
Side by Side Diff: content/common/content_security_policy/csp_source_unittest.cc

Issue 2797183002: CSP: Allow secure upgrade from an explicitly insecure expression. (Closed)
Patch Set: Created 3 years, 8 months ago
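--- a/content/common/content_security_policy/csp_source_unittest.cc
+++ b/content/common/content_security_policy/csp_source_unittest.cc
@@ -1,10 +1,10 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_context.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace content {
 
 namespace {
@@ -39,23 +39,21 @@
 }
 
 TEST(CSPSourceTest, AllowScheme) {
   CSPContext context;
 
   // http -> {http, https}.
   {
     CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
     EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
     EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
-    // TODO(mkwst, arthursonzogni): It is weird to upgrade the scheme without
-    // the port. See http://crbug.com/692499
-    EXPECT_TRUE(Allow(source, GURL("https://a.com:80"), &context));
+    EXPECT_FALSE(Allow(source, GURL("https://a.com:80"), &context));
     EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
     EXPECT_FALSE(Allow(source, GURL("ws://a.com"), &context));
     EXPECT_FALSE(Allow(source, GURL("wss://a.com"), &context));
   }
 
   // ws -> {ws, wss}.
   {
     CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, "");
     EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
     EXPECT_FALSE(Allow(source, GURL("https://a.com"), &context));
@@ -96,23 +94,22 @@
     EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
     EXPECT_TRUE(Allow(source, GURL("http-so://a.com"), &context));
     EXPECT_TRUE(Allow(source, GURL("https-so://a.com"), &context));
     EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
 
     // Self's is https.
     context.SetSelf(url::Origin(GURL("https://a.com")));
     EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
     EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
     EXPECT_FALSE(Allow(source, GURL("http-so://a.com"), &context));
-    // TODO(mkwst, arthursonzogni): Maybe it should return true.
-    // See http://crbug.com/692442:
-    EXPECT_FALSE(Allow(source, GURL("https-so://a.com"), &context));
+    // TODO(jochen): Maybe it should return false?
+    EXPECT_TRUE(Allow(source, GURL("https-so://a.com"), &context));
     EXPECT_FALSE(Allow(source, GURL("ftp://a.com"), &context));
 
     // Self's scheme is not in the http familly.
     context.SetSelf(url::Origin(GURL("ftp://a.com/")));
     EXPECT_FALSE(Allow(source, GURL("http://a.com"), &context));
     EXPECT_TRUE(Allow(source, GURL("ftp://a.com"), &context));
 
     // Self's scheme is unique.
     context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com")));
     // TODO(mkwst, arthursonzogni): This result might be wrong.
@@ -178,41 +175,40 @@
     EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
     EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
   }
 
   // Source's port is "*".
   {
     CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
     EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
     EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context));
     EXPECT_TRUE(Allow(source, GURL("http://a.com:8080"), &context));
-    EXPECT_TRUE(Allow(source, GURL("https://a.com:8080"), &context));
-    EXPECT_TRUE(Allow(source, GURL("https://a.com:0"), &context));
     EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
+    EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context));
+    EXPECT_FALSE(Allow(source, GURL("https://a.com:8080"), &context));
+    EXPECT_FALSE(Allow(source, GURL("https://a.com:0"), &context));
   }
 
   // Source has a port.
   {
     CSPSource source("", "a.com", false, 80, false, "");
     EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context));
     EXPECT_TRUE(Allow(source, GURL("http://a.com"), &context));
     EXPECT_FALSE(Allow(source, GURL("http://a.com:8080"), &context));
     EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context));
   }
 
   // Allow upgrade from :80 to :443
   {
     CSPSource source("", "a.com", false, 80, false, "");
     EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context));
-    // TODO(mkwst, arthursonzogni): It is weird to upgrade the port without the
-    // sheme. See http://crbug.com/692499
-    EXPECT_TRUE(Allow(source, GURL("http://a.com:443"), &context));
+    EXPECT_FALSE(Allow(source, GURL("http://a.com:443"), &context));
   }
 
   // Host is * but port is specified
   {
     CSPSource source("http", "", true, 111, false, "");
     EXPECT_TRUE(Allow(source, GURL("http://a.com:111"), &context));
     EXPECT_FALSE(Allow(source, GURL("http://a.com:222"), &context));
   }
 }
 
@@ -277,21 +273,21 @@
     EXPECT_TRUE(Allow(source, GURL("http://a.com/allowed-path"), &context));
     EXPECT_FALSE(Allow(source, GURL("http://a.com/disallowed-path"), &context));
   }
 }
 
 TEST(CSPSourceTest, RedirectMatching) {
   CSPContext context;
   CSPSource source("http", "a.com", false, 8000, false, "/bar/");
   EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/"), &context, true));
   EXPECT_TRUE(Allow(source, GURL("http://a.com:8000/foo"), &context, true));
-  EXPECT_TRUE(Allow(source, GURL("https://a.com:8000/foo"), &context, true));
+  EXPECT_FALSE(Allow(source, GURL("https://a.com:8000/foo"), &context, true));
   EXPECT_FALSE(
       Allow(source, GURL("http://not-a.com:8000/foo"), &context, true));
   EXPECT_FALSE(Allow(source, GURL("http://a.com:9000/foo/"), &context, false));
 }
 
 TEST(CSPSourceTest, ToString) {
   {
     CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
     EXPECT_EQ("http:", source.ToString());
   }
@@ -318,11 +314,22 @@
   {
     CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
     EXPECT_EQ("a.com:*", source.ToString());
   }
   {
     CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path");
     EXPECT_EQ("a.com/path", source.ToString());
   }
 }
 
+TEST(CSPSourceTest, UpgradeRequests) {
+  CSPContext context;
+  CSPSource source("http", "a.com", false, 80, false, "");
+  EXPECT_TRUE(Allow(source, GURL("http://a.com:80"), &context, true));
+  EXPECT_FALSE(Allow(source, GURL("https://a.com:80"), &context, true));
+  EXPECT_FALSE(Allow(source, GURL("http://a.com:443"), &context, true));
+  EXPECT_TRUE(Allow(source, GURL("https://a.com:443"), &context, true));
+
+  EXPECT_TRUE(Allow(source, GURL("https://a.com"), &context, true));
+}
+
 }  // namespace content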
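Review bot: The new `EXPECT_FALSE` assertions for `https://a.com:8080` and `https://a.com:0` against the `a.com:*` source (new lines 187-188) need a comment, because a reader expects a port wildcard to match any port and nothing in the hunk says why an https: match is pinned to 443 once the scheme is upgraded. If that is intentional, a line such as `// A scheme upgrade is only accepted together with the default port, even for a port wildcard.` above new line 186 would record it; if not, this block looks stricter than the "Source has a port" block right below it, where `https://a.com` is still allowed. In `UpgradeRequests` (new lines 324-333) every `Allow` call passes the trailing `true` (a redirect flag, judging by `RedirectMatching`), so the non-redirect upgrade path for an explicit `http://a.com:80` source is never pinned; repeating the four expectations without the trailing argument would cover it. The rewritten TODO at new line 104 also drops the `http://crbug.com/692442` reference the old comment carried, so the open question about `https-so:` is no longer traceable to a bug.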
