1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
|
// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/renderer/content_security_policy_util.h"
#include "services/network/public/cpp/web_sandbox_flags.h"
#include "services/network/public/mojom/content_security_policy.mojom.h"
#include "services/network/public/mojom/integrity_algorithm.mojom.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace content {
TEST(ContentSecurityPolicyUtilTest, BackAndForthConversion) {
using network::mojom::ContentSecurityPolicy;
using network::mojom::ContentSecurityPolicyHeader;
using network::mojom::CSPDirectiveName;
auto basic_csp = ContentSecurityPolicy::New(
network::mojom::CSPSource::New("http", "www.example.org", 80, "", false,
false),
base::flat_map<CSPDirectiveName, std::string>(),
base::flat_map<CSPDirectiveName, network::mojom::CSPSourceListPtr>(),
false, false, false, network::mojom::WebSandboxFlags::kNone,
ContentSecurityPolicyHeader::New(
"my-csp", network::mojom::ContentSecurityPolicyType::kEnforce,
network::mojom::ContentSecurityPolicySource::kHTTP),
false, std::vector<std::string>(),
network::mojom::CSPRequireTrustedTypesFor::None, nullptr,
std::vector<std::string>());
using ModifyCSP = void(ContentSecurityPolicy&);
ModifyCSP* test_cases[] = {
[](ContentSecurityPolicy& csp) {},
[](ContentSecurityPolicy& csp) {
csp.raw_directives[CSPDirectiveName::ScriptSrc] = "'none'";
csp.raw_directives[CSPDirectiveName::DefaultSrc] =
" http://www.example.org:443/path 'self' invalid ";
},
[](ContentSecurityPolicy& csp) {
csp.raw_directives[CSPDirectiveName::ScriptSrc] = "'none'";
csp.raw_directives[CSPDirectiveName::DefaultSrc] =
" http://www.example.org:443/path 'self' invalid ";
},
[](ContentSecurityPolicy& csp) { csp.upgrade_insecure_requests = true; },
[](ContentSecurityPolicy& csp) { csp.treat_as_public_address = true; },
[](ContentSecurityPolicy& csp) { csp.block_all_mixed_content = true; },
[](ContentSecurityPolicy& csp) {
csp.sandbox = network::mojom::WebSandboxFlags::kPointerLock |
network::mojom::WebSandboxFlags::kDownloads;
},
[](ContentSecurityPolicy& csp) {
csp.header = ContentSecurityPolicyHeader::New(
"my-csp", network::mojom::ContentSecurityPolicyType::kReport,
network::mojom::ContentSecurityPolicySource::kMeta);
},
[](ContentSecurityPolicy& csp) { csp.use_reporting_api = true; },
[](ContentSecurityPolicy& csp) {
csp.report_endpoints = {"endpoint1", "endpoint2"};
},
[](ContentSecurityPolicy& csp) {
csp.require_trusted_types_for =
network::mojom::CSPRequireTrustedTypesFor::Script;
},
[](ContentSecurityPolicy& csp) {
csp.trusted_types = network::mojom::CSPTrustedTypes::New();
},
[](ContentSecurityPolicy& csp) {
csp.trusted_types = network::mojom::CSPTrustedTypes::New(
std::vector<std::string>({"policy1", "policy2"}), false, false);
},
[](ContentSecurityPolicy& csp) {
csp.trusted_types = network::mojom::CSPTrustedTypes::New(
std::vector<std::string>({"policy1", "policy2"}), true, false);
},
[](ContentSecurityPolicy& csp) {
csp.trusted_types = network::mojom::CSPTrustedTypes::New(
std::vector<std::string>({"policy1", "policy2"}), false, true);
},
[](ContentSecurityPolicy& csp) {
csp.parsing_errors = {"error1", "error2"};
},
};
for (const auto& modify_csp : test_cases) {
auto test_csp = basic_csp.Clone();
(*modify_csp)(*test_csp);
EXPECT_EQ(BuildContentSecurityPolicy(
ToWebContentSecurityPolicy(test_csp.Clone())),
test_csp);
}
}
TEST(ContentSecurityPolicyUtilTest, BackAndForthConversionForCSPSourceList) {
using network::mojom::ContentSecurityPolicy;
using network::mojom::CSPDirectiveName;
using network::mojom::CSPSource;
using network::mojom::CSPSourceList;
auto basic_csp = network::mojom::ContentSecurityPolicy::New(
CSPSource::New("http", "www.example.org", 80, "", false, false),
base::flat_map<CSPDirectiveName, std::string>(),
base::flat_map<CSPDirectiveName, network::mojom::CSPSourceListPtr>(),
false, false, false, network::mojom::WebSandboxFlags::kNone,
network::mojom::ContentSecurityPolicyHeader::New(
"my-csp", network::mojom::ContentSecurityPolicyType::kEnforce,
network::mojom::ContentSecurityPolicySource::kHTTP),
false, std::vector<std::string>(),
network::mojom::CSPRequireTrustedTypesFor::None, nullptr,
std::vector<std::string>());
basic_csp->directives[CSPDirectiveName::ScriptSrc] = CSPSourceList::New();
using ModifyCSP = void(CSPSourceList&);
ModifyCSP* test_cases[] = {
[](CSPSourceList& source_list) {},
[](CSPSourceList& source_list) {
source_list.sources.emplace_back(
CSPSource::New("http", "www.example.org", 80, "", false, false));
source_list.sources.emplace_back(CSPSource::New(
"http", "www.example.org", -1, "/path", false, false));
source_list.sources.emplace_back(
CSPSource::New("http", "www.example.org", 80, "", true, false));
source_list.sources.emplace_back(
CSPSource::New("http", "www.example.org", 8080, "", false, true));
},
[](CSPSourceList& source_list) {
source_list.nonces.emplace_back("nonce-abc");
source_list.nonces.emplace_back("nonce-cde");
},
[](CSPSourceList& source_list) {
source_list.hashes.emplace_back(network::mojom::CSPHashSource::New(
network::mojom::IntegrityAlgorithm::kSha256,
std::vector<uint8_t>({'a', 'd'})));
source_list.hashes.emplace_back(network::mojom::CSPHashSource::New(
network::mojom::IntegrityAlgorithm::kSha384,
std::vector<uint8_t>({'c', 'd', 'e'})));
},
[](CSPSourceList& source_list) {
source_list.hashes.emplace_back(network::mojom::CSPHashSource::New(
network::mojom::IntegrityAlgorithm::kSha256,
std::vector<uint8_t>({'a', 'd'})));
source_list.url_hashes.emplace_back(network::mojom::CSPHashSource::New(
network::mojom::IntegrityAlgorithm::kSha384,
std::vector<uint8_t>({'c', 'd', 'e'})));
source_list.eval_hashes.emplace_back(network::mojom::CSPHashSource::New(
network::mojom::IntegrityAlgorithm::kSha384,
std::vector<uint8_t>({'f', 'g', 'h'})));
},
[](CSPSourceList& source_list) { source_list.allow_self = true; },
[](CSPSourceList& source_list) { source_list.allow_star = true; },
[](CSPSourceList& source_list) { source_list.allow_inline = true; },
[](CSPSourceList& source_list) { source_list.allow_eval = true; },
[](CSPSourceList& source_list) { source_list.allow_wasm_eval = true; },
[](CSPSourceList& source_list) {
source_list.allow_wasm_unsafe_eval = true;
},
[](CSPSourceList& source_list) { source_list.allow_dynamic = true; },
[](CSPSourceList& source_list) {
source_list.allow_unsafe_hashes = true;
},
[](CSPSourceList& source_list) { source_list.report_sample = true; },
};
for (const auto& modify_csp : test_cases) {
auto test_csp = basic_csp.Clone();
test_csp->directives[CSPDirectiveName::ScriptSrc] = CSPSourceList::New();
(*modify_csp)(*test_csp->directives[CSPDirectiveName::ScriptSrc]);
EXPECT_EQ(BuildContentSecurityPolicy(
ToWebContentSecurityPolicy(test_csp.Clone())),
test_csp);
}
}
} // namespace content
|
