chrome/common/secure_origin_whitelist_unittest.cc - chromium/src - Git at Google

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "base/command_line.h"
 #include "base/test/scoped_command_line.h"
 #include "chrome/common/chrome_switches.h"
 #include "content/public/common/origin_util.h"
 #include "content/public/test/test_utils.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"

 using content::IsOriginSecure;

 namespace chrome {

 class SecureOriginWhiteListTest : public testing::Test {
   void TearDown() override {
     // Ensure that we reset the whitelisted origins without any flags applied.
     content::ResetSchemesAndOriginsWhitelist();
   }
 };

 TEST_F(SecureOriginWhiteListTest, UnsafelyTreatInsecureOriginAsSecure) {
   EXPECT_FALSE(content::IsOriginSecure(GURL("http://example.com/a.html")));
   EXPECT_FALSE(
       content::IsOriginSecure(GURL("http://127.example.com/a.html")));
   // Add http://example.com and http://127.example.com to whitelist by
   // command-line and see if they are now considered secure origins.
   // (The command line is applied via
   // ChromeContentClient::AddSecureSchemesAndOrigins)
   base::test::ScopedCommandLine scoped_command_line;
   base::CommandLine* command_line = scoped_command_line.GetProcessCommandLine();
   command_line->AppendSwitchASCII(
       switches::kUnsafelyTreatInsecureOriginAsSecure,
       "http://example.com,http://127.example.com");
   content::ResetSchemesAndOriginsWhitelist();

   // They should be now white-listed.
   EXPECT_TRUE(content::IsOriginSecure(GURL("http://example.com/a.html")));
   EXPECT_TRUE(content::IsOriginSecure(GURL("http://127.example.com/a.html")));

   // Check that similarly named sites are not considered secure.
   EXPECT_FALSE(content::IsOriginSecure(GURL("http://128.example.com/a.html")));
   EXPECT_FALSE(content::IsOriginSecure(
       GURL("http://foobar.127.example.com/a.html")));
 }

 TEST_F(SecureOriginWhiteListTest, HostnamePatterns) {
   const struct HostnamePatternCase {
     const char* pattern;
     const char* test_input;
     bool expected_secure;
   } kTestCases[] = {
       {"*.foo.com", "http://bar.foo.com", true},
       {"*.foo.*.bar.com", "http://a.foo.b.bar.com:8000", true},
       // For parsing/canonicalization simplicity, wildcard patterns can be
       // hostnames only, not full origins.
       {"http://*.foo.com", "http://bar.foo.com", false},
       {"*://foo.com", "http://foo.com", false},
       // Wildcards must be beyond eTLD+1.
       {"*.co.uk", "http://foo.co.uk", false},
       {"*.co.uk", "http://co.uk", false},
       {"*.baz", "http://foo.baz", false},
       {"foo.*.com", "http://foo.bar.com", false},
       {"*.foo.baz", "http://a.foo.baz", true},
       // Hostname patterns should be canonicalized.
       {"*.FoO.com", "http://a.foo.com", true},
       {"%2A.foo.com", "http://a.foo.com", false},
       // Hostname patterns must contain a wildcard and a wildcard can only
       // replace a component, not a part of a component.
       {"foo.com", "http://foo.com", false},
       {"test*.foo.com", "http://testblah.foo.com", false},
       {"*foo.com", "http://testfoo.com", false},
       {"foo*.com", "http://footest.com", false},
   };

   for (const auto& test : kTestCases) {
     base::test::ScopedCommandLine scoped_command_line;
     base::CommandLine* command_line =
         scoped_command_line.GetProcessCommandLine();
     command_line->AppendSwitchASCII(
         switches::kUnsafelyTreatInsecureOriginAsSecure, test.pattern);
     content::ResetSchemesAndOriginsWhitelist();
     EXPECT_EQ(test.expected_secure,
               content::IsOriginSecure(GURL(test.test_input)));
     EXPECT_EQ(test.expected_secure,
               content::IsPotentiallyTrustworthyOrigin(
                   url::Origin::Create(GURL(test.test_input))));
   }
 }

 }  // namespace chrome
	// Copyright 2015 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "base/command_line.h"
	#include "base/test/scoped_command_line.h"
	#include "chrome/common/chrome_switches.h"
	#include "content/public/common/origin_util.h"
	#include "content/public/test/test_utils.h"
	#include "testing/gtest/include/gtest/gtest.h"
	#include "url/gurl.h"

	using content::IsOriginSecure;

	namespace chrome {

	class SecureOriginWhiteListTest : public testing::Test {
	void TearDown() override {
	// Ensure that we reset the whitelisted origins without any flags applied.
	content::ResetSchemesAndOriginsWhitelist();
	}
	};

	TEST_F(SecureOriginWhiteListTest, UnsafelyTreatInsecureOriginAsSecure) {
	EXPECT_FALSE(content::IsOriginSecure(GURL("http://example.com/a.html")));
	EXPECT_FALSE(
	content::IsOriginSecure(GURL("http://127.example.com/a.html")));
	// Add http://example.com and http://127.example.com to whitelist by
	// command-line and see if they are now considered secure origins.
	// (The command line is applied via
	// ChromeContentClient::AddSecureSchemesAndOrigins)
	base::test::ScopedCommandLine scoped_command_line;
	base::CommandLine* command_line = scoped_command_line.GetProcessCommandLine();
	command_line->AppendSwitchASCII(
	switches::kUnsafelyTreatInsecureOriginAsSecure,
	"http://example.com,http://127.example.com");
	content::ResetSchemesAndOriginsWhitelist();

	// They should be now white-listed.
	EXPECT_TRUE(content::IsOriginSecure(GURL("http://example.com/a.html")));
	EXPECT_TRUE(content::IsOriginSecure(GURL("http://127.example.com/a.html")));

	// Check that similarly named sites are not considered secure.
	EXPECT_FALSE(content::IsOriginSecure(GURL("http://128.example.com/a.html")));
	EXPECT_FALSE(content::IsOriginSecure(
	GURL("http://foobar.127.example.com/a.html")));
	}

	TEST_F(SecureOriginWhiteListTest, HostnamePatterns) {
	const struct HostnamePatternCase {
	const char* pattern;
	const char* test_input;
	bool expected_secure;
	} kTestCases[] = {
	{"*.foo.com", "http://bar.foo.com", true},
	{".foo..bar.com", "http://a.foo.b.bar.com:8000", true},
	// For parsing/canonicalization simplicity, wildcard patterns can be
	// hostnames only, not full origins.
	{"http://*.foo.com", "http://bar.foo.com", false},
	{"*://foo.com", "http://foo.com", false},
	// Wildcards must be beyond eTLD+1.
	{"*.co.uk", "http://foo.co.uk", false},
	{"*.co.uk", "http://co.uk", false},
	{"*.baz", "http://foo.baz", false},
	{"foo.*.com", "http://foo.bar.com", false},
	{"*.foo.baz", "http://a.foo.baz", true},
	// Hostname patterns should be canonicalized.
	{"*.FoO.com", "http://a.foo.com", true},
	{"%2A.foo.com", "http://a.foo.com", false},
	// Hostname patterns must contain a wildcard and a wildcard can only
	// replace a component, not a part of a component.
	{"foo.com", "http://foo.com", false},
	{"test*.foo.com", "http://testblah.foo.com", false},
	{"*foo.com", "http://testfoo.com", false},
	{"foo*.com", "http://footest.com", false},
	};

	for (const auto& test : kTestCases) {
	base::test::ScopedCommandLine scoped_command_line;
	base::CommandLine* command_line =
	scoped_command_line.GetProcessCommandLine();
	command_line->AppendSwitchASCII(
	switches::kUnsafelyTreatInsecureOriginAsSecure, test.pattern);
	content::ResetSchemesAndOriginsWhitelist();
	EXPECT_EQ(test.expected_secure,
	content::IsOriginSecure(GURL(test.test_input)));
	EXPECT_EQ(test.expected_secure,
	content::IsPotentiallyTrustworthyOrigin(
	url::Origin::Create(GURL(test.test_input))));
	}
	}

	} // namespace chrome