Added validation of the policy specified in the 'csp' attribute

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
index 98b3d0239921062add8a5614640c2c77277759d1..92c74fe10ceb84dfa6f0c77574d682b9d4014b49 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
@@ -1172,4 +1172,122 @@ TEST_F(ContentSecurityPolicyTest, BlobAllowedWhenBypassingCSP) {
       "https");
 }
 
+TEST_F(ContentSecurityPolicyTest, IsValidTest) {
+  // Empty string is invalid
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(""), false);
+
+  // Policy with single directive
+  EXPECT_EQ(

[Mike West, 2017/05/29 13:49:31]

Nit: EXPECT_TRUE

[andypaicu, 2017/05/30 08:51:22]

Done

+      ContentSecurityPolicy::IsValidCSPAttr("base-uri http://example.com"),
+      true);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(

[Mike West, 2017/05/29 13:49:31]

Nit: EXPECT_FALSE

[andypaicu, 2017/05/30 08:51:22]

Done

+                "invalid-policy-name http://example.com"),
+            false);
+
+  // Policy with multiple directives
+  EXPECT_EQ(

[Mike West, 2017/05/29 13:49:31]

Ditto, all the way down.

[andypaicu, 2017/05/30 08:51:22]

Done

+      ContentSecurityPolicy::IsValidCSPAttr(
+          "base-uri http://example.com 'self'; child-src http://example.com; "
+          "default-src http://example.com"),
+      true);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "default-src http://example.com; "
+                "invalid-policy-name http://example.com"),
+            false);
+
+  // 'self', 'none'
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src 'self'"), true);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("default-src 'none'"), true);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src 'slef'"), false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("default-src 'non'"), false);
+
+  // invalid ascii character
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src https:  \x08"),
+            false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src 127.0.0.1%2F%DFisnotSorB%2F"),
+            false);
+
+  // paths on script-src
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:*/"),
+            true);
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:*/path"),
+      true);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src 127.0.0.1:*/path?query=string"),
+            false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src 127.0.0.1:*/path#anchor"),
+            false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:8000/"),
+            true);
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src 127.0.0.1:8000/path"),
+      true);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src 127.0.0.1:8000/path?query=string"),
+            false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src 127.0.0.1:8000/path#anchor"),
+            false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src 127.0.0.1:8000/thisisa;pathwithasemicolon"),

[Mike West, 2017/05/29 13:49:31]

Do we have layout tests covering URL encoded policies? That is, do we do the
right thing with HTML entities (`<` in the attribute), percent-encoding, etc?

[andypaicu, 2017/05/30 08:51:22]

No we don't, I'll add some to the WPT tests as part of crbug.com/726724.

+            false);
+
+  // script-src invalid hosts
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src http:/"), false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src http://"), false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src http:/127.0.0.1"),
+            false);
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src http:///127.0.0.1"),
+      false);
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src http://127.0.0.1:/"),
+      false);
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src https://127.?.0.1:*"),
+      false);
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src https://127.0.0.1:"),
+      false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src https://127.0.0.1:\t*   "),
+            false);
+
+  // script-src host wildcards
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:8000"),
+      true);
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:8000/"),
+      true);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:*"),
+            true);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr("script-src http://*.0.1:*/"),
+            true);
+
+  // missing semicolon
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "default-src 'self' script-src example.com"),
+            false);
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src 'self' object-src 'self' style-src *"),
+            false);
+
+  // 'none' with other sources
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src http://127.0.0.1:8000 'none'"),
+            false);
+  EXPECT_EQ(
+      ContentSecurityPolicy::IsValidCSPAttr("script-src 'none' 'none' 'none'"),
+      false);
+
+  // comma separated
+  EXPECT_EQ(ContentSecurityPolicy::IsValidCSPAttr(
+                "script-src 'none', object-src 'none'"),
+            false);
+}
+
 }  // namespace blink