Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(515)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/common/content_security_policy/csp_context_unittest.cc

Issue 2869423002: PlzNavigate: Do not disclose urls between cross-origin renderers. (Closed)
Patch Set: Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/common/content_security_policy/csp_context.h ('K') | « content/common/content_security_policy/csp_context.cc ('k') | third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation » ('j') | third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/common/content_security_policy/csp_context_unittest.cc
diff --git a/content/common/content_security_policy/csp_context_unittest.cc b/content/common/content_security_policy/csp_context_unittest.cc
index c0fdfd99f7f8ef733f440188c9a97f7dee0b9b28..9cc9f83389d6529b76d1e4762552c2ec40ee6f3a 100644
--- a/content/common/content_security_policy/csp_context_unittest.cc
+++ b/content/common/content_security_policy/csp_context_unittest.cc
@@ -13,7 +13,7 @@ namespace {
class CSPContextTest : public CSPContext {
public:
- const std::string& LastConsoleMessage() { return console_message_; }
+ const CSPViolationParams& LastViolation() { return last_violation_; }
void AddSchemeToBypassCSP(const std::string& scheme) {
scheme_to_bypass_.push_back(scheme);
@@ -24,13 +24,26 @@ class CSPContextTest : public CSPContext {
scheme) != scheme_to_bypass_.end();
}
+ void AddOriginUnsafeToUseInCspViolation(const url::Origin& origin) {
+ origins_unsafe_to_use_in_csp_violation_.push_back(origin);
+ }
+
+ bool IsOriginSafeToUseInCspViolation(
+ const url::Origin& origin) const override {
+ return std::find(origins_unsafe_to_use_in_csp_violation_.begin(),
+ origins_unsafe_to_use_in_csp_violation_.end(),
+ origin) == origins_unsafe_to_use_in_csp_violation_.end();
+ }
+
private:
void ReportContentSecurityPolicyViolation(
const CSPViolationParams& violation_params) override {
- console_message_ = violation_params.console_message;
+ last_violation_ = violation_params;
}
- std::string console_message_;
+ CSPViolationParams last_violation_;
+ SourceLocation source_location_;
std::vector<std::string> scheme_to_bypass_;
+ std::vector<url::Origin> origins_unsafe_to_use_in_csp_violation_;
alexmos 2017/05/10 22:33:08 Why not std::set? That'll also let you use origin
arthursonzogni 2017/05/11 13:06:23 You are absolutely right.
};
// Build a new policy made of only one directive and no report endpoints.
@@ -86,4 +99,49 @@ TEST(CSPContextTest, MultiplePolicies) {
CSPDirective::FrameSrc, GURL("http://d.com"), false, SourceLocation()));
}
+TEST(CSPContextTest, IsOriginSafeToUseInCspViolation) {
+ CSPContextTest context;
+ context.SetSelf(url::Origin(GURL("http://a.com")));
+
+ // Content-Security-Policy: frame-src "a.com/iframe"
+ context.AddContentSecurityPolicy(
+ BuildPolicy(CSPDirective::FrameSrc,
+ {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false,
+ "/iframe")}));
+
+ GURL blocked_url("http://a.com/login?password=1234");
+ SourceLocation source_location("http://a.com/login", 10u, 20u);
+
+ // When the |blocked_url| and |source_location| aren't sensitive information.
+ {
+ EXPECT_FALSE(context.IsAllowedByCsp(CSPDirective::FrameSrc, blocked_url,
+ false, source_location));
+ EXPECT_EQ(context.LastViolation().blocked_url, blocked_url);
+ EXPECT_EQ(context.LastViolation().source_location.url,
+ "http://a.com/login");
+ EXPECT_EQ(context.LastViolation().source_location.line_number, 10u);
+ EXPECT_EQ(context.LastViolation().source_location.column_number, 20u);
+ EXPECT_EQ(context.LastViolation().console_message,
+ "Refused to frame 'http://a.com/login?password=1234' because it "
+ "violates the following Content Security Policy directive: "
+ "\"frame-src a.com/iframe\".\n");
+ }
+
+ context.AddOriginUnsafeToUseInCspViolation(url::Origin(GURL("http://a.com")));
+
+ // When the |blocked_url| and |source_location| are sensitive information.
+ {
+ EXPECT_FALSE(context.IsAllowedByCsp(CSPDirective::FrameSrc, blocked_url,
+ false, source_location));
+ EXPECT_EQ(context.LastViolation().blocked_url, blocked_url.GetOrigin());
+ EXPECT_EQ(context.LastViolation().source_location.url, "");
+ EXPECT_EQ(context.LastViolation().source_location.line_number, 0u);
+ EXPECT_EQ(context.LastViolation().source_location.column_number, 0u);
+ EXPECT_EQ(context.LastViolation().console_message,
+ "Refused to frame 'http://a.com/' because it violates the "
+ "following Content Security Policy directive: \"frame-src "
+ "a.com/iframe\".\n");
+ }
+}
+
} // namespace content
« content/common/content_security_policy/csp_context.h ('K') | « content/common/content_security_policy/csp_context.cc ('k') | third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation » ('j') | third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation » ('J')

Powered by Google App Engine
This is Rietveld 408576698