OLD | NEW |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/content_security_policy/csp_context.h" | 5 #include "content/common/content_security_policy/csp_context.h" |
6 #include "content/common/content_security_policy_header.h" | 6 #include "content/common/content_security_policy_header.h" |
| 7 #include "content/common/navigation_params.h" |
7 #include "testing/gtest/include/gtest/gtest.h" | 8 #include "testing/gtest/include/gtest/gtest.h" |
8 | 9 |
9 namespace content { | 10 namespace content { |
10 | 11 |
11 namespace { | 12 namespace { |
12 | 13 |
13 class CSPContextTest : public CSPContext { | 14 class CSPContextTest : public CSPContext { |
14 public: | 15 public: |
15 const std::string& LastConsoleMessage() { return console_message_; } | 16 const std::string& LastConsoleMessage() { return console_message_; } |
16 | 17 |
17 void AddSchemeToBypassCSP(const std::string& scheme) { | 18 void AddSchemeToBypassCSP(const std::string& scheme) { |
18 scheme_to_bypass_.push_back(scheme); | 19 scheme_to_bypass_.push_back(scheme); |
19 } | 20 } |
20 | 21 |
21 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { | 22 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { |
22 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), | 23 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), |
23 scheme) != scheme_to_bypass_.end(); | 24 scheme) != scheme_to_bypass_.end(); |
24 } | 25 } |
25 | 26 |
26 private: | 27 private: |
27 void LogToConsole(const std::string& message) override { | 28 void ReportContentSecurityPolicyViolation( |
28 console_message_ = message; | 29 const CSPViolationParams& violation_params) override { |
| 30 console_message_ = violation_params.console_message; |
29 } | 31 } |
30 std::string console_message_; | 32 std::string console_message_; |
31 std::vector<std::string> scheme_to_bypass_; | 33 std::vector<std::string> scheme_to_bypass_; |
32 }; | 34 }; |
33 | 35 |
34 // Build a new policy made of only one directive and no report endpoints. | 36 // Build a new policy made of only one directive and no report endpoints. |
35 ContentSecurityPolicy BuildPolicy(CSPDirective::Name directive_name, | 37 ContentSecurityPolicy BuildPolicy(CSPDirective::Name directive_name, |
36 std::vector<CSPSource> sources) { | 38 std::vector<CSPSource> sources) { |
37 return ContentSecurityPolicy( | 39 return ContentSecurityPolicy( |
38 blink::WebContentSecurityPolicyTypeEnforce, | 40 blink::WebContentSecurityPolicyTypeEnforce, |
39 blink::WebContentSecurityPolicySourceHTTP, | 41 blink::WebContentSecurityPolicySourceHTTP, |
40 {CSPDirective(directive_name, CSPSourceList(false, false, sources))}, | 42 {CSPDirective(directive_name, CSPSourceList(false, false, sources))}, |
41 std::vector<std::string>(), // report_end_points | 43 std::vector<std::string>(), // report_end_points |
42 std::string()); // header | 44 std::string()); // header |
43 } | 45 } |
44 | 46 |
45 } // namespace; | 47 } // namespace |
46 | 48 |
47 TEST(CSPContextTest, SchemeShouldBypassCSP) { | 49 TEST(CSPContextTest, SchemeShouldBypassCSP) { |
48 CSPSource source("", "example.com", false, url::PORT_UNSPECIFIED, false, ""); | 50 CSPSource source("", "example.com", false, url::PORT_UNSPECIFIED, false, ""); |
49 CSPContextTest context; | 51 CSPContextTest context; |
50 context.AddContentSecurityPolicy( | 52 context.AddContentSecurityPolicy( |
51 BuildPolicy(CSPDirective::DefaultSrc, {source})); | 53 BuildPolicy(CSPDirective::DefaultSrc, {source})); |
52 | 54 |
53 EXPECT_FALSE(context.IsAllowedByCsp(CSPDirective::FrameSrc, | 55 EXPECT_FALSE(context.EnforceCsp(CSPDirective::FrameSrc, |
54 GURL("data:text/html,<html></html>"))); | 56 GURL("data:text/html,<html></html>"), false, |
| 57 SourceLocation())); |
55 | 58 |
56 context.AddSchemeToBypassCSP("data"); | 59 context.AddSchemeToBypassCSP("data"); |
57 | 60 |
58 EXPECT_TRUE(context.IsAllowedByCsp(CSPDirective::FrameSrc, | 61 EXPECT_TRUE(context.EnforceCsp(CSPDirective::FrameSrc, |
59 GURL("data:text/html,<html></html>"))); | 62 GURL("data:text/html,<html></html>"), false, |
| 63 SourceLocation())); |
60 } | 64 } |
61 | 65 |
62 TEST(CSPContextTest, MultiplePolicies) { | 66 TEST(CSPContextTest, MultiplePolicies) { |
63 CSPContextTest context; | 67 CSPContextTest context; |
64 context.SetSelf(url::Origin(GURL("http://example.com"))); | 68 context.SetSelf(url::Origin(GURL("http://example.com"))); |
65 | 69 |
66 CSPSource source_a("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); | 70 CSPSource source_a("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); |
67 CSPSource source_b("", "b.com", false, url::PORT_UNSPECIFIED, false, ""); | 71 CSPSource source_b("", "b.com", false, url::PORT_UNSPECIFIED, false, ""); |
68 CSPSource source_c("", "c.com", false, url::PORT_UNSPECIFIED, false, ""); | 72 CSPSource source_c("", "c.com", false, url::PORT_UNSPECIFIED, false, ""); |
69 | 73 |
70 context.AddContentSecurityPolicy( | 74 context.AddContentSecurityPolicy( |
71 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_b})); | 75 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_b})); |
72 context.AddContentSecurityPolicy( | 76 context.AddContentSecurityPolicy( |
73 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_c})); | 77 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_c})); |
74 | 78 |
75 EXPECT_TRUE( | 79 EXPECT_TRUE(context.EnforceCsp(CSPDirective::FrameSrc, GURL("http://a.com"), |
76 context.IsAllowedByCsp(CSPDirective::FrameSrc, GURL("http://a.com"))); | 80 false, SourceLocation())); |
77 EXPECT_FALSE( | 81 EXPECT_FALSE(context.EnforceCsp(CSPDirective::FrameSrc, GURL("http://b.com"), |
78 context.IsAllowedByCsp(CSPDirective::FrameSrc, GURL("http://b.com"))); | 82 false, SourceLocation())); |
79 EXPECT_FALSE( | 83 EXPECT_FALSE(context.EnforceCsp(CSPDirective::FrameSrc, GURL("http://c.com"), |
80 context.IsAllowedByCsp(CSPDirective::FrameSrc, GURL("http://c.com"))); | 84 false, SourceLocation())); |
81 EXPECT_FALSE( | 85 EXPECT_FALSE(context.EnforceCsp(CSPDirective::FrameSrc, GURL("http://d.com"), |
82 context.IsAllowedByCsp(CSPDirective::FrameSrc, GURL("http://d.com"))); | 86 false, SourceLocation())); |
83 } | 87 } |
84 | 88 |
85 } // namespace content | 89 } // namespace content |
OLD | NEW |