
Side by Side Diff: content/common/content_security_policy/csp_source_list_unittest.cc

Issue 2792973004: Moved all tests about bypassing CSP into csp-tests (content layer) (Closed)
Patch Set: CR changes Jochen Created 3 years, 8 months ago
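--- a/content/common/content_security_policy/csp_source_list_unittest.cc
+++ b/content/common/content_security_policy/csp_source_list_unittest.cc
@@ -1,180 +1,95 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_source_list.h"
 #include "content/common/content_security_policy/csp_context.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace content {
 
 namespace {
 
-class CSPContextTest : public CSPContext {
-public:
-void AddSchemeToBypassCSP(const std::string& scheme) {
-scheme_to_bypass_.push_back(scheme);
-}
-
-bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
-return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
-scheme) != scheme_to_bypass_.end();
-}
-
-private:
-std::vector<std::string> scheme_to_bypass_;
-};
-
 // Allow() is an abbreviation of CSPSourceList::Allow(). Useful for writting
 // test expectations on one line.
 bool Allow(const CSPSourceList& source_list,
 const GURL& url,
 CSPContext* context,
 bool is_redirect = false) {
 return CSPSourceList::Allow(source_list, url, context, is_redirect);
 }
 
 } // namespace
 
-TEST(CSPSourceListTest, MultipleSource) {
-CSPContextTest context;
+TEST(CSPSourceList, MultipleSource) {
+CSPContext context;
 context.SetSelf(url::Origin(GURL("http://example.com")));
 CSPSourceList source_list(
 false, // allow_self
 false, // allow_star:
 {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false, ""),
 CSPSource("", "b.com", false, url::PORT_UNSPECIFIED, false, "")});
 EXPECT_TRUE(Allow(source_list, GURL("http://a.com"), &context));
 EXPECT_TRUE(Allow(source_list, GURL("http://b.com"), &context));
 EXPECT_FALSE(Allow(source_list, GURL("http://c.com"), &context));
 }
 
 TEST(CSPSourceList, AllowStar) {
-CSPContextTest context;
+CSPContext context;
 context.SetSelf(url::Origin(GURL("http://example.com")));
 CSPSourceList source_list(false, // allow_self
 true, // allow_star:
 std::vector<CSPSource>()); // source_list
 EXPECT_TRUE(Allow(source_list, GURL("http://not-example.com"), &context));
 EXPECT_TRUE(Allow(source_list, GURL("https://not-example.com"), &context));
 EXPECT_TRUE(Allow(source_list, GURL("http-so://not-example.com"), &context));
 EXPECT_TRUE(Allow(source_list, GURL("https-so://not-example.com"), &context));
 EXPECT_TRUE(Allow(source_list, GURL("ws://not-example.com"), &context));
 EXPECT_TRUE(Allow(source_list, GURL("wss://not-example.com"), &context));
 EXPECT_TRUE(Allow(source_list, GURL("ftp://not-example.com"), &context));
 
 EXPECT_FALSE(Allow(source_list, GURL("file://not-example.com"), &context));
 EXPECT_FALSE(Allow(source_list, GURL("applewebdata://a.test"), &context));
 
 // With a protocol of 'file', '*' allow 'file:'
 context.SetSelf(url::Origin(GURL("file://example.com")));
 EXPECT_TRUE(Allow(source_list, GURL("file://not-example.com"), &context));
 EXPECT_FALSE(Allow(source_list, GURL("applewebdata://a.test"), &context));
 }
 
 TEST(CSPSourceList, AllowSelf) {
-CSPContextTest context;
+CSPContext context;
 context.SetSelf(url::Origin(GURL("http://example.com")));
 CSPSourceList source_list(true, // allow_self
 false, // allow_star:
 std::vector<CSPSource>()); // source_list
 EXPECT_TRUE(Allow(source_list, GURL("http://example.com"), &context));
 EXPECT_FALSE(Allow(source_list, GURL("http://not-example.com"), &context));
 EXPECT_TRUE(Allow(source_list, GURL("https://example.com"), &context));
 EXPECT_FALSE(Allow(source_list, GURL("ws://example.com"), &context));
 }
 
-TEST(CSPSourceList, AllowSelfWithFilesystem) {
-CSPContextTest context;
-context.SetSelf(url::Origin(GURL("https://a.test")));
-CSPSourceList source_list(true, // allow_self
-false, // allow_star:
-std::vector<CSPSource>()); // source_list
-
-GURL filesystem_url("filesystem:https://a.test/file.txt");
-
-EXPECT_TRUE(Allow(source_list, GURL("https://a.test/"), &context));
-EXPECT_FALSE(Allow(source_list, filesystem_url, &context));
-
-// Register 'https' as bypassing CSP, which should trigger the inner URL
-// behavior.
-context.AddSchemeToBypassCSP("https");
-
-EXPECT_TRUE(Allow(source_list, GURL("https://a.test/"), &context));
-EXPECT_TRUE(Allow(source_list, filesystem_url, &context));
-}
-
-TEST(CSPSourceList, BlobDisallowedWhenBypassingSelfScheme) {
-CSPContextTest context;
-context.SetSelf(url::Origin(GURL("https://a.test")));
-CSPSource blob(
-CSPSource("blob", "", false, url::PORT_UNSPECIFIED, false, ""));
-CSPSourceList source_list(true, // allow_self
-false, // allow_star:
-{blob}); // source_list
-
-GURL blob_url_self("blob:https://a.test/1be95204-93d6-4GUID");
-GURL blob_url_not_self("blob:https://b.test/1be95204-93d6-4GUID");
-
-EXPECT_TRUE(Allow(source_list, blob_url_self, &context));
-EXPECT_TRUE(Allow(source_list, blob_url_not_self, &context));
-
-// Register 'https' as bypassing CSP, which should trigger the inner URL
-// behavior.
-context.AddSchemeToBypassCSP("https");
-
-EXPECT_TRUE(Allow(source_list, blob_url_self, &context));
-// TODO(arthursonzogni, mkwst): This should be true
-// see http://crbug.com/692046
-EXPECT_FALSE(Allow(source_list, blob_url_not_self, &context));
-}
-
-TEST(CSPSourceList, FilesystemDisallowedWhenBypassingSelfScheme) {
-CSPContextTest context;
-context.SetSelf(url::Origin(GURL("https://a.test")));
-CSPSource filesystem(
-CSPSource("filesystem", "", false, url::PORT_UNSPECIFIED, false, ""));
-CSPSourceList source_list(true, // allow_self
-false, // allow_star:
-{filesystem}); // source_list
-
-GURL filesystem_url_self("filesystem:https://a.test/file.txt");
-GURL filesystem_url_not_self("filesystem:https://b.test/file.txt");
-
-EXPECT_TRUE(Allow(source_list, filesystem_url_self, &context));
-EXPECT_TRUE(Allow(source_list, filesystem_url_not_self, &context));
-
-// Register 'https' as bypassing CSP, which should trigger the inner URL
-// behavior.
-context.AddSchemeToBypassCSP("https");
-
-EXPECT_TRUE(Allow(source_list, filesystem_url_self, &context));
-// TODO(arthursonzogni, mkwst): This should be true
-// see http://crbug.com/692046
-EXPECT_FALSE(Allow(source_list, filesystem_url_not_self, &context));
-}
-
 TEST(CSPSourceList, AllowSelfWithUnspecifiedPort) {
 CSPContext context;
 context.SetSelf(url::Origin(GURL("chrome://print")));
 CSPSourceList source_list(true, // allow_self
 false, // allow_star:
 std::vector<CSPSource>()); // source_list
 
 EXPECT_TRUE(Allow(
 source_list,
 GURL("chrome://print/pdf_preview.html?chrome://print/1/0/print.pdf"),
 &context));
 }
 
 TEST(CSPSourceList, AllowNone) {
-CSPContextTest context;
+CSPContext context;
 context.SetSelf(url::Origin(GURL("http://example.com")));
 CSPSourceList source_list(false, // allow_self
 false, // allow_star:
 std::vector<CSPSource>()); // source_list
 EXPECT_FALSE(Allow(source_list, GURL("http://example.com"), &context));
 EXPECT_FALSE(Allow(source_list, GURL("https://example.test/"), &context));
 }
 
 } // namespace content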
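Review bot: After this change the file no longer exercises `SchemeShouldBypassCSP` at all, and nothing in the remaining file says where that coverage went. The `CSPContextTest` subclass is gone, along with the three tests that registered 'https' as bypassing: AllowSelfWithFilesystem, BlobDisallowedWhenBypassingSelfScheme and FilesystemDisallowedWhenBypassingSelfScheme. The issue title says they moved to the content-layer csp tests, but the destination is not visible on this page. It is worth confirming that the `blob:`/`filesystem:` not-self expectations and their `crbug.com/692046` TODO landed there unchanged, since they pin a known gap in the bypass logic. I would add a pointer above the first test, e.g. `// Scheme-bypass cases (blob:/filesystem: inner URLs) live in <destination test file>; see crbug.com/692046.`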