Chromium Code Reviews| Index: content/common/content_security_policy/content_security_policy_unittest.cc |
| diff --git a/content/common/content_security_policy/content_security_policy_unittest.cc b/content/common/content_security_policy/content_security_policy_unittest.cc |
| index 7a0a0b9a633043490ed00fc3391591a8459d92d6..e64df0786739f43e37f3dc3b02a18ccc144e208e 100644 |
| --- a/content/common/content_security_policy/content_security_policy_unittest.cc |
| +++ b/content/common/content_security_policy/content_security_policy_unittest.cc |
| @@ -14,12 +14,22 @@ class CSPContextTest : public CSPContext { |
| public: |
| const std::string& LastConsoleMessage() { return console_message_; } |
| + void AddSchemeToBypassCSP(const std::string& scheme) { |
| + scheme_to_bypass_.push_back(scheme); |
| + } |
| + |
| + bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override { |
| + return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(), |
| + scheme) != scheme_to_bypass_.end(); |
| + } |
| + |
| private: |
| void ReportContentSecurityPolicyViolation( |
| const CSPViolationParams& violation_params) override { |
| console_message_ = violation_params.console_message; |
| } |
| std::string console_message_; |
| + std::vector<std::string> scheme_to_bypass_; |
| }; |
|
jochen (gone - plz use gerrit)
2017/04/05 12:22:35
please add DISALLOW_COPY_AND_ASSIGN(CSPContextTest);
andypaicu
2017/04/05 12:55:00
Done
|
| ContentSecurityPolicyHeader EmptyCspHeader() { |
| @@ -132,4 +142,92 @@ TEST(ContentSecurityPolicy, DirectiveFallback) { |
| } |
| } |
| +TEST(ContentSecurityPolicy, RequestsAllowedWhenBypassingCSP) { |
| + CSPContextTest context; |
| + std::vector<std::string> report_end_points; // empty |
| + CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false, |
| + ""); |
| + CSPSourceList source_list(false, false, {source}); |
| + ContentSecurityPolicy policy( |
| + EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)}, |
| + report_end_points); |
| + |
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
| + GURL("https://example.com/"), false, |
| + &context, SourceLocation())); |
| + EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
| + GURL("https://not-example.com/"), |
| + false, &context, SourceLocation())); |
| + |
| + // Register 'https' as bypassing CSP, which should now bypass is entirely. |
| + context.AddSchemeToBypassCSP("https"); |
| + |
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
| + GURL("https://example.com/"), false, |
| + &context, SourceLocation())); |
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
| + GURL("https://not-example.com/"), |
| + false, &context, SourceLocation())); |
| +} |
| + |
| +TEST(ContentSecurityPolicy, FilesystemAllowedWhenBypassingCSP) { |
| + CSPContextTest context; |
| + std::vector<std::string> report_end_points; // empty |
| + CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false, |
| + ""); |
| + CSPSourceList source_list(false, false, {source}); |
| + ContentSecurityPolicy policy( |
| + EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)}, |
| + report_end_points); |
| + |
| + EXPECT_FALSE(ContentSecurityPolicy::Allow( |
| + policy, CSPDirective::FrameSrc, |
| + GURL("filesystem:https://example.com/file.txt"), false, &context, |
| + SourceLocation())); |
| + EXPECT_FALSE(ContentSecurityPolicy::Allow( |
| + policy, CSPDirective::FrameSrc, |
| + GURL("filesystem:https://not-example.com/file.txt"), false, &context, |
| + SourceLocation())); |
| + |
| + // Register 'https' as bypassing CSP, which should now bypass is entirely. |
| + context.AddSchemeToBypassCSP("https"); |
| + |
| + EXPECT_TRUE(ContentSecurityPolicy::Allow( |
| + policy, CSPDirective::FrameSrc, |
| + GURL("filesystem:https://example.com/file.txt"), false, &context, |
| + SourceLocation())); |
| + EXPECT_TRUE(ContentSecurityPolicy::Allow( |
| + policy, CSPDirective::FrameSrc, |
| + GURL("filesystem:https://not-example.com/file.txt"), false, &context, |
| + SourceLocation())); |
| +} |
| + |
| +TEST(ContentSecurityPolicy, BlobAllowedWhenBypassingCSP) { |
| + CSPContextTest context; |
| + std::vector<std::string> report_end_points; // empty |
| + CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false, |
| + ""); |
| + CSPSourceList source_list(false, false, {source}); |
| + ContentSecurityPolicy policy( |
| + EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)}, |
| + report_end_points); |
| + |
| + EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
| + GURL("blob:https://example.com/"), |
| + false, &context, SourceLocation())); |
| + EXPECT_FALSE(ContentSecurityPolicy::Allow( |
| + policy, CSPDirective::FrameSrc, GURL("blob:https://not-example.com/"), |
| + false, &context, SourceLocation())); |
| + |
| + // Register 'https' as bypassing CSP, which should now bypass is entirely. |
| + context.AddSchemeToBypassCSP("https"); |
| + |
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, |
| + GURL("blob:https://example.com/"), |
| + false, &context, SourceLocation())); |
| + EXPECT_TRUE(ContentSecurityPolicy::Allow( |
| + policy, CSPDirective::FrameSrc, GURL("blob:https://not-example.com/"), |
| + false, &context, SourceLocation())); |
| +} |
| + |
| } // namespace content |
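Review bot: The three new tests only assert the positive effect of `context.AddSchemeToBypassCSP("https")` and never check that the bypass stays scoped to the registered scheme, so a regression that made SchemeShouldBypassCSP match too broadly (or made the filesystem:/blob: path ignore the inner scheme) would still pass; after the bypass is registered, add a case such as `EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc, GURL("http://example.com/"), false, &context, SourceLocation()));` to RequestsAllowedWhenBypassingCSP, and a `filesystem:http://...` / `blob:http://...` counterpart in the other two tests. The comment repeated in all three tests reads "which should now bypass is entirely"; it should be `// Register 'https' as bypassing CSP, which should now bypass it entirely.`. The policy construction (source, source_list, policy, report_end_points) is copied verbatim three times and could be hoisted into a small helper that returns the policy, which would also keep future bypass tests consistent. SchemeShouldBypassCSP in the first hunk uses std::find, so confirm `<algorithm>` is included at the top of the file, which is outside this view.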