| Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
|
| diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
|
| index 98b3d0239921062add8a5614640c2c77277759d1..80b6709beef85eceac2da57b1587b4c279ed533b 100644
|
| --- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
|
| +++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
|
| @@ -1172,4 +1172,96 @@ TEST_F(ContentSecurityPolicyTest, BlobAllowedWhenBypassingCSP) {
|
| "https");
|
| }
|
|
|
| +TEST_F(ContentSecurityPolicyTest, IsValidTest) {
|
| + // Empty string is invalid
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(""));
|
| +
|
| + // Policy with single directive
|
| + EXPECT_TRUE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("base-uri http://example.com"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "invalid-policy-name http://example.com"));
|
| +
|
| + // Policy with multiple directives
|
| + EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "base-uri http://example.com 'self'; child-src http://example.com; "
|
| + "default-src http://example.com"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "default-src http://example.com; "
|
| + "invalid-policy-name http://example.com"));
|
| +
|
| + // 'self', 'none'
|
| + EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'self'"));
|
| + EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr("default-src 'none'"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'slef'"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("default-src 'non'"));
|
| +
|
| + // invalid ascii character
|
| + EXPECT_FALSE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src https: \x08"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src 127.0.0.1%2F%DFisnotSorB%2F"));
|
| +
|
| + // paths on script-src
|
| + EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:*/"));
|
| + EXPECT_TRUE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:*/path"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src 127.0.0.1:*/path?query=string"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src 127.0.0.1:*/path#anchor"));
|
| + EXPECT_TRUE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:8000/"));
|
| + EXPECT_TRUE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:8000/path"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src 127.0.0.1:8000/path?query=string"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src 127.0.0.1:8000/path#anchor"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src 127.0.0.1:8000/thisisa;pathwithasemicolon"));
|
| +
|
| + // script-src invalid hosts
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src http:/"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src http://"));
|
| + EXPECT_FALSE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src http:/127.0.0.1"));
|
| + EXPECT_FALSE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src http:///127.0.0.1"));
|
| + EXPECT_FALSE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src http://127.0.0.1:/"));
|
| + EXPECT_FALSE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src https://127.?.0.1:*"));
|
| + EXPECT_FALSE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src https://127.0.0.1:"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src https://127.0.0.1:\t* "));
|
| +
|
| + // script-src host wildcards
|
| + EXPECT_TRUE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:8000"));
|
| + EXPECT_TRUE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:8000/"));
|
| + EXPECT_TRUE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:*"));
|
| + EXPECT_TRUE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:*/"));
|
| +
|
| + // missing semicolon
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "default-src 'self' script-src example.com"));
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src 'self' object-src 'self' style-src *"));
|
| +
|
| + // 'none' with other sources
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src http://127.0.0.1:8000 'none'"));
|
| + EXPECT_FALSE(
|
| + ContentSecurityPolicy::IsValidCSPAttr("script-src 'none' 'none' 'none'"));
|
| +
|
| + // comma separated
|
| + EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr(
|
| + "script-src 'none', object-src 'none'"));
|
| +}
|
| +
|
| } // namespace blink
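Review bot: The keyword and cryptographic source forms a CSP attribute validator is most likely to mishandle — `'unsafe-inline'`/`'unsafe-eval'`, `'nonce-…'` and `'sha256-…'` — are not exercised anywhere in the new test, so a validator that accepted only `'self'` and `'none'` would still pass it; next to the `'self', 'none'` group I would add, with constructed sample values, `EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'unsafe-inline'"));`, `EXPECT_TRUE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'nonce-dGVzdA=='"));` and `EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr("script-src 'nonce'"));`. The `thisisa;pathwithasemicolon` case is filed under `// paths on script-src`, but the `;` presumably terminates the directive, so the rejection most likely comes from `pathwithasemicolon` being parsed as an unknown directive name rather than from path validation — a comment such as `// ';' ends the directive; the remainder is an unknown directive name` would stop a later change to path handling from being mis-tested by it. The `// invalid ascii character` heading covers both a raw control byte (`\x08`) and a percent-encoded non-ASCII byte (`%DF`), so `// invalid characters: control byte, percent-encoded non-ASCII` describes the group more accurately. The test name `IsValidTest` could also name the function under test, e.g. `IsValidCSPAttr`, to match the other tests in this file.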
|
|
|