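--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,32 +1,46 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_context.h"
 #include "content/common/content_security_policy_header.h"
 #include "content/common/navigation_params.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace content {
 
 namespace {
 class CSPContextTest : public CSPContext {
 public:
+CSPContextTest() : CSPContext() {}
+
 const std::string& LastConsoleMessage() { return console_message_; }
 
+void AddSchemeToBypassCSP(const std::string& scheme) {
+scheme_to_bypass_.push_back(scheme);
+}
+
+bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
+return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
+scheme) != scheme_to_bypass_.end();
+}
+
 private:
 void ReportContentSecurityPolicyViolation(
 const CSPViolationParams& violation_params) override {
 console_message_ = violation_params.console_message;
 }
 std::string console_message_;
+std::vector<std::string> scheme_to_bypass_;
+
+DISALLOW_COPY_AND_ASSIGN(CSPContextTest);
 };
 
 ContentSecurityPolicyHeader EmptyCspHeader() {
 return ContentSecurityPolicyHeader(std::string(),
 blink::WebContentSecurityPolicyTypeEnforce,
 blink::WebContentSecurityPolicySourceHTTP);
 }
 
 } // namespace
 
@@ -125,11 +139,99 @@
 GURL("http://b.com"), false,
 &context, SourceLocation()));
 const char console_message[] =
 "Refused to frame 'http://b.com/' because it violates "
 "the following Content Security Policy directive: \"frame-src "
 "http://a.com\".\n";
 EXPECT_EQ(console_message, context.LastConsoleMessage());
 }
 }
 
+TEST(ContentSecurityPolicy, RequestsAllowedWhenBypassingCSP) {
+CSPContextTest context;
+std::vector<std::string> report_end_points; // empty
+CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false,
+"");
+CSPSourceList source_list(false, false, {source});
+ContentSecurityPolicy policy(
+EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+report_end_points);
+
+EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+GURL("https://example.com/"), false,
+&context, SourceLocation()));
+EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+GURL("https://not-example.com/"),
+false, &context, SourceLocation()));
+
+// Register 'https' as bypassing CSP, which should now bypass is entirely.
+context.AddSchemeToBypassCSP("https");
+
+EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+GURL("https://example.com/"), false,
+&context, SourceLocation()));
+EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+GURL("https://not-example.com/"),
+false, &context, SourceLocation()));
+}
+
+TEST(ContentSecurityPolicy, FilesystemAllowedWhenBypassingCSP) {
+CSPContextTest context;
+std::vector<std::string> report_end_points; // empty
+CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false,
+"");
+CSPSourceList source_list(false, false, {source});
+ContentSecurityPolicy policy(
+EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+report_end_points);
+
+EXPECT_FALSE(ContentSecurityPolicy::Allow(
+policy, CSPDirective::FrameSrc,
+GURL("filesystem:https://example.com/file.txt"), false, &context,
+SourceLocation()));
+EXPECT_FALSE(ContentSecurityPolicy::Allow(
+policy, CSPDirective::FrameSrc,
+GURL("filesystem:https://not-example.com/file.txt"), false, &context,
+SourceLocation()));
+
+// Register 'https' as bypassing CSP, which should now bypass is entirely.
+context.AddSchemeToBypassCSP("https");
+
+EXPECT_TRUE(ContentSecurityPolicy::Allow(
+policy, CSPDirective::FrameSrc,
+GURL("filesystem:https://example.com/file.txt"), false, &context,
+SourceLocation()));
+EXPECT_TRUE(ContentSecurityPolicy::Allow(
+policy, CSPDirective::FrameSrc,
+GURL("filesystem:https://not-example.com/file.txt"), false, &context,
+SourceLocation()));
+}
+
+TEST(ContentSecurityPolicy, BlobAllowedWhenBypassingCSP) {
+CSPContextTest context;
+std::vector<std::string> report_end_points; // empty
+CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false,
+"");
+CSPSourceList source_list(false, false, {source});
+ContentSecurityPolicy policy(
+EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+report_end_points);
+
+EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+GURL("blob:https://example.com/"),
+false, &context, SourceLocation()));
+EXPECT_FALSE(ContentSecurityPolicy::Allow(
+policy, CSPDirective::FrameSrc, GURL("blob:https://not-example.com/"),
+false, &context, SourceLocation()));
+
+// Register 'https' as bypassing CSP, which should now bypass is entirely.
+context.AddSchemeToBypassCSP("https");
+
+EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+GURL("blob:https://example.com/"),
+false, &context, SourceLocation()));
+EXPECT_TRUE(ContentSecurityPolicy::Allow(
+policy, CSPDirective::FrameSrc, GURL("blob:https://not-example.com/"),
+false, &context, SourceLocation()));
+}
+
 } // namespace content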
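Review bot: The three new tests (RequestsAllowedWhenBypassingCSP, FilesystemAllowedWhenBypassingCSP, BlobAllowedWhenBypassingCSP) only assert that URLs of the registered scheme are allowed after `context.AddSchemeToBypassCSP("https")`; none checks that the bypass stays scoped to that scheme, so a SchemeShouldBypassCSP that answered true for every scheme would pass them too. After the registration in the first test, add a negative case such as `EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, GURL("http://not-example.com/"), false, &context, SourceLocation()));`, with the `filesystem:http://` and `blob:http://` equivalents in the other two, so the tests pin that only the inner scheme that was registered escapes enforcement. The comment repeated at new lines 166, 196 and 226 reads "which should now bypass is entirely" and should be `// Register 'https' as bypassing CSP, which should now bypass it entirely.`. The new SchemeShouldBypassCSP uses std::find and the fixture adds a std::vector member and DISALLOW_COPY_AND_ASSIGN, yet the visible include list has none of <algorithm>, <vector> or base/macros.h; presumably they arrive transitively through csp_context.h, but include-what-you-use would have them listed directly.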