// Copyright 2020 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "services/network/public/cpp/content_security_policy/content_security_policy.h" #include "base/containers/contains.h" #include "base/memory/raw_ref.h" #include "base/strings/stringprintf.h" #include "base/test/scoped_feature_list.h" #include "net/http/http_response_headers.h" #include "services/network/public/cpp/content_security_policy/csp_context.h" #include "services/network/public/cpp/features.h" #include "services/network/public/cpp/web_sandbox_flags.h" #include "services/network/public/mojom/content_security_policy.mojom.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" #include "url/gurl.h" #include "url/origin.h" #include "url/third_party/mozilla/url_parse.h" namespace network { CSPDirectiveName; namespace { struct ExpectedResult { … }; struct TestData { … }; std::vector<mojom::ContentSecurityPolicyPtr> ParseCSP(std::string expression) { … } static void TestFrameAncestorsCSPParser(const std::string& header, const ExpectedResult* expected_result) { … } class CSPContextTest : public CSPContext { … }; mojom::ContentSecurityPolicyPtr EmptyCSP() { … } // Build a new policy made of only one directive and no report endpoints. mojom::ContentSecurityPolicyPtr BuildPolicy(CSPDirectiveName directive_name, mojom::CSPSourcePtr source) { … } mojom::CSPSourcePtr BuildCSPSource(const char* scheme, const char* host) { … } // Return "Content-Security-Policy: default-src <host>" mojom::ContentSecurityPolicyPtr DefaultSrc(const char* scheme, const char* host) { … } network::mojom::SourceLocationPtr SourceLocation() { … } mojom::ContentSecurityPolicyPtr ParseOneCspReportOnly(std::string expression) { … } } // namespace TEST(ContentSecurityPolicy, ParseFrameAncestors) { … } TEST(ContentSecurityPolicy, ParseDirectives) { … } TEST(ContentSecurityPolicy, ParseAllow) { … } TEST(ContentSecurityPolicy, ParseOptions) { … } TEST(ContentSecurityPolicy, ParsePolicyUri) { … } TEST(ContentSecurityPolicy, ParsePluginTypes) { … } TEST(ContentSecurityPolicy, ParseRequireTrustedTypesFor) { … } TEST(ContentSecurityPolicy, ParseTrustedTypes) { … } TEST(ContentSecurityPolicy, ParseBlockAllMixedContent) { … } TEST(ContentSecurityPolicy, ParseReportEndpoint) { … } TEST(ContentSecurityPolicy, ParseStoresSelfOrigin) { … } // Check URL are upgraded iif "upgrade-insecure-requests" directive is defined. TEST(ContentSecurityPolicy, ShouldUpgradeInsecureRequest) { … } // Check upgraded URLs are only the Non-trusted Non-HTTP URLs. TEST(ContentSecurityPolicy, UpgradeInsecureRequests) { … } TEST(ContentSecurityPolicy, NoDirective) { … } TEST(ContentSecurityPolicy, ReportViolation) { … } TEST(ContentSecurityPolicy, DirectiveFallback) { … } TEST(ContentSecurityPolicy, RequestsAllowedWhenBypassingCSP) { … } TEST(ContentSecurityPolicy, FilesystemAllowedWhenBypassingCSP) { … } TEST(ContentSecurityPolicy, BlobAllowedWhenBypassingCSP) { … } TEST(ContentSecurityPolicy, NavigateToChecks) { … } TEST(ContentSecurityPolicy, ParseSandbox) { … } TEST(ContentSecurityPolicy, ParseSerializedSourceList) { … } TEST(ContentSecurityPolicy, ParseHash) { … } TEST(ContentSecurityPolicy, ParseInlineSpeculationRules) { … } TEST(ContentSecurityPolicy, IsValidRequiredCSPAttr) { … } TEST(ContentSecurityPolicy, Subsumes) { … } TEST(ContentSecurityPolicy, SubsumesBasedOnCSPSourcesOnly) { … } TEST(ContentSecurityPolicy, SubsumesIfNoneIsPresent) { … } TEST(ContentSecurityPolicy, InvalidPolicyInReportOnlySandbox) { … } TEST(ContentSecurityPolicy, InvalidPolicyInReportOnlyUpgradeInsecureRequest) { … } TEST(ContentSecurityPolicy, InvalidPolicyInReportTreatAsPublicAddress) { … } TEST(ContentSecurityPolicy, InvalidPolicyInMetaFrameAncestors) { … } TEST(ContentSecurityPolicy, InvalidPolicyInMetaReportUri) { … } TEST(ContentSecurityPolicy, InvalidPolicyInMetaSandbox) { … } TEST(ContentSecurityPolicy, InvalidPolicyInMetaTreatAsPublicAddress) { … } TEST(ContentSecurityPolicy, AllowsBlanketEnforcementOfRequiredCSP) { … } TEST(ContentSecurityPolicy, FencedFrameSrcFallback) { … } TEST(ContentSecurityPolicy, FencedFrameSrcOpaqueURL) { … } } // namespace network
Codebase Browser
chromium