      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "base/strings/string_piece.h"
      6 #include "base/strings/utf_string_conversions.h"
      7 #include "content/child/site_isolation_policy.h"
      8 #include "content/public/common/context_menu_params.h"
      9 #include "testing/gtest/include/gtest/gtest.h"
     10 #include "third_party/WebKit/public/platform/WebURLResponse.h"
     11 #include "ui/gfx/range/range.h"
     12 
     13 using base::StringPiece;
     14 
     15 namespace content {
     16 
// Pins which URL schemes SiteIsolationPolicy::IsBlockableScheme() accepts.
// Of the schemes exercised here only http and https are expected to be
// blockable; data:, ftp:, mailto: and about: must be reported as not
// blockable.
TEST(SiteIsolationPolicyTest, IsBlockableScheme) {
  // Schemes the policy is expected to leave alone.
  GURL inline_png("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA==");
  EXPECT_FALSE(SiteIsolationPolicy::IsBlockableScheme(inline_png));

  GURL ftp_site("ftp://google.com");
  EXPECT_FALSE(SiteIsolationPolicy::IsBlockableScheme(ftp_site));

  GURL mail_link("mailto:google (at) google.com");
  EXPECT_FALSE(SiteIsolationPolicy::IsBlockableScheme(mail_link));

  GURL about_page("about:chrome");
  EXPECT_FALSE(SiteIsolationPolicy::IsBlockableScheme(about_page));

  // Network document schemes: both plain and TLS variants are blockable.
  GURL plain_http("http://google.com");
  EXPECT_TRUE(SiteIsolationPolicy::IsBlockableScheme(plain_http));

  GURL secure_http("https://google.com");
  EXPECT_TRUE(SiteIsolationPolicy::IsBlockableScheme(secure_http));
}
     32 
// Pins the same-site comparison used by the policy. The a.com cases differ
// in subdomain, port and path and are still expected to compare as the same
// site; a different domain, non-web URLs and the empty URL must not.
TEST(SiteIsolationPolicyTest, IsSameSite) {
  // Same domain (a.com), varying subdomain, port and path.
  GURL first_subdomain("https://mock1.a.com:8080/page1.html");
  GURL second_subdomain("https://mock2.a.com:9090/page2.html");
  GURL bare_domain("https://a.com/page3.html");
  EXPECT_TRUE(
      SiteIsolationPolicy::IsSameSite(first_subdomain, second_subdomain));
  EXPECT_TRUE(SiteIsolationPolicy::IsSameSite(second_subdomain, bare_domain));
  EXPECT_TRUE(SiteIsolationPolicy::IsSameSite(bare_domain, first_subdomain));

  // A matching subdomain label on another domain is a different site.
  GURL other_domain("https://mock1.b.com/index.html");
  EXPECT_FALSE(SiteIsolationPolicy::IsSameSite(first_subdomain, other_domain));

  // URLs without a web host never match a web site.
  GURL blank_page("about:blank");
  EXPECT_FALSE(SiteIsolationPolicy::IsSameSite(first_subdomain, blank_page));

  GURL internal_page("chrome://extension");
  EXPECT_FALSE(
      SiteIsolationPolicy::IsSameSite(first_subdomain, internal_page));

  // Empty URL: must compare as not same-site.
  GURL no_url("");
  EXPECT_FALSE(SiteIsolationPolicy::IsSameSite(first_subdomain, no_url));
}
     53 
// Pins which header values IsValidCorsHeaderSet() accepts for a frame on
// http://www.google.com and a response from http://www.yahoo.com. The header
// value is the third argument; this is presumably the
// Access-Control-Allow-Origin value, confirm against the declaration.
TEST(SiteIsolationPolicyTest, IsValidCorsHeaderSet) {
  GURL requesting_frame("http://www.google.com");
  GURL responding_site("http://www.yahoo.com");

  // Header values under test.
  const char kBareWildcard[] = "*";
  const char kQuotedWildcard[] = "\"*\"";
  const char kSiblingHostSameScheme[] = "http://mail.google.com";
  const char kSiblingHostOtherScheme[] = "https://mail.google.com";
  const char kUnrelatedSite[] = "http://yahoo.com";
  const char kHostWithoutScheme[] = "www.google.com";

  // Only the bare wildcard is honoured; a quoted "*" is not.
  EXPECT_TRUE(SiteIsolationPolicy::IsValidCorsHeaderSet(
      requesting_frame, responding_site, kBareWildcard));
  EXPECT_FALSE(SiteIsolationPolicy::IsValidCorsHeaderSet(
      requesting_frame, responding_site, kQuotedWildcard));

  // A sibling host of the frame is accepted when the scheme matches, so the
  // check is looser than an exact origin match. NOTE(review): looks like a
  // same-site comparison against the frame; confirm in the implementation.
  EXPECT_TRUE(SiteIsolationPolicy::IsValidCorsHeaderSet(
      requesting_frame, responding_site, kSiblingHostSameScheme));
  EXPECT_FALSE(SiteIsolationPolicy::IsValidCorsHeaderSet(
      requesting_frame, responding_site, kSiblingHostOtherScheme));

  // Naming the responding site, or omitting the scheme, grants nothing.
  EXPECT_FALSE(SiteIsolationPolicy::IsValidCorsHeaderSet(
      requesting_frame, responding_site, kUnrelatedSite));
  EXPECT_FALSE(SiteIsolationPolicy::IsValidCorsHeaderSet(
      requesting_frame, responding_site, kHostWithoutScheme));
}
     71 
// Pins the HTML content sniffer: leading whitespace and complete HTML
// comments are skipped before looking for a tag, tag matching ignores case,
// and script text must not be classified as HTML.
TEST(SiteIsolationPolicyTest, SniffForHTML) {
  // Whitespace prefix, mixed-case tag name.
  StringPiece padded_mixed_case_tag("  \t\r\n    <HtMladfokadfkado");
  EXPECT_TRUE(SiteIsolationPolicy::SniffForHTML(padded_mixed_case_tag));

  // One or more complete comments in front of the markup.
  StringPiece one_comment_then_html(" <!-- this is comment --> <html><body>");
  EXPECT_TRUE(SiteIsolationPolicy::SniffForHTML(one_comment_then_html));

  StringPiece two_comments_then_html(
      "<!-- this is comment -->\n<!-- this is comment --><html><body>");
  EXPECT_TRUE(SiteIsolationPolicy::SniffForHTML(two_comments_then_html));

  // A second "<!--" inside the comment; the comment still closes at the
  // first "-->" and a tag follows it.
  StringPiece nested_opener_then_script(
      "<!-- this is comment <!-- --> <script></script>");
  EXPECT_TRUE(SiteIsolationPolicy::SniffForHTML(nested_opener_then_script));

  // Plain script text.
  StringPiece script_text("        var name=window.location;\nadfadf");
  EXPECT_FALSE(SiteIsolationPolicy::SniffForHTML(script_text));

  // The comment is never closed ("->" rather than "-->"), so script that
  // merely starts with "<!--" must not be treated as HTML.
  StringPiece unclosed_comment_then_script(
      " <!-- this is comment -> document.write(1); ");
  EXPECT_FALSE(
      SiteIsolationPolicy::SniffForHTML(unclosed_comment_then_script));

  // Bounds check: empty input must be rejected.
  StringPiece no_data("");
  EXPECT_FALSE(SiteIsolationPolicy::SniffForHTML(no_data));
}
     93 
// Pins the XML content sniffer: an XML declaration after leading whitespace
// is detected, script text and empty input are not.
TEST(SiteIsolationPolicyTest, SniffForXML) {
  // Whitespace prefix followed by an XML declaration.
  StringPiece padded_declaration(
      "   \t \r \n     <?xml version=\"1.0\"?>\n <catalog");
  EXPECT_TRUE(SiteIsolationPolicy::SniffForXML(padded_declaration));

  // Plain script text.
  StringPiece script_text("        var name=window.location;\nadfadf");
  EXPECT_FALSE(SiteIsolationPolicy::SniffForXML(script_text));

  // Bounds check: empty input must be rejected.
  StringPiece no_data("");
  EXPECT_FALSE(SiteIsolationPolicy::SniffForXML(no_data));
}
    105 
// Pins the JSON content sniffer: an object whose first key is a quoted
// string is detected; an unquoted key and a JSONP-style call wrapper are
// not.
TEST(SiteIsolationPolicyTest, SniffForJSON) {
  // Whitespace prefix, then an object opening with a quoted key.
  StringPiece quoted_key_object("\t\t\r\n   { \"name\" : \"chrome\", ");
  EXPECT_TRUE(SiteIsolationPolicy::SniffForJSON(quoted_key_object));

  // Unquoted key: a JavaScript object literal, not JSON.
  StringPiece unquoted_key_object("\t\t\r\n   { name : \"chrome\", ");
  EXPECT_FALSE(SiteIsolationPolicy::SniffForJSON(unquoted_key_object));

  // Object wrapped in a function call, so the body is script rather than
  // JSON.
  StringPiece call_wrapped_object(
      "\t\t\r\n   foo({ \"name\" : \"chrome\", ");
  EXPECT_FALSE(SiteIsolationPolicy::SniffForJSON(call_wrapped_object));

  // Bounds check: empty input must be rejected.
  StringPiece no_data("");
  EXPECT_FALSE(SiteIsolationPolicy::SniffForJSON(no_data));
}
    120 
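// Pins the JavaScript content sniffer: a "var" statement is detected with or
// without leading whitespace, while JSON and empty input are not.
TEST(SiteIsolationPolicyTest, SniffForJS) {
  StringPiece basic_js_data("var a = 4");
  StringPiece js_data("\t\t\r\n var a = 4");
  StringPiece json_data("\t\t\r\n   { \"name\" : \"chrome\", ");
  StringPiece empty_data("");

  // The unpadded sample was declared but never asserted on; check it so that
  // detection is not verified only for whitespace-prefixed input.
  EXPECT_TRUE(SiteIsolationPolicy::SniffForJS(basic_js_data));
  EXPECT_TRUE(SiteIsolationPolicy::SniffForJS(js_data));

  // JSON has its own sniffer and must not be classified as script here.
  EXPECT_FALSE(SiteIsolationPolicy::SniffForJS(json_data));

  // Basic bounds check.
  EXPECT_FALSE(SiteIsolationPolicy::SniffForJS(empty_data));
}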
    133 
    134 }  // namespace content
    135