
Side by Side Diff: content/common/content_security_policy/content_security_policy_unittest.cc

Issue 2761153003: PlzNavigate & CSP. Use the SourceLocation in violation reports. (Closed)
Patch Set: Addressed comment @alexmos Created 3 years, 8 months ago
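--- a/content/common/content_security_policy/content_security_policy_unittest.cc
+++ b/content/common/content_security_policy/content_security_policy_unittest.cc
@@ -1,127 +1,135 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_context.h"
 #include "content/common/content_security_policy_header.h"
+#include "content/common/navigation_params.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace content {
 
 namespace {
 class CSPContextTest : public CSPContext {
  public:
   const std::string& LastConsoleMessage() { return console_message_; }
 
  private:
-  void LogToConsole(const std::string& message) override {
-    console_message_ = message;
+  void ReportContentSecurityPolicyViolation(
+      const CSPViolationParams& violation_params) override {
+    console_message_ = violation_params.console_message;
   }
   std::string console_message_;
 };
 
 ContentSecurityPolicyHeader EmptyCspHeader() {
   return ContentSecurityPolicyHeader(std::string(),
                                      blink::WebContentSecurityPolicyTypeEnforce,
                                      blink::WebContentSecurityPolicySourceHTTP);
 }
 
 }  // namespace
 
 TEST(ContentSecurityPolicy, NoDirective) {
   CSPContextTest context;
   std::vector<std::string> report_end_points;  // empty
   ContentSecurityPolicy policy(EmptyCspHeader(), std::vector<CSPDirective>(),
                                report_end_points);
 
   EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction,
                                            GURL("http://www.example.com"),
-                                           &context));
+                                           false, &context, SourceLocation()));
   EXPECT_EQ("", context.LastConsoleMessage());
 }
 
 TEST(ContentSecurityPolicy, ReportViolation) {
   CSPContextTest context;
 
   // source = "www.example.com"
   CSPSource source("", "www.example.com", false, url::PORT_UNSPECIFIED, false,
                    "");
   CSPSourceList source_list(false, false, {source});
   CSPDirective directive(CSPDirective::FormAction, source_list);
   std::vector<std::string> report_end_points;  // empty
   ContentSecurityPolicy policy(EmptyCspHeader(), {directive},
                                report_end_points);
 
   EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction,
                                             GURL("http://www.not-example.com"),
-                                            &context));
+                                            false, &context, SourceLocation()));
 
   const char console_message[] =
       "Refused to send form data to 'http://www.not-example.com/' because it "
       "violates the following Content Security Policy directive: \"form-action "
       "www.example.com\".\n";
   EXPECT_EQ(console_message, context.LastConsoleMessage());
 }
 
 TEST(ContentSecurityPolicy, DirectiveFallback) {
   CSPSource source_a("http", "a.com", false, url::PORT_UNSPECIFIED, false, "");
   CSPSource source_b("http", "b.com", false, url::PORT_UNSPECIFIED, false, "");
   CSPSourceList source_list_a(false, false, {source_a});
   CSPSourceList source_list_b(false, false, {source_b});
 
   std::vector<std::string> report_end_points;  // Empty.
 
   {
     CSPContextTest context;
     ContentSecurityPolicy policy(
         EmptyCspHeader(),
         {CSPDirective(CSPDirective::DefaultSrc, source_list_a)},
         report_end_points);
     EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-                                              GURL("http://b.com"), &context));
+                                              GURL("http://b.com"), false,
+                                              &context, SourceLocation()));
     const char console_message[] =
         "Refused to frame 'http://b.com/' because it violates "
         "the following Content Security Policy directive: \"default-src "
         "http://a.com\". Note that 'frame-src' was not explicitly "
         "set, so 'default-src' is used as a fallback.\n";
     EXPECT_EQ(console_message, context.LastConsoleMessage());
     EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-                                             GURL("http://a.com"), &context));
+                                             GURL("http://a.com"), false,
+                                             &context, SourceLocation()));
   }
   {
     CSPContextTest context;
     ContentSecurityPolicy policy(
         EmptyCspHeader(), {CSPDirective(CSPDirective::ChildSrc, source_list_a)},
         report_end_points);
     EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-                                              GURL("http://b.com"), &context));
+                                              GURL("http://b.com"), false,
+                                              &context, SourceLocation()));
     const char console_message[] =
         "Refused to frame 'http://b.com/' because it violates "
         "the following Content Security Policy directive: \"child-src "
         "http://a.com\". Note that 'frame-src' was not explicitly "
         "set, so 'child-src' is used as a fallback.\n";
     EXPECT_EQ(console_message, context.LastConsoleMessage());
     EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-                                             GURL("http://a.com"), &context));
+                                             GURL("http://a.com"), false,
+                                             &context, SourceLocation()));
   }
   {
     CSPContextTest context;
     CSPSourceList source_list(false, false, {source_a, source_b});
     ContentSecurityPolicy policy(
         EmptyCspHeader(),
         {CSPDirective(CSPDirective::FrameSrc, {source_list_a}),
          CSPDirective(CSPDirective::ChildSrc, {source_list_b})},
         report_end_points);
     EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-                                             GURL("http://a.com"), &context));
+                                             GURL("http://a.com"), false,
+                                             &context, SourceLocation()));
     EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-                                              GURL("http://b.com"), &context));
+                                              GURL("http://b.com"), false,
+                                              &context, SourceLocation()));
     const char console_message[] =
         "Refused to frame 'http://b.com/' because it violates "
         "the following Content Security Policy directive: \"frame-src "
         "http://a.com\".\n";
     EXPECT_EQ(console_message, context.LastConsoleMessage());
   }
 }
 
 }  // namespace content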
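Review bot: The new `SourceLocation` argument is only ever passed as a default-constructed `SourceLocation()` at every `Allow` call site in this file, and `CSPContextTest::ReportContentSecurityPolicyViolation` keeps nothing but `violation_params.console_message`, so no assertion here checks that the location handed to `Allow` actually reaches the violation report, which is the behaviour the CL title describes. Consider having the test context retain the full `CSPViolationParams` it receives (for example by storing a copy next to `console_message_` and exposing it through an accessor) and adding a case to `ReportViolation` that passes a non-default location and asserts it is carried through unchanged; reports can be delivered to the configured report endpoints, so pinning that the report carries the caller's location rather than an empty one is worth a dedicated test. The bare `false` inserted before `&context` at the same call sites is an unnamed positional bool whose meaning is not visible in this file; a `/* <parameter name> */` comment at each site would make the intent readable without opening csp_context.h.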