
Unified Diff: content/common/content_security_policy/csp_context_unittest.cc

Issue 2869423002: PlzNavigate: Do not disclose urls between cross-origin renderers. (Closed)
Patch Set: Applying suggestions. Created 3 years, 7 months ago
Index: content/common/content_security_policy/csp_context_unittest.cc
diff --git a/content/common/content_security_policy/csp_context_unittest.cc b/content/common/content_security_policy/csp_context_unittest.cc
index c0fdfd99f7f8ef733f440188c9a97f7dee0b9b28..245249c04e61d7b3e236430a612ba3917cb22c84 100644
--- a/content/common/content_security_policy/csp_context_unittest.cc
+++ b/content/common/content_security_policy/csp_context_unittest.cc
@@ -2,6 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#include <set>
+
#include "content/common/content_security_policy/csp_context.h"
#include "content/common/content_security_policy_header.h"
#include "content/common/navigation_params.h"
@@ -13,24 +15,41 @@ namespace {
class CSPContextTest : public CSPContext {
public:
- const std::string& LastConsoleMessage() { return console_message_; }
+ const CSPViolationParams& LastViolation() { return last_violation_; }
alexmos 2017/05/16 05:56:49 nit: last_violation()
arthursonzogni 2017/05/16 12:48:44 Done.
void AddSchemeToBypassCSP(const std::string& scheme) {
- scheme_to_bypass_.push_back(scheme);
+ scheme_to_bypass_.insert(scheme);
}
bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
- return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
- scheme) != scheme_to_bypass_.end();
+ return scheme_to_bypass_.count(scheme.as_string());
+ }
+
+ void SetSanitizeDataForUseInCspViolation(bool value) {
alexmos 2017/05/16 05:56:49 nit: can use lowercase_with_underscores() for simp
arthursonzogni 2017/05/16 12:48:44 Done.
+ sanitize_data_for_use_in_csp_violation = value;
+ }
+
+ void SanitizeDataForUseInCspViolation(
+ GURL* blocked_url,
+ SourceLocation* source_location,
+ bool is_redirect,
+ CSPDirective::Name directive) const override {
+ if (!sanitize_data_for_use_in_csp_violation)
+ return;
+ *blocked_url = blocked_url->GetOrigin();
+ *source_location =
+ SourceLocation(GURL(source_location->url).GetOrigin().spec(), 0u, 0u);
}
private:
void ReportContentSecurityPolicyViolation(
const CSPViolationParams& violation_params) override {
- console_message_ = violation_params.console_message;
+ last_violation_ = violation_params;
}
- std::string console_message_;
- std::vector<std::string> scheme_to_bypass_;
+ CSPViolationParams last_violation_;
+ SourceLocation source_location_;
alexmos 2017/05/16 05:56:49 nit: looks unused?
arthursonzogni 2017/05/16 12:48:44 Yes!
+ std::set<std::string> scheme_to_bypass_;
+ bool sanitize_data_for_use_in_csp_violation = false;
alexmos 2017/05/16 05:56:49 nit: end member var name with _
arthursonzogni 2017/05/16 12:48:44 Done.
};
// Build a new policy made of only one directive and no report endpoints.
@@ -86,4 +105,49 @@ TEST(CSPContextTest, MultiplePolicies) {
CSPDirective::FrameSrc, GURL("http://d.com"), false, SourceLocation()));
}
+TEST(CSPContextTest, SanitizeDataForUseInCspViolation) {
+ CSPContextTest context;
+ context.SetSelf(url::Origin(GURL("http://a.com")));
+
+ // Content-Security-Policy: frame-src "a.com/iframe"
+ context.AddContentSecurityPolicy(
+ BuildPolicy(CSPDirective::FrameSrc,
+ {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false,
+ "/iframe")}));
+
+ GURL blocked_url("http://a.com/login?password=1234");
+ SourceLocation source_location("http://a.com/login", 10u, 20u);
+
+ // When the |blocked_url| and |source_location| aren't sensitive information.
+ {
+ EXPECT_FALSE(context.IsAllowedByCsp(CSPDirective::FrameSrc, blocked_url,
+ false, source_location));
+ EXPECT_EQ(context.LastViolation().blocked_url, blocked_url);
+ EXPECT_EQ(context.LastViolation().source_location.url,
+ "http://a.com/login");
+ EXPECT_EQ(context.LastViolation().source_location.line_number, 10u);
+ EXPECT_EQ(context.LastViolation().source_location.column_number, 20u);
+ EXPECT_EQ(context.LastViolation().console_message,
+ "Refused to frame 'http://a.com/login?password=1234' because it "
+ "violates the following Content Security Policy directive: "
+ "\"frame-src a.com/iframe\".\n");
+ }
+
+ context.SetSanitizeDataForUseInCspViolation(true);
+
+ // When the |blocked_url| and |source_location| are sensitive information.
+ {
+ EXPECT_FALSE(context.IsAllowedByCsp(CSPDirective::FrameSrc, blocked_url,
+ false, source_location));
+ EXPECT_EQ(context.LastViolation().blocked_url, blocked_url.GetOrigin());
+ EXPECT_EQ(context.LastViolation().source_location.url, "http://a.com/");
+ EXPECT_EQ(context.LastViolation().source_location.line_number, 0u);
+ EXPECT_EQ(context.LastViolation().source_location.column_number, 0u);
+ EXPECT_EQ(context.LastViolation().console_message,
+ "Refused to frame 'http://a.com/' because it violates the "
+ "following Content Security Policy directive: \"frame-src "
+ "a.com/iframe\".\n");
+ }
+}
+
} // namespace content
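Review bot: The two block comments in SanitizeDataForUseInCspViolation describe the inputs as "aren't sensitive information" and "are sensitive information", but the same password-bearing `blocked_url` and `source_location` are used in both blocks; the only thing that changes between them is `context.SetSanitizeDataForUseInCspViolation(true)`, so the comments misstate what each block exercises. Suggest `// Sanitization disabled: the violation carries the full URL, location and message.` for the first block and `// Sanitization enabled: only the origins survive in the reported violation.` for the second. The exact-string comparison on `console_message` already implies the query is gone, but `EXPECT_EQ(std::string::npos, context.LastViolation().console_message.find("password"));` in the sanitized block would state the property the test exists for directly, independent of the message wording. Separately, in the previous hunk `return scheme_to_bypass_.count(scheme.as_string());` relies on an implicit size_t-to-bool conversion; `return scheme_to_bypass_.count(scheme.as_string()) != 0;` makes the intent explicit.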
