1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/frame/csp/CSPDirectiveList.h" | 7 #include "core/frame/csp/CSPDirectiveList.h" |
8 #include "core/html/HTMLScriptElement.h" | 8 #include "core/html/HTMLScriptElement.h" |
9 #include "core/testing/NullExecutionContext.h" | 9 #include "core/testing/NullExecutionContext.h" |
10 #include "platform/Crypto.h" | 10 #include "platform/Crypto.h" |
1165 csp->AllowRequest(WebURLRequest::kRequestContextObject, | 1165 csp->AllowRequest(WebURLRequest::kRequestContextObject, |
1166 KURL(base, "blob:https://not-example.com/"), String(), | 1166 KURL(base, "blob:https://not-example.com/"), String(), |
1167 IntegrityMetadataSet(), kParserInserted, | 1167 IntegrityMetadataSet(), kParserInserted, |
1168 ResourceRequest::RedirectStatus::kNoRedirect, | 1168 ResourceRequest::RedirectStatus::kNoRedirect, |
1169 SecurityViolationReportingPolicy::kSuppressReporting)); | 1169 SecurityViolationReportingPolicy::kSuppressReporting)); |
1170 | 1170 |
1171 SchemeRegistry::RemoveURLSchemeRegisteredAsBypassingContentSecurityPolicy( | 1171 SchemeRegistry::RemoveURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
1172 "https"); | 1172 "https"); |
1173 } | 1173 } |
1174 | 1174 |
| 1175 TEST_F(ContentSecurityPolicyTest, IsValidTest) { |
| 1176 // Empty string is invalid |
| 1177 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("")); |
| 1178 |
| 1179 // Policy with single directive |
| 1180 EXPECT_TRUE( |
| 1181 ContentSecurityPolicy::IsValidCSPAttr("base-uri http://example.com")); |
| 1182 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1183 "invalid-policy-name http://example.com")); |
| 1184 |
| 1185 // Policy with multiple directives |
| 1186 EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1187 "base-uri http://example.com 'self'; child-src http://example.com; " |
| 1188 "default-src http://example.com")); |
| 1189 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1190 "default-src http://example.com; " |
| 1191 "invalid-policy-name http://example.com")); |
| 1192 |
| 1193 // 'self', 'none' |
| 1194 EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'self'")); |
| 1195 EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr("default-src 'none'")); |
| 1196 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'slef'")); |
| 1197 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("default-src 'non'")); |
| 1198 |
| 1199 // invalid ascii character |
| 1200 EXPECT_FALSE( |
| 1201 ContentSecurityPolicy::IsValidCSPAttr("script-src https: \x08")); |
| 1202 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1203 "script-src 127.0.0.1%2F%DFisnotSorB%2F")); |
| 1204 |
| 1205 // paths on script-src |
| 1206 EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:*/")); |
| 1207 EXPECT_TRUE( |
| 1208 ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:*/path")); |
| 1209 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1210 "script-src 127.0.0.1:*/path?query=string")); |
| 1211 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1212 "script-src 127.0.0.1:*/path#anchor")); |
| 1213 EXPECT_TRUE( |
| 1214 ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:8000/")); |
| 1215 EXPECT_TRUE( |
| 1216 ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:8000/path")); |
| 1217 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1218 "script-src 127.0.0.1:8000/path?query=string")); |
| 1219 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1220 "script-src 127.0.0.1:8000/path#anchor")); |
| 1221 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1222 "script-src 127.0.0.1:8000/thisisa;pathwithasemicolon")); |
| 1223 |
| 1224 // script-src invalid hosts |
| 1225 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src http:/")); |
| 1226 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src http://")); |
| 1227 EXPECT_FALSE( |
| 1228 ContentSecurityPolicy::IsValidCSPAttr("script-src http:/127.0.0.1")); |
| 1229 EXPECT_FALSE( |
| 1230 ContentSecurityPolicy::IsValidCSPAttr("script-src http:///127.0.0.1")); |
| 1231 EXPECT_FALSE( |
| 1232 ContentSecurityPolicy::IsValidCSPAttr("script-src http://127.0.0.1:/")); |
| 1233 EXPECT_FALSE( |
| 1234 ContentSecurityPolicy::IsValidCSPAttr("script-src https://127.?.0.1:*")); |
| 1235 EXPECT_FALSE( |
| 1236 ContentSecurityPolicy::IsValidCSPAttr("script-src https://127.0.0.1:")); |
| 1237 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1238 "script-src https://127.0.0.1:\t* ")); |
| 1239 |
| 1240 // script-src host wildcards |
| 1241 EXPECT_TRUE( |
| 1242 ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:8000")); |
| 1243 EXPECT_TRUE( |
| 1244 ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:8000/")); |
| 1245 EXPECT_TRUE( |
| 1246 ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:*")); |
| 1247 EXPECT_TRUE( |
| 1248 ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:*/")); |
| 1249 |
| 1250 // missing semicolon |
| 1251 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1252 "default-src 'self' script-src example.com")); |
| 1253 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1254 "script-src 'self' object-src 'self' style-src *")); |
| 1255 |
| 1256 // 'none' with other sources |
| 1257 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1258 "script-src http://127.0.0.1:8000 'none'")); |
| 1259 EXPECT_FALSE( |
| 1260 ContentSecurityPolicy::IsValidCSPAttr("script-src 'none' 'none' 'none'")); |
| 1261 |
| 1262 // comma separated |
| 1263 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
| 1264 "script-src 'none', object-src 'none'")); |
| 1265 } |
| 1266 |
1175 } // namespace blink | 1267 } // namespace blink |
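Review bot: The `// invalid ascii character` cases in the new IsValidTest exercise only a backspace byte and a percent-encoded `%DF`, so CR, LF and NUL inside the attribute value are never pinned; those are the characters whose rejection matters most if the validated `csp` attribute value is, as I presume from the name, later serialized into a request header (IsValidCSPAttr itself is not in this hunk, so confirm). I would add `EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'self'\r\nX-Injected: 1"));`, `EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'self'\n"));` and `EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(String("script-src 'self'\0", 18)));` (the explicit length keeps the embedded NUL from truncating the literal). The comment wording is also slightly misleading for the `%DF` case, where every literal character is ASCII and it is the decoded byte that is not; `// invalid bytes: a raw control character, and a non-ASCII byte hidden behind percent-encoding` says what is actually being rejected. Finally, directive-name case (`SCRIPT-SRC 'self'`) is not pinned either way, and whichever behaviour the validator intends is worth one assertion so it cannot drift silently.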