Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(217)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/content_security_policy/csp_context_unittest.cc

Issue 2761153003: PlzNavigate & CSP. Use the SourceLocation in violation reports. (Closed)
Patch Set: Nit. Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« content/browser/frame_host/ancestor_throttle.cc ('K') | « content/common/content_security_policy/csp_context.cc ('k') | content/common/frame_messages.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2017 The Chromium Authors. All rights reserved. 1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/content_security_policy/csp_context.h" 5 #include "content/common/content_security_policy/csp_context.h"
6 #include "content/common/content_security_policy_header.h" 6 #include "content/common/content_security_policy_header.h"
7 #include "content/common/navigation_params.h"
7 #include "testing/gtest/include/gtest/gtest.h" 8 #include "testing/gtest/include/gtest/gtest.h"
8 9
9 namespace content { 10 namespace content {
10 11
11 namespace { 12 namespace {
12 13
13 class CSPContextTest : public CSPContext { 14 class CSPContextTest : public CSPContext {
14 public: 15 public:
15 const std::string& LastConsoleMessage() { return console_message_; } 16 const std::string& LastConsoleMessage() { return console_message_; }
16 17
17 void AddSchemeToBypassCSP(const std::string& scheme) { 18 void AddSchemeToBypassCSP(const std::string& scheme) {
18 scheme_to_bypass_.push_back(scheme); 19 scheme_to_bypass_.push_back(scheme);
19 } 20 }
20 21
21 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { 22 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
22 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), 23 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
23 scheme) != scheme_to_bypass_.end(); 24 scheme) != scheme_to_bypass_.end();
24 } 25 }
25 26
26 private: 27 private:
27 void LogToConsole(const std::string& message) override { 28 void ReportContentSecurityPolicyViolation(
28 console_message_ = message; 29 const CSPViolationParams& violation_params) override {
30 console_message_ = violation_params.console_message;
29 } 31 }
30 std::string console_message_; 32 std::string console_message_;
31 std::vector<std::string> scheme_to_bypass_; 33 std::vector<std::string> scheme_to_bypass_;
32 }; 34 };
33 35
34 // Build a new policy made of only one directive and no report endpoints. 36 // Build a new policy made of only one directive and no report endpoints.
35 ContentSecurityPolicy BuildPolicy(CSPDirective::Name directive_name, 37 ContentSecurityPolicy BuildPolicy(CSPDirective::Name directive_name,
36 std::vector<CSPSource> sources) { 38 std::vector<CSPSource> sources) {
37 return ContentSecurityPolicy( 39 return ContentSecurityPolicy(
38 blink::WebContentSecurityPolicyTypeEnforce, 40 blink::WebContentSecurityPolicyTypeEnforce,
39 blink::WebContentSecurityPolicySourceHTTP, 41 blink::WebContentSecurityPolicySourceHTTP,
40 {CSPDirective(directive_name, CSPSourceList(false, false, sources))}, 42 {CSPDirective(directive_name, CSPSourceList(false, false, sources))},
41 std::vector<std::string>(), // report_end_points 43 std::vector<std::string>(), // report_end_points
42 std::string()); // header 44 std::string()); // header
43 } 45 }
44 46
45 } // namespace; 47 } // namespace
46 48
47 TEST(CSPContextTest, SchemeShouldBypassCSP) { 49 TEST(CSPContextTest, SchemeShouldBypassCSP) {
48 CSPSource source("", "example.com", false, url::PORT_UNSPECIFIED, false, ""); 50 CSPSource source("", "example.com", false, url::PORT_UNSPECIFIED, false, "");
49 CSPContextTest context; 51 CSPContextTest context;
50 context.AddContentSecurityPolicy( 52 context.AddContentSecurityPolicy(
51 BuildPolicy(CSPDirective::DefaultSrc, {source})); 53 BuildPolicy(CSPDirective::DefaultSrc, {source}));
52 54
53 EXPECT_FALSE(context.IsAllowedByCsp(CSPDirective::FrameSrc, 55 EXPECT_FALSE(context.EnforceCsp(CSPDirective::FrameSrc,
54 GURL("data:text/html,<html></html>"))); 56 GURL("data:text/html,<html></html>"), false,
57 SourceLocation()));
55 58
56 context.AddSchemeToBypassCSP("data"); 59 context.AddSchemeToBypassCSP("data");
57 60
58 EXPECT_TRUE(context.IsAllowedByCsp(CSPDirective::FrameSrc, 61 EXPECT_TRUE(context.EnforceCsp(CSPDirective::FrameSrc,
59 GURL("data:text/html,<html></html>"))); 62 GURL("data:text/html,<html></html>"), false,
63 SourceLocation()));
60 } 64 }
61 65
62 TEST(CSPContextTest, MultiplePolicies) { 66 TEST(CSPContextTest, MultiplePolicies) {
63 CSPContextTest context; 67 CSPContextTest context;
64 context.SetSelf(url::Origin(GURL("http://example.com"))); 68 context.SetSelf(url::Origin(GURL("http://example.com")));
65 69
66 CSPSource source_a("", "a.com", false, url::PORT_UNSPECIFIED, false, ""); 70 CSPSource source_a("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
67 CSPSource source_b("", "b.com", false, url::PORT_UNSPECIFIED, false, ""); 71 CSPSource source_b("", "b.com", false, url::PORT_UNSPECIFIED, false, "");
68 CSPSource source_c("", "c.com", false, url::PORT_UNSPECIFIED, false, ""); 72 CSPSource source_c("", "c.com", false, url::PORT_UNSPECIFIED, false, "");
69 73
70 context.AddContentSecurityPolicy( 74 context.AddContentSecurityPolicy(
71 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_b})); 75 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_b}));
72 context.AddContentSecurityPolicy( 76 context.AddContentSecurityPolicy(
73 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_c})); 77 BuildPolicy(CSPDirective::FrameSrc, {source_a, source_c}));
74 78
75 EXPECT_TRUE( 79 EXPECT_TRUE(context.EnforceCsp(CSPDirective::FrameSrc, GURL("http://a.com"),
76 context.IsAllowedByCsp(CSPDirective::FrameSrc, GURL("http://a.com"))); 80 false, SourceLocation()));
77 EXPECT_FALSE( 81 EXPECT_FALSE(context.EnforceCsp(CSPDirective::FrameSrc, GURL("http://b.com"),
78 context.IsAllowedByCsp(CSPDirective::FrameSrc, GURL("http://b.com"))); 82 false, SourceLocation()));
79 EXPECT_FALSE( 83 EXPECT_FALSE(context.EnforceCsp(CSPDirective::FrameSrc, GURL("http://c.com"),
80 context.IsAllowedByCsp(CSPDirective::FrameSrc, GURL("http://c.com"))); 84 false, SourceLocation()));
81 EXPECT_FALSE( 85 EXPECT_FALSE(context.EnforceCsp(CSPDirective::FrameSrc, GURL("http://d.com"),
82 context.IsAllowedByCsp(CSPDirective::FrameSrc, GURL("http://d.com"))); 86 false, SourceLocation()));
83 } 87 }
84 88
85 } // namespace content 89 } // namespace content
OLDNEW
« content/browser/frame_host/ancestor_throttle.cc ('K') | « content/common/content_security_policy/csp_context.cc ('k') | content/common/frame_messages.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698