| Index: content/common/content_security_policy/content_security_policy_unittest.cc
|
| diff --git a/content/common/content_security_policy/content_security_policy_unittest.cc b/content/common/content_security_policy/content_security_policy_unittest.cc
|
| index 7a0a0b9a633043490ed00fc3391591a8459d92d6..ed5c4c90a700e8096505ef70fba70ecf65f7b517 100644
|
| --- a/content/common/content_security_policy/content_security_policy_unittest.cc
|
| +++ b/content/common/content_security_policy/content_security_policy_unittest.cc
|
| @@ -12,14 +12,28 @@ namespace content {
|
| namespace {
|
| class CSPContextTest : public CSPContext {
|
| public:
|
| + CSPContextTest() : CSPContext() {}
|
| +
|
| const std::string& LastConsoleMessage() { return console_message_; }
|
|
|
| + void AddSchemeToBypassCSP(const std::string& scheme) {
|
| + scheme_to_bypass_.push_back(scheme);
|
| + }
|
| +
|
| + bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
|
| + return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
|
| + scheme) != scheme_to_bypass_.end();
|
| + }
|
| +
|
| private:
|
| void ReportContentSecurityPolicyViolation(
|
| const CSPViolationParams& violation_params) override {
|
| console_message_ = violation_params.console_message;
|
| }
|
| std::string console_message_;
|
| + std::vector<std::string> scheme_to_bypass_;
|
| +
|
| + DISALLOW_COPY_AND_ASSIGN(CSPContextTest);
|
| };
|
|
|
| ContentSecurityPolicyHeader EmptyCspHeader() {
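Review bot: SchemeShouldBypassCSP is the only place where the test context deviates from the production CSPContext, and nothing in the class says why a scheme ends up in scheme_to_bypass_; a one-line comment on AddSchemeToBypassCSP such as `// Test hook: schemes listed here make SchemeShouldBypassCSP() return true, so every directive check is skipped for them.` would make the three "WhenBypassingCSP" tests below readable without opening csp_context.h. The override also relies on std::find and std::vector; the include block sits outside this hunk, so please confirm `<algorithm>` and `<vector>` are included rather than reached transitively. The added `CSPContextTest() : CSPContext() {}` is equivalent to the implicitly generated constructor and could be dropped, or written as `CSPContextTest() = default;` if the base class permits it. The class is complete inside the hunk, but the file's include section is not visible here.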
|
| @@ -132,4 +146,92 @@ TEST(ContentSecurityPolicy, DirectiveFallback) {
|
| }
|
| }
|
|
|
| +TEST(ContentSecurityPolicy, RequestsAllowedWhenBypassingCSP) {
|
| + CSPContextTest context;
|
| + std::vector<std::string> report_end_points; // empty
|
| + CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false,
|
| + "");
|
| + CSPSourceList source_list(false, false, {source});
|
| + ContentSecurityPolicy policy(
|
| + EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)},
|
| + report_end_points);
|
| +
|
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
|
| + GURL("https://example.com/"), false,
|
| + &context, SourceLocation()));
|
| + EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
|
| + GURL("https://not-example.com/"),
|
| + false, &context, SourceLocation()));
|
| +
|
| + // Register 'https' as bypassing CSP, which should now bypass is entirely.
|
| + context.AddSchemeToBypassCSP("https");
|
| +
|
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
|
| + GURL("https://example.com/"), false,
|
| + &context, SourceLocation()));
|
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
|
| + GURL("https://not-example.com/"),
|
| + false, &context, SourceLocation()));
|
| +}
|
| +
|
| +TEST(ContentSecurityPolicy, FilesystemAllowedWhenBypassingCSP) {
|
| + CSPContextTest context;
|
| + std::vector<std::string> report_end_points; // empty
|
| + CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false,
|
| + "");
|
| + CSPSourceList source_list(false, false, {source});
|
| + ContentSecurityPolicy policy(
|
| + EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)},
|
| + report_end_points);
|
| +
|
| + EXPECT_FALSE(ContentSecurityPolicy::Allow(
|
| + policy, CSPDirective::FrameSrc,
|
| + GURL("filesystem:https://example.com/file.txt"), false, &context,
|
| + SourceLocation()));
|
| + EXPECT_FALSE(ContentSecurityPolicy::Allow(
|
| + policy, CSPDirective::FrameSrc,
|
| + GURL("filesystem:https://not-example.com/file.txt"), false, &context,
|
| + SourceLocation()));
|
| +
|
| + // Register 'https' as bypassing CSP, which should now bypass is entirely.
|
| + context.AddSchemeToBypassCSP("https");
|
| +
|
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(
|
| + policy, CSPDirective::FrameSrc,
|
| + GURL("filesystem:https://example.com/file.txt"), false, &context,
|
| + SourceLocation()));
|
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(
|
| + policy, CSPDirective::FrameSrc,
|
| + GURL("filesystem:https://not-example.com/file.txt"), false, &context,
|
| + SourceLocation()));
|
| +}
|
| +
|
| +TEST(ContentSecurityPolicy, BlobAllowedWhenBypassingCSP) {
|
| + CSPContextTest context;
|
| + std::vector<std::string> report_end_points; // empty
|
| + CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false,
|
| + "");
|
| + CSPSourceList source_list(false, false, {source});
|
| + ContentSecurityPolicy policy(
|
| + EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)},
|
| + report_end_points);
|
| +
|
| + EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
|
| + GURL("blob:https://example.com/"),
|
| + false, &context, SourceLocation()));
|
| + EXPECT_FALSE(ContentSecurityPolicy::Allow(
|
| + policy, CSPDirective::FrameSrc, GURL("blob:https://not-example.com/"),
|
| + false, &context, SourceLocation()));
|
| +
|
| + // Register 'https' as bypassing CSP, which should now bypass is entirely.
|
| + context.AddSchemeToBypassCSP("https");
|
| +
|
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
|
| + GURL("blob:https://example.com/"),
|
| + false, &context, SourceLocation()));
|
| + EXPECT_TRUE(ContentSecurityPolicy::Allow(
|
| + policy, CSPDirective::FrameSrc, GURL("blob:https://not-example.com/"),
|
| + false, &context, SourceLocation()));
|
| +}
|
| +
|
| } // namespace content
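Review bot: The comment `// Register 'https' as bypassing CSP, which should now bypass is entirely.` has a typo and is repeated verbatim in all three new tests (RequestsAllowedWhenBypassingCSP, FilesystemAllowedWhenBypassingCSP, BlobAllowedWhenBypassingCSP); it should read `// Register 'https' as bypassing CSP, which should now bypass it entirely.` in each. The three tests also build an identical policy (one https://example.com source under default-src, no report endpoints), so the setup could move into a helper; this presumes ContentSecurityPolicy can be returned by value, which the hunk does not show, so keep the local construction if it cannot. Worth stating in each test's comment what is being verified: that a bypassing scheme overrides the source list even for the blocked `not-example.com` origin, and that the bypass follows the inner scheme of `filesystem:` and `blob:` URLs.
```cpp
// Builds the policy shared by the *WhenBypassingCSP tests: default-src allows
// only https://example.com, with no reporting endpoints.
ContentSecurityPolicy ExampleComOnlyPolicy() {
  std::vector<std::string> report_end_points;  // empty
  CSPSource source("https", "example.com", false, url::PORT_UNSPECIFIED, false,
                   "");
  CSPSourceList source_list(false, false, {source});
  return ContentSecurityPolicy(
      EmptyCspHeader(), {CSPDirective(CSPDirective::DefaultSrc, source_list)},
      report_end_points);
}

TEST(ContentSecurityPolicy, RequestsAllowedWhenBypassingCSP) {
  CSPContextTest context;
  ContentSecurityPolicy policy = ExampleComOnlyPolicy();
  // … unchanged: the EXPECT_TRUE/EXPECT_FALSE checks before and after the bypass …
}
```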
|
|
|