@Test
public void testFutureDirectives() throws TokeniserException {
try {
parse("referrer no-referrer");
fail();
} catch (ParseException e1) {
assertEquals("The referrer directive is not in the CSP specification yet.", e1.getMessage());
}
try {
parse("upgrade-insecure-requests");
fail();
} catch (ParseException e2) {
assertEquals(
"The upgrade-insecure-requests directive is not in the CSP specification yet.",
e2.getMessage());
}
try {
parse("block-all-mixed-content");
fail();
} catch (ParseException e3) {
assertEquals(
"The block-all-mixed-content directive is not in the CSP specification yet.",
e3.getMessage());
}
}
@Test
public void testAllowDirective() throws TokeniserException {
try {
parse("allow 'none'");
} catch (ParseException e1) {
assertEquals(
"The allow directive has been replaced with default-src and is not in the CSP specification.",
e1.getMessage());
return;
}
fail();
}
@Test
public void testOptionsDirective() throws TokeniserException {
try {
parse("options inline-script");
} catch (ParseException e1) {
assertEquals(
"The options directive has been replaced with 'unsafe-inline' and 'unsafe-eval' and is not in the CSP specification.",
e1.getMessage());
return;
}
fail();
}
@Test
public void testParseMulti() throws ParseException, TokeniserException {
List<Policy> pl;
ArrayList<Warning> warnings;
pl =
Parser.parseMulti(
"script-src a; script-src b, , script-src c; script-src d", "https://origin.com");
assertEquals(2, pl.size());
assertEquals("script-src a", pl.get(0).show());
assertEquals("script-src c", pl.get(1).show());
pl = Parser.parseMulti("script-src a,", URI.parse("https://origin.com"));
assertEquals(2, pl.size());
assertEquals("script-src a", pl.get(0).show());
assertEquals("", pl.get(1).show());
warnings = new ArrayList<>();
pl = Parser.parseMulti("script-src a,", URI.parse("https://origin.com"), warnings);
assertEquals(2, pl.size());
assertEquals("script-src a", pl.get(0).show());
assertEquals("", pl.get(1).show());
assertEquals(0, warnings.size());
warnings = new ArrayList<>();
pl = Parser.parseMulti("script-src a, sandbox", "https://origin.com", warnings);
assertEquals(2, pl.size());
assertEquals("script-src a", pl.get(0).show());
assertEquals("sandbox", pl.get(1).show());
assertEquals(0, warnings.size());
warnings = new ArrayList<>();
pl =
ParserWithLocation.parseMulti(
" plugin-types a/b , script-src 'unsafe-redirect'", "https://origin.com", warnings);
assertEquals(2, pl.size());
assertEquals("plugin-types a/b", pl.get(0).show());
assertEquals("script-src 'unsafe-redirect'", pl.get(1).show());
assertEquals(1, warnings.size());
assertEquals(
"1:36: 'unsafe-redirect' has been removed from CSP as of version 2.0",
warnings.get(0).show());
warnings = new ArrayList<>();
pl =
ParserWithLocation.parseMulti(
"script-src a, frame-src b", URI.parse("https://origin.com"), warnings);
assertEquals(2, pl.size());
assertEquals("script-src a", pl.get(0).show());
assertEquals("frame-src b", pl.get(1).show());
assertEquals(1, warnings.size());
assertEquals(
"1:15: The frame-src directive is deprecated as of CSP version 1.1. Authors who wish to govern nested browsing contexts SHOULD use the child-src directive instead.",
warnings.get(0).show());
try {
pl.clear();
pl = Parser.parseMulti("script-src a,b", "https://origin.com");
fail();
} catch (IllegalArgumentException e1) {
assertEquals(0, pl.size());
assertEquals("Unrecognised directive name: b", e1.getMessage());
}
try {
ParserWithLocation.parse(
"script-src a, script-src b", "https://origin.com", new ArrayList<>());
fail();
} catch (ParseException e1) {
assertEquals(0, pl.size());
assertEquals("1:13: expecting end of policy but found ,", e1.getMessage());
}
try {
Parser.parse("script-src a, script-src b", "https://origin.com");
fail();
} catch (ParseException e1) {
assertEquals(0, pl.size());
assertEquals("expecting end of policy but found ,", e1.getMessage());
}
try {
pl.clear();
pl = ParserWithLocation.parseMulti("allow 'none', options", "https://origin.com");
fail();
} catch (ParseException e1) {
assertEquals(0, pl.size());
assertEquals(
"1:1: The allow directive has been replaced with default-src and is not in the CSP specification.",
e1.getMessage());
}
try {
pl.clear();
pl = ParserWithLocation.parseMulti("allow 'none', referrer", URI.parse("https://origin.com"));
fail();
} catch (ParseException e1) {
assertEquals(0, pl.size());
assertEquals(
"1:1: The allow directive has been replaced with default-src and is not in the CSP specification.",
e1.getMessage());
}
failsToParse("script-src *, ");
}
@Test
public void testHashSource() throws ParseException, TokeniserException {
failsToParse(
"script-src 'self' https://example.com 'sha255-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
failsToParse(
"script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
assertEquals(
"directive-name, directive-value",
"script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='",
parse(
"script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='")
.getDirectiveByType(ScriptSrcDirective.class)
.show());
assertEquals(
"directive-name, directive-value",
"script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'",
parse(
"script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'")
.getDirectiveByType(ScriptSrcDirective.class)
.show());
assertEquals(
"directive-name, directive-value",
"script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='",
parse(
"script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='")
.getDirectiveByType(ScriptSrcDirective.class)
.show());
Policy p =
parse(
"script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
Policy q =
parse(
"script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
assertEquals("hash-source hashcode equality", p.hashCode(), q.hashCode());
ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
assertTrue("hash-source equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
q =
parse(
"script-src 'sha512-HD6Xh+Y6oIZnXv4XqbKxrb6t3RkoPYv+NkqOBE8MwkssuATRE2aFBp8Nm9kp/Xn5a4l2Ki8QkX5qIUlbXQgO4Q=='");
assertFalse("hash-source inequality", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
try {
parse("script-src 'sha256-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
fail();
} catch (ParseException e) {
assertEquals("Invalid SHA-256 value (wrong length): 20", e.getMessage());
}
try {
parse("script-src 'sha384-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
fail();
} catch (ParseException e) {
assertEquals("Invalid SHA-384 value (wrong length): 20", e.getMessage());
}
try {
parse("script-src 'sha512-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
fail();
} catch (ParseException e) {
assertEquals("Invalid SHA-512 value (wrong length): 20", e.getMessage());
}
}