| Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
|
| diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
|
| index 4c38b3d3b2ed4120d6e8708af392b177e99db163..388abc3e194d3498c13a9a68efe11e8af8fcc4ef 100644
|
| --- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
|
| +++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
|
| @@ -35,6 +35,15 @@ class CSPDirectiveListTest : public ::testing::Test {
|
| kContentSecurityPolicyHeaderSourceHTTP);
|
| }
|
|
|
| + bool CallCSPDirectiveListIsValid(const String& policy) {
|
| + return CSPDirectiveList::IsValid(
|
| + policy,
|
| + ContentSecurityPolicyHeaderType::
|
| + kContentSecurityPolicyHeaderTypeEnforce,
|
| + ContentSecurityPolicyHeaderSource::
|
| + kContentSecurityPolicyHeaderSourceHTTP);
|
| + }
|
| +
|
| protected:
|
| Persistent<ContentSecurityPolicy> csp;
|
| };
|
| @@ -1140,4 +1149,94 @@ TEST_F(CSPDirectiveListTest, GetSourceVector) {
|
| }
|
| }
|
|
|
| +TEST_F(CSPDirectiveListTest, IsValidTest) {
|
| + // Empty string is invalid
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid(""), false);
|
| +
|
| + // Policy with single directive
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("base-uri http://example.com"), true);
|
| + EXPECT_EQ(
|
| + CallCSPDirectiveListIsValid("invalid-policy-name http://example.com"),
|
| + false);
|
| +
|
| + // Policy with multiple directives
|
| + EXPECT_EQ(
|
| + CallCSPDirectiveListIsValid(
|
| + "base-uri http://example.com 'self'; child-src http://example.com; "
|
| + "default-src http://example.com"),
|
| + true);
|
| + EXPECT_EQ(
|
| + CallCSPDirectiveListIsValid("default-src http://example.com; "
|
| + "invalid-policy-name http://example.com"),
|
| + false);
|
| +
|
| + // 'self', 'none'
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src 'self'"), true);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("default-src 'none'"), true);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src 'slef'"), false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("default-src 'non'"), false);
|
| +
|
| + // invalid ascii character
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src https: \x08"), false);
|
| + EXPECT_EQ(
|
| + CallCSPDirectiveListIsValid("script-src 127.0.0.1%2F%DFisnotSorB%2F"),
|
| + false);
|
| +
|
| + // paths on script-src
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src 127.0.0.1:*/"), true);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src 127.0.0.1:*/path"), true);
|
| + EXPECT_EQ(
|
| + CallCSPDirectiveListIsValid("script-src 127.0.0.1:*/path?query=string"),
|
| + false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src 127.0.0.1:*/path#anchor"),
|
| + false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src 127.0.0.1:8000/"), true);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src 127.0.0.1:8000/path"),
|
| + true);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid(
|
| + "script-src 127.0.0.1:8000/path?query=string"),
|
| + false);
|
| + EXPECT_EQ(
|
| + CallCSPDirectiveListIsValid("script-src 127.0.0.1:8000/path#anchor"),
|
| + false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid(
|
| + "script-src 127.0.0.1:8000/thisisa;pathwithasemicolon"),
|
| + false);
|
| +
|
| + // script-src invalid hosts
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http:/"), false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http://"), false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http:/127.0.0.1"), false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http:///127.0.0.1"), false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http://127.0.0.1:/"),
|
| + false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src https://127.?.0.1:*"),
|
| + false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src https://127.0.0.1:"),
|
| + false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src https://127.0.0.1:\t* "),
|
| + false);
|
| +
|
| + // script-src host wildcards
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http://*.0.1:8000"), true);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http://*.0.1:8000/"), true);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http://*.0.1:*"), true);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src http://*.0.1:*/"), true);
|
| +
|
| + // missing semicolon
|
| + EXPECT_EQ(
|
| + CallCSPDirectiveListIsValid("default-src 'self' script-src example.com"),
|
| + false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid(
|
| + "script-src 'self' object-src 'self' style-src *"),
|
| + false);
|
| +
|
| + // 'none' with other sources
|
| + EXPECT_EQ(
|
| + CallCSPDirectiveListIsValid("script-src http://127.0.0.1:8000 'none'"),
|
| + false);
|
| + EXPECT_EQ(CallCSPDirectiveListIsValid("script-src 'none' 'none' 'none'"),
|
| + false);
|
| +}
|
| +
|
| } // namespace blink
|
|
|
Chromium Code Reviews
Issue 2896833002:
Added validation of the policy specified in the 'csp' attribute (Closed)
