1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/content_security_policy/csp_context.h" | 5 #include "content/common/content_security_policy/csp_context.h" |
6 #include "content/common/content_security_policy_header.h" | 6 #include "content/common/content_security_policy_header.h" |
| 7 #include "content/common/navigation_params.h" |
7 #include "testing/gtest/include/gtest/gtest.h" | 8 #include "testing/gtest/include/gtest/gtest.h" |
8 | 9 |
9 namespace content { | 10 namespace content { |
10 | 11 |
11 namespace { | 12 namespace { |
12 class CSPContextTest : public CSPContext { | 13 class CSPContextTest : public CSPContext { |
13 public: | 14 public: |
14 const std::string& LastConsoleMessage() { return console_message_; } | 15 const std::string& LastConsoleMessage() { return console_message_; } |
15 | 16 |
16 private: | 17 private: |
17 void LogToConsole(const std::string& message) override { | 18 void ReportContentSecurityPolicyViolation( |
18 console_message_ = message; | 19 const CSPViolationParams& violation_params) override { |
| 20 console_message_ = violation_params.console_message; |
19 } | 21 } |
20 std::string console_message_; | 22 std::string console_message_; |
21 }; | 23 }; |
22 | 24 |
23 ContentSecurityPolicyHeader EmptyCspHeader() { | 25 ContentSecurityPolicyHeader EmptyCspHeader() { |
24 return ContentSecurityPolicyHeader(std::string(), | 26 return ContentSecurityPolicyHeader(std::string(), |
25 blink::WebContentSecurityPolicyTypeEnforce, | 27 blink::WebContentSecurityPolicyTypeEnforce, |
26 blink::WebContentSecurityPolicySourceHTTP); | 28 blink::WebContentSecurityPolicySourceHTTP); |
27 } | 29 } |
28 | 30 |
29 } // namespace | 31 } // namespace |
30 | 32 |
31 TEST(ContentSecurityPolicy, NoDirective) { | 33 TEST(ContentSecurityPolicy, NoDirective) { |
32 CSPContextTest context; | 34 CSPContextTest context; |
33 std::vector<std::string> report_end_points; // empty | 35 std::vector<std::string> report_end_points; // empty |
34 ContentSecurityPolicy policy(EmptyCspHeader(), std::vector<CSPDirective>(), | 36 ContentSecurityPolicy policy(EmptyCspHeader(), std::vector<CSPDirective>(), |
35 report_end_points); | 37 report_end_points); |
36 | 38 |
37 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction, | 39 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction, |
38 GURL("http://www.example.com"), | 40 GURL("http://www.example.com"), |
39 &context)); | 41 false, &context, SourceLocation())); |
40 EXPECT_EQ("", context.LastConsoleMessage()); | 42 EXPECT_EQ("", context.LastConsoleMessage()); |
41 } | 43 } |
42 | 44 |
43 TEST(ContentSecurityPolicy, ReportViolation) { | 45 TEST(ContentSecurityPolicy, ReportViolation) { |
44 CSPContextTest context; | 46 CSPContextTest context; |
45 | 47 |
46 // source = "www.example.com" | 48 // source = "www.example.com" |
47 CSPSource source("", "www.example.com", false, url::PORT_UNSPECIFIED, false, | 49 CSPSource source("", "www.example.com", false, url::PORT_UNSPECIFIED, false, |
48 ""); | 50 ""); |
49 CSPSourceList source_list(false, false, {source}); | 51 CSPSourceList source_list(false, false, {source}); |
50 CSPDirective directive(CSPDirective::FormAction, source_list); | 52 CSPDirective directive(CSPDirective::FormAction, source_list); |
51 std::vector<std::string> report_end_points; // empty | 53 std::vector<std::string> report_end_points; // empty |
52 ContentSecurityPolicy policy(EmptyCspHeader(), {directive}, | 54 ContentSecurityPolicy policy(EmptyCspHeader(), {directive}, |
53 report_end_points); | 55 report_end_points); |
54 | 56 |
55 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction, | 57 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction, |
56 GURL("http://www.not-example.com"), | 58 GURL("http://www.not-example.com"), |
57 &context)); | 59 false, &context, SourceLocation())); |
58 | 60 |
59 const char console_message[] = | 61 const char console_message[] = |
60 "Refused to send form data to 'http://www.not-example.com/' because it " | 62 "Refused to send form data to 'http://www.not-example.com/' because it " |
61 "violates the following Content Security Policy directive: \"form-action " | 63 "violates the following Content Security Policy directive: \"form-action " |
62 "www.example.com\".\n"; | 64 "www.example.com\".\n"; |
63 EXPECT_EQ(console_message, context.LastConsoleMessage()); | 65 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
64 } | 66 } |
65 | 67 |
66 TEST(ContentSecurityPolicy, DirectiveFallback) { | 68 TEST(ContentSecurityPolicy, DirectiveFallback) { |
67 CSPSource source_a("http", "a.com", false, url::PORT_UNSPECIFIED, false, ""); | 69 CSPSource source_a("http", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
68 CSPSource source_b("http", "b.com", false, url::PORT_UNSPECIFIED, false, ""); | 70 CSPSource source_b("http", "b.com", false, url::PORT_UNSPECIFIED, false, ""); |
69 CSPSourceList source_list_a(false, false, {source_a}); | 71 CSPSourceList source_list_a(false, false, {source_a}); |
70 CSPSourceList source_list_b(false, false, {source_b}); | 72 CSPSourceList source_list_b(false, false, {source_b}); |
71 | 73 |
72 std::vector<std::string> report_end_points; // Empty. | 74 std::vector<std::string> report_end_points; // Empty. |
73 | 75 |
74 { | 76 { |
75 CSPContextTest context; | 77 CSPContextTest context; |
76 ContentSecurityPolicy policy( | 78 ContentSecurityPolicy policy( |
77 EmptyCspHeader(), | 79 EmptyCspHeader(), |
78 {CSPDirective(CSPDirective::DefaultSrc, source_list_a)}, | 80 {CSPDirective(CSPDirective::DefaultSrc, source_list_a)}, |
79 report_end_points); | 81 report_end_points); |
80 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | 82 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
81 GURL("http://b.com"), &context)); | 83 GURL("http://b.com"), false, |
| 84 &context, SourceLocation())); |
82 const char console_message[] = | 85 const char console_message[] = |
83 "Refused to frame 'http://b.com/' because it violates " | 86 "Refused to frame 'http://b.com/' because it violates " |
84 "the following Content Security Policy directive: \"default-src " | 87 "the following Content Security Policy directive: \"default-src " |
85 "http://a.com\". Note that 'frame-src' was not explicitly " | 88 "http://a.com\". Note that 'frame-src' was not explicitly " |
86 "set, so 'default-src' is used as a fallback.\n"; | 89 "set, so 'default-src' is used as a fallback.\n"; |
87 EXPECT_EQ(console_message, context.LastConsoleMessage()); | 90 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
88 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | 91 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
89 GURL("http://a.com"), &context)); | 92 GURL("http://a.com"), false, |
| 93 &context, SourceLocation())); |
90 } | 94 } |
91 { | 95 { |
92 CSPContextTest context; | 96 CSPContextTest context; |
93 ContentSecurityPolicy policy( | 97 ContentSecurityPolicy policy( |
94 EmptyCspHeader(), {CSPDirective(CSPDirective::ChildSrc, source_list_a)}, | 98 EmptyCspHeader(), {CSPDirective(CSPDirective::ChildSrc, source_list_a)}, |
95 report_end_points); | 99 report_end_points); |
96 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | 100 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
97 GURL("http://b.com"), &context)); | 101 GURL("http://b.com"), false, |
| 102 &context, SourceLocation())); |
98 const char console_message[] = | 103 const char console_message[] = |
99 "Refused to frame 'http://b.com/' because it violates " | 104 "Refused to frame 'http://b.com/' because it violates " |
100 "the following Content Security Policy directive: \"child-src " | 105 "the following Content Security Policy directive: \"child-src " |
101 "http://a.com\". Note that 'frame-src' was not explicitly " | 106 "http://a.com\". Note that 'frame-src' was not explicitly " |
102 "set, so 'child-src' is used as a fallback.\n"; | 107 "set, so 'child-src' is used as a fallback.\n"; |
103 EXPECT_EQ(console_message, context.LastConsoleMessage()); | 108 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
104 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | 109 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
105 GURL("http://a.com"), &context)); | 110 GURL("http://a.com"), false, |
| 111 &context, SourceLocation())); |
106 } | 112 } |
107 { | 113 { |
108 CSPContextTest context; | 114 CSPContextTest context; |
109 CSPSourceList source_list(false, false, {source_a, source_b}); | 115 CSPSourceList source_list(false, false, {source_a, source_b}); |
110 ContentSecurityPolicy policy( | 116 ContentSecurityPolicy policy( |
111 EmptyCspHeader(), | 117 EmptyCspHeader(), |
112 {CSPDirective(CSPDirective::FrameSrc, {source_list_a}), | 118 {CSPDirective(CSPDirective::FrameSrc, {source_list_a}), |
113 CSPDirective(CSPDirective::ChildSrc, {source_list_b})}, | 119 CSPDirective(CSPDirective::ChildSrc, {source_list_b})}, |
114 report_end_points); | 120 report_end_points); |
115 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | 121 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
116 GURL("http://a.com"), &context)); | 122 GURL("http://a.com"), false, |
| 123 &context, SourceLocation())); |
117 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | 124 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
118 GURL("http://b.com"), &context)); | 125 GURL("http://b.com"), false, |
| 126 &context, SourceLocation())); |
119 const char console_message[] = | 127 const char console_message[] = |
120 "Refused to frame 'http://b.com/' because it violates " | 128 "Refused to frame 'http://b.com/' because it violates " |
121 "the following Content Security Policy directive: \"frame-src " | 129 "the following Content Security Policy directive: \"frame-src " |
122 "http://a.com\".\n"; | 130 "http://a.com\".\n"; |
123 EXPECT_EQ(console_message, context.LastConsoleMessage()); | 131 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
124 } | 132 } |
125 } | 133 } |
126 | 134 |
127 } // namespace content | 135 } // namespace content |
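Review bot: The fixture's new `ReportContentSecurityPolicyViolation` override (new lines 18-21) keeps only `violation_params.console_message` and discards the rest of the `CSPViolationParams`, so none of the three tests can assert what a report endpoint would actually receive — they only check the developer-facing console string. Storing a copy of the whole params in the fixture (e.g. `last_violation_ = violation_params;` plus an accessor) would let ReportViolation and DirectiveFallback also pin the blocked URL and the effective directive, which is the part of the report that matters when checking for policy bypasses. Every `Allow` call now also passes a bare positional `false` before `&context`; an argument comment such as `/*is_redirect=*/false`, if that is indeed the parameter's name in csp_context.h, would make the intent readable at each call site. Note that `report_end_points` is empty in all three tests, so the report-sending path itself remains unexercised here.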