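--- a/PATH_UNKNOWN
+++ b/PATH_UNKNOWN
@@ -1,128 +1,127 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_context.h"
 #include "content/common/content_security_policy_header.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace content {
 
 namespace {
 class CSPContextTest : public CSPContext {
 public:
 const std::string& LastConsoleMessage() { return console_message_; }
 
 private:
 void LogToConsole(const std::string& message) override {
 console_message_ = message;
 }
 std::string console_message_;
 };
 
+ContentSecurityPolicyHeader EmptyCspHeader() {
+return ContentSecurityPolicyHeader(std::string(),
+blink::WebContentSecurityPolicyTypeEnforce,
+blink::WebContentSecurityPolicySourceHTTP);
+}
+
 } // namespace
 
 TEST(ContentSecurityPolicy, NoDirective) {
 CSPContextTest context;
 std::vector<std::string> report_end_points; // empty
-ContentSecurityPolicy policy(blink::WebContentSecurityPolicyTypeEnforce,
-blink::WebContentSecurityPolicySourceHTTP,
-std::vector<CSPDirective>(), report_end_points,
-"" /* header */);
+ContentSecurityPolicy policy(EmptyCspHeader(), std::vector<CSPDirective>(),
+report_end_points);
 
 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction,
 GURL("http://www.example.com"),
 &context));
 EXPECT_EQ("", context.LastConsoleMessage());
 }
 
 TEST(ContentSecurityPolicy, ReportViolation) {
 CSPContextTest context;
 
 // source = "www.example.com"
 CSPSource source("", "www.example.com", false, url::PORT_UNSPECIFIED, false,
 "");
 CSPSourceList source_list(false, false, {source});
 CSPDirective directive(CSPDirective::FormAction, source_list);
 std::vector<std::string> report_end_points; // empty
-ContentSecurityPolicy policy(blink::WebContentSecurityPolicyTypeEnforce,
-blink::WebContentSecurityPolicySourceHTTP,
-{directive}, report_end_points, "" /* header */);
+ContentSecurityPolicy policy(EmptyCspHeader(), {directive},
+report_end_points);
 
 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FormAction,
 GURL("http://www.not-example.com"),
 &context));
 
 const char console_message[] =
 "Refused to send form data to 'http://www.not-example.com/' because it "
 "violates the following Content Security Policy directive: \"form-action "
 "www.example.com\".\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 }
 
 TEST(ContentSecurityPolicy, DirectiveFallback) {
 CSPSource source_a("http", "a.com", false, url::PORT_UNSPECIFIED, false, "");
 CSPSource source_b("http", "b.com", false, url::PORT_UNSPECIFIED, false, "");
 CSPSourceList source_list_a(false, false, {source_a});
 CSPSourceList source_list_b(false, false, {source_b});
 
 std::vector<std::string> report_end_points; // Empty.
 
 {
 CSPContextTest context;
 ContentSecurityPolicy policy(
-blink::WebContentSecurityPolicyTypeEnforce,
-blink::WebContentSecurityPolicySourceHTTP,
+EmptyCspHeader(),
 {CSPDirective(CSPDirective::DefaultSrc, source_list_a)},
-report_end_points, "" /* header */);
+report_end_points);
 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
 GURL("http://b.com"), &context));
 const char console_message[] =
 "Refused to frame 'http://b.com/' because it violates "
 "the following Content Security Policy directive: \"default-src "
 "http://a.com\". Note that 'frame-src' was not explicitly "
 "set, so 'default-src' is used as a fallback.\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
 GURL("http://a.com"), &context));
 }
 {
 CSPContextTest context;
 ContentSecurityPolicy policy(
-blink::WebContentSecurityPolicyTypeEnforce,
-blink::WebContentSecurityPolicySourceHTTP,
-{CSPDirective(CSPDirective::ChildSrc, source_list_a)},
-report_end_points, "" /* header */);
+EmptyCspHeader(), {CSPDirective(CSPDirective::ChildSrc, source_list_a)},
+report_end_points);
 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
 GURL("http://b.com"), &context));
 const char console_message[] =
 "Refused to frame 'http://b.com/' because it violates "
 "the following Content Security Policy directive: \"child-src "
 "http://a.com\". Note that 'frame-src' was not explicitly "
 "set, so 'child-src' is used as a fallback.\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
 GURL("http://a.com"), &context));
 }
 {
 CSPContextTest context;
 CSPSourceList source_list(false, false, {source_a, source_b});
 ContentSecurityPolicy policy(
-blink::WebContentSecurityPolicyTypeEnforce,
-blink::WebContentSecurityPolicySourceHTTP,
+EmptyCspHeader(),
 {CSPDirective(CSPDirective::FrameSrc, {source_list_a}),
 CSPDirective(CSPDirective::ChildSrc, {source_list_b})},
-report_end_points, "" /* header */);
+report_end_points);
 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
 GURL("http://a.com"), &context));
 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
 GURL("http://b.com"), &context));
 const char console_message[] =
 "Refused to frame 'http://b.com/' because it violates "
 "the following Content Security Policy directive: \"frame-src "
 "http://a.com\".\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 }
 }
 
 } // namespace content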
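Review bot: `EmptyCspHeader()` (new lines 23–27) hard-codes the disposition to `blink::WebContentSecurityPolicyTypeEnforce` and the delivery source to `blink::WebContentSecurityPolicySourceHTTP`, but its name only advertises the empty policy string, and since every `ContentSecurityPolicy` in this file is now built through it, no test exercises a report-only or `<meta>`-delivered header. Those two fields are exactly what the constructor change moved into the header object, so the helper silently narrows the coverage the old inline arguments made visible. At minimum give the helper a comment such as `// Enforce-mode, HTTP-delivered header with an empty policy string; tests covering report-only or <meta> delivery need their own header.`; if report-only behaviour is meant to be tested here (e.g. that a violation is logged but `Allow` still returns true), a variant taking the type and source as parameters would keep the call sites short without hiding them. The NoDirective expectation `EXPECT_EQ("", context.LastConsoleMessage())` only holds because the fixture keeps a single message, which is worth a one-line note on `CSPContextTest`.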