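--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,128 +1,136 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_context.h"
 #include "content/common/content_security_policy_header.h"
+#include "content/common/navigation_params.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace content {
 
 namespace {
 class CSPContextTest : public CSPContext {
 public:
 const std::string& LastConsoleMessage() { return console_message_; }
 
 private:
-void LogToConsole(const std::string& message) override {
-console_message_ = message;
+void ReportContentSecurityPolicyViolation(
+const CSPViolationParams& violation_params) override {
+console_message_ = violation_params.console_message;
 }
 std::string console_message_;
 };
 
 } // namespace
 
 TEST(ContentSecurityPolicy, NoDirective) {
 CSPContextTest context;
 std::vector<std::string> report_end_points; // empty
 ContentSecurityPolicy policy(blink::WebContentSecurityPolicyTypeEnforce,
 blink::WebContentSecurityPolicySourceHTTP,
 std::vector<CSPDirective>(), report_end_points,
 "" /* header */);
 
 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction,
 GURL("http://www.example.com"),
-&context));
+false, &context, SourceLocation()));
 EXPECT_EQ("", context.LastConsoleMessage());
 }
 
 TEST(ContentSecurityPolicy, ReportViolation) {
 CSPContextTest context;
 
 // source = "www.example.com"
 CSPSource source("", "www.example.com", false, url::PORT_UNSPECIFIED, false,
 "");
 CSPSourceList source_list(false, false, {source});
 CSPDirective directive(CSPDirective::FormAction, source_list);
 std::vector<std::string> report_end_points; // empty
 ContentSecurityPolicy policy(blink::WebContentSecurityPolicyTypeEnforce,
 blink::WebContentSecurityPolicySourceHTTP,
 {directive}, report_end_points, "" /* header */);
 
 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction,
 GURL("http://www.not-example.com"),
-&context));
+false, &context, SourceLocation()));
 
 const char console_message[] =
 "Refused to send form data to 'http://www.not-example.com/' because it "
 "violates the following Content Security Policy directive: \"form-action "
 "www.example.com\".\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 }
 
 TEST(ContentSecurityPolicy, DirectiveFallback) {
 CSPSource source_a("http", "a.com", false, url::PORT_UNSPECIFIED, false, "");
 CSPSource source_b("http", "b.com", false, url::PORT_UNSPECIFIED, false, "");
 CSPSourceList source_list_a(false, false, {source_a});
 CSPSourceList source_list_b(false, false, {source_b});
 
 std::vector<std::string> report_end_points; // Empty.
 
 {
 CSPContextTest context;
 ContentSecurityPolicy policy(
 blink::WebContentSecurityPolicyTypeEnforce,
 blink::WebContentSecurityPolicySourceHTTP,
 {CSPDirective(CSPDirective::DefaultSrc, source_list_a)},
 report_end_points, "" /* header */);
 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-GURL("http://b.com"), &context));
+GURL("http://b.com"), false,
+&context, SourceLocation()));
 const char console_message[] =
 "Refused to frame 'http://b.com/' because it violates "
 "the following Content Security Policy directive: \"default-src "
 "http://a.com\". Note that 'frame-src' was not explicitly "
 "set, so 'default-src' is used as a fallback.\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-GURL("http://a.com"), &context));
+GURL("http://a.com"), false,
+&context, SourceLocation()));
 }
 {
 CSPContextTest context;
 ContentSecurityPolicy policy(
 blink::WebContentSecurityPolicyTypeEnforce,
 blink::WebContentSecurityPolicySourceHTTP,
 {CSPDirective(CSPDirective::ChildSrc, source_list_a)},
 report_end_points, "" /* header */);
 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-GURL("http://b.com"), &context));
+GURL("http://b.com"), false,
+&context, SourceLocation()));
 const char console_message[] =
 "Refused to frame 'http://b.com/' because it violates "
 "the following Content Security Policy directive: \"child-src "
 "http://a.com\". Note that 'frame-src' was not explicitly "
 "set, so 'child-src' is used as a fallback.\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-GURL("http://a.com"), &context));
+GURL("http://a.com"), false,
+&context, SourceLocation()));
 }
 {
 CSPContextTest context;
 CSPSourceList source_list(false, false, {source_a, source_b});
 ContentSecurityPolicy policy(
 blink::WebContentSecurityPolicyTypeEnforce,
 blink::WebContentSecurityPolicySourceHTTP,
 {CSPDirective(CSPDirective::FrameSrc, {source_list_a}),
 CSPDirective(CSPDirective::ChildSrc, {source_list_b})},
 report_end_points, "" /* header */);
 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-GURL("http://a.com"), &context));
+GURL("http://a.com"), false,
+&context, SourceLocation()));
 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
-GURL("http://b.com"), &context));
+GURL("http://b.com"), false,
+&context, SourceLocation()));
 const char console_message[] =
 "Refused to frame 'http://b.com/' because it violates "
 "the following Content Security Policy directive: \"frame-src "
 "http://a.com\".\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 }
 }
 
 } // namespace content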
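Review bot: Every new `ContentSecurityPolicy::Allow` call passes the added boolean as a bare `false` (NoDirective, ReportViolation and all three DirectiveFallback blocks), so whichever path that argument selects inside `Allow` is never exercised by this file, and the literal gives the reader no hint of what it means. The file already annotates its other opaque literal as `"" /* header */`; annotate this one the same way with the parameter's name from csp_context.h, and add at least one case that passes `true` against the same policy and checks both the verdict and the resulting console message, since an argument that presumably alters how a blocked URL is reported is where a CSP check is most likely to diverge from the cases covered here. The rewritten `CSPContextTest::ReportContentSecurityPolicyViolation` override also keeps only `violation_params.console_message`, so if `CSPViolationParams` carries further fields (blocked URL, effective directive, report endpoints), none of them is asserted any more; storing the whole struct, `CSPViolationParams last_violation_;`, and exposing it next to `LastConsoleMessage()` would let the tests pin the full report rather than just its text.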