com")));
82 } 83 }
83 84
84 } // namespace content 85 } // namespace content
OLDNEW
« content/common/content_security_policy/csp_context.h ('K') | « content/common/content_security_policy/csp_context.cc ('k') | content/common/frame_messages.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698