| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/content_security_policy/csp_context.h" | 5 #include "content/common/content_security_policy/csp_context.h" |
| 6 #include "content/common/content_security_policy_header.h" | 6 #include "content/common/content_security_policy_header.h" |
| 7 #include "content/common/navigation_params.h" | 7 #include "content/common/navigation_params.h" |
| 8 #include "testing/gtest/include/gtest/gtest.h" | 8 #include "testing/gtest/include/gtest/gtest.h" |
| 9 | 9 |
| 10 namespace content { | 10 namespace content { |
| 11 | 11 |
| 12 namespace { | 12 namespace { |
| 13 class CSPContextTest : public CSPContext { | 13 class CSPContextTest : public CSPContext { |
| 14 public: | 14 public: |
| 15 const std::string& LastConsoleMessage() { return console_message_; } | 15 const std::string& LastConsoleMessage() { return console_message_; } |
| 16 | 16 |
| 17 void AddSchemeToBypassCSP(const std::string& scheme) { | |
| 18 scheme_to_bypass_.push_back(scheme); | |
| 19 } | |
| 20 | |
| 21 bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { | |
| 22 return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), | |
| 23 scheme) != scheme_to_bypass_.end(); | |
| 24 } | |
| 25 | |
| 17 private: | 26 private: |
| 18 void ReportContentSecurityPolicyViolation( | 27 void ReportContentSecurityPolicyViolation( |
| 19 const CSPViolationParams& violation_params) override { | 28 const CSPViolationParams& violation_params) override { |
| 20 console_message_ = violation_params.console_message; | 29 console_message_ = violation_params.console_message; |
| 21 } | 30 } |
| 22 std::string console_message_; | 31 std::string console_message_; |
| 32 std::vector<std::string> scheme_to_bypass_; | |
| 23 }; | 33 }; |
|
jochen (gone - plz use gerrit)
2017/04/05 12:22:35
please add DISALLOW_COPY_AND_ASSIGN(CSPContextTest
andypaicu
2017/04/05 12:55:00
Done
| |
| 24 | 34 |
| 25 ContentSecurityPolicyHeader EmptyCspHeader() { | 35 ContentSecurityPolicyHeader EmptyCspHeader() { |
| 26 return ContentSecurityPolicyHeader(std::string(), | 36 return ContentSecurityPolicyHeader(std::string(), |
| 27 blink::WebContentSecurityPolicyTypeEnforce, | 37 blink::WebContentSecurityPolicyTypeEnforce, |
| 28 blink::WebContentSecurityPolicySourceHTTP); | 38 blink::WebContentSecurityPolicySourceHTTP); |
| 29 } | 39 } |
| 30 | 40 |
| 31 } // namespace | 41 } // namespace |
| 32 | 42 |
| 33 TEST(ContentSecurityPolicy, NoDirective) { | 43 TEST(ContentSecurityPolicy, NoDirective) { |
| 125 GURL("http://b.com"), false, | 135 GURL("http://b.com"), false, |
| 126 &context, SourceLocation())); | 136 &context, SourceLocation())); |
| 127 const char console_message[] = | 137 const char console_message[] = |
| 128 "Refused to frame 'http://b.com/' because it violates " | 138 "Refused to frame 'http://b.com/' because it violates " |
| 129 "the following Content Security Policy directive: \"frame-src " | 139 "the following Content Security Policy directive: \"frame-src " |
| 130 "http://a.com\".\n"; | 140 "http://a.com\".\n"; |
| 131 EXPECT_EQ(console_message, context.LastConsoleMessage()); | 141 EXPECT_EQ(console_message, context.LastConsoleMessage()); |
| 132 } | 142 } |
| 133 } | 143 } |
| 134 | 144 |
| 145 TEST(ContentSecurityPolicy, RequestsAllowedWhenBypassingCSP) { | |
| 146 CSPContextTest context; | |
| 147 std::vector<std::string> report_end_points; // empty | |
| 148 CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false, | |
| 149 ""); | |
| 150 CSPSourceList source_list(false, false, {source}); | |
| 151 ContentSecurityPolicy policy( | |
| 152 EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)}, | |
| 153 report_end_points); | |
| 154 | |
| 155 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | |
| 156 GURL("https://example.com/"), false, | |
| 157 &context, SourceLocation())); | |
| 158 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | |
| 159 GURL("https://not-example.com/"), | |
| 160 false, &context, SourceLocation())); | |
| 161 | |
| 162 // Register 'https' as bypassing CSP, which should now bypass is entirely. | |
| 163 context.AddSchemeToBypassCSP("https"); | |
| 164 | |
| 165 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | |
| 166 GURL("https://example.com/"), false, | |
| 167 &context, SourceLocation())); | |
| 168 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | |
| 169 GURL("https://not-example.com/"), | |
| 170 false, &context, SourceLocation())); | |
| 171 } | |
| 172 | |
| 173 TEST(ContentSecurityPolicy, FilesystemAllowedWhenBypassingCSP) { | |
| 174 CSPContextTest context; | |
| 175 std::vector<std::string> report_end_points; // empty | |
| 176 CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false, | |
| 177 ""); | |
| 178 CSPSourceList source_list(false, false, {source}); | |
| 179 ContentSecurityPolicy policy( | |
| 180 EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)}, | |
| 181 report_end_points); | |
| 182 | |
| 183 EXPECT_FALSE(ContentSecurityPolicy::Allow( | |
| 184 policy, CSPDirective::FrameSrc, | |
| 185 GURL("filesystem:https://example.com/file.txt"), false, &context, | |
| 186 SourceLocation())); | |
| 187 EXPECT_FALSE(ContentSecurityPolicy::Allow( | |
| 188 policy, CSPDirective::FrameSrc, | |
| 189 GURL("filesystem:https://not-example.com/file.txt"), false, &context, | |
| 190 SourceLocation())); | |
| 191 | |
| 192 // Register 'https' as bypassing CSP, which should now bypass is entirely. | |
| 193 context.AddSchemeToBypassCSP("https"); | |
| 194 | |
| 195 EXPECT_TRUE(ContentSecurityPolicy::Allow( | |
| 196 policy, CSPDirective::FrameSrc, | |
| 197 GURL("filesystem:https://example.com/file.txt"), false, &context, | |
| 198 SourceLocation())); | |
| 199 EXPECT_TRUE(ContentSecurityPolicy::Allow( | |
| 200 policy, CSPDirective::FrameSrc, | |
| 201 GURL("filesystem:https://not-example.com/file.txt"), false, &context, | |
| 202 SourceLocation())); | |
| 203 } | |
| 204 | |
| 205 TEST(ContentSecurityPolicy, BlobAllowedWhenBypassingCSP) { | |
| 206 CSPContextTest context; | |
| 207 std::vector<std::string> report_end_points; // empty | |
| 208 CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false, | |
| 209 ""); | |
| 210 CSPSourceList source_list(false, false, {source}); | |
| 211 ContentSecurityPolicy policy( | |
| 212 EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)}, | |
| 213 report_end_points); | |
| 214 | |
| 215 EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | |
| 216 GURL("blob:https://example.com/"), | |
| 217 false, &context, SourceLocation())); | |
| 218 EXPECT_FALSE(ContentSecurityPolicy::Allow( | |
| 219 policy, CSPDirective::FrameSrc, GURL("blob:https://not-example.com/"), | |
| 220 false, &context, SourceLocation())); | |
| 221 | |
| 222 // Register 'https' as bypassing CSP, which should now bypass is entirely. | |
| 223 context.AddSchemeToBypassCSP("https"); | |
| 224 | |
| 225 EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, | |
| 226 GURL("blob:https://example.com/"), | |
| 227 false, &context, SourceLocation())); | |
| 228 EXPECT_TRUE(ContentSecurityPolicy::Allow( | |
| 229 policy, CSPDirective::FrameSrc, GURL("blob:https://not-example.com/"), | |
| 230 false, &context, SourceLocation())); | |
| 231 } | |
| 232 | |
| 135 } // namespace content | 233 } // namespace content |
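Review bot: None of the three new bypass tests (RequestsAllowedWhenBypassingCSP, FilesystemAllowedWhenBypassingCSP, BlobAllowedWhenBypassingCSP) asserts that a scheme not registered via AddSchemeToBypassCSP is still enforced once "https" is registered, so an implementation that short-circuits CSP whenever the bypass list is non-empty would still pass all of them. After each `context.AddSchemeToBypassCSP("https");` add a negative check such as `EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, GURL("http://not-example.com/"), false, &context, SourceLocation()));` (and the `blob:http://` / `filesystem:http://` equivalents in the other two tests), since a CSP exemption list is exactly the kind of code where an over-broad match is the dangerous failure mode. The comment repeated in all three tests reads "which should now bypass is entirely" and should be `// Register 'https' as bypassing CSP, which should now bypass it entirely.`. SchemeShouldBypassCSP in the CSPContextTest helper now uses std::find and std::vector, so the file should include <algorithm> and <vector> explicitly rather than rely on them arriving transitively.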