/**
 * Directives from later CSP levels are rejected rather than silently accepted: each of
 * {@code referrer}, {@code upgrade-insecure-requests} and {@code block-all-mixed-content}
 * must raise a {@link ParseException} whose message names the unsupported directive.
 */
@Test
public void testFutureDirectives() throws TokeniserException {
    // Each entry pairs a policy string with the exact message the parser must report.
    String[][] futureDirectives = {
        {"referrer no-referrer",
         "The referrer directive is not in the CSP specification yet."},
        {"upgrade-insecure-requests",
         "The upgrade-insecure-requests directive is not in the CSP specification yet."},
        {"block-all-mixed-content",
         "The block-all-mixed-content directive is not in the CSP specification yet."},
    };
    for (String[] entry : futureDirectives) {
        String policyText = entry[0];
        String expectedMessage = entry[1];
        try {
            parse(policyText);
        } catch (ParseException rejected) {
            assertEquals(expectedMessage, rejected.getMessage());
            continue;
        }
        // Reaching this point means the unsupported directive was accepted.
        fail();
    }
}
/**
 * The pre-standard {@code allow} directive is rejected with a message pointing at its
 * replacement ({@code default-src}).
 */
@Test
public void testAllowDirective() throws TokeniserException {
    try {
        parse("allow 'none'");
        // Parsing must not succeed; a legacy directive that is accepted would be a silent misconfiguration.
        fail();
    } catch (ParseException rejected) {
        assertEquals(
            "The allow directive has been replaced with default-src and is not in the CSP specification.",
            rejected.getMessage());
    }
}
/**
 * The pre-standard {@code options} directive is rejected with a message pointing at the
 * keyword sources that replaced it ({@code 'unsafe-inline'} / {@code 'unsafe-eval'}).
 */
@Test
public void testOptionsDirective() throws TokeniserException {
    try {
        parse("options inline-script");
        // Parsing must not succeed for a directive that is no longer part of CSP.
        fail();
    } catch (ParseException rejected) {
        assertEquals(
            "The options directive has been replaced with 'unsafe-inline' and 'unsafe-eval' and is not in the CSP specification.",
            rejected.getMessage());
    }
}
/**
 * Covers {@code Parser.parseMulti} / {@code ParserWithLocation.parseMulti} on comma-separated
 * policy lists, with the origin given both as a {@code String} and as a parsed {@code URI}:
 * a blank list member is skipped, a trailing comma yields an empty policy, warnings are
 * collected into the supplied list (the location-aware parser prefixes them with a
 * line:column), and a rejected member aborts the whole list with the expected message.
 */
@Test
public void testParseMulti() throws ParseException, TokeniserException {
    List<Policy> policies;
    ArrayList<Warning> collected;

    // Only two members survive the blank entry between the commas.
    policies = Parser.parseMulti(
        "script-src a; script-src b, , script-src c; script-src d", "https://origin.com");
    assertEquals(2, policies.size());
    assertEquals("script-src a", policies.get(0).show());
    assertEquals("script-src c", policies.get(1).show());

    // A trailing comma produces a second, empty policy.
    policies = Parser.parseMulti("script-src a,", URI.parse("https://origin.com"));
    assertEquals(2, policies.size());
    assertEquals("script-src a", policies.get(0).show());
    assertEquals("", policies.get(1).show());

    // Same input with a warnings sink: the empty member produces no warning.
    collected = new ArrayList<>();
    policies = Parser.parseMulti("script-src a,", URI.parse("https://origin.com"), collected);
    assertEquals(2, policies.size());
    assertEquals("script-src a", policies.get(0).show());
    assertEquals("", policies.get(1).show());
    assertEquals(0, collected.size());

    // A bare sandbox directive as the second member is accepted without warnings.
    collected = new ArrayList<>();
    policies = Parser.parseMulti("script-src a, sandbox", "https://origin.com", collected);
    assertEquals(2, policies.size());
    assertEquals("script-src a", policies.get(0).show());
    assertEquals("sandbox", policies.get(1).show());
    assertEquals(0, collected.size());

    // Whitespace around members is tolerated; the removed 'unsafe-redirect' keyword is reported
    // with a line:column prefix. NOTE(review): column 36 does not match the offset of
    // 'unsafe-redirect' in this input (the opening quote is at column 32) — worth confirming
    // how ParserWithLocation computes columns for list members.
    collected = new ArrayList<>();
    policies = ParserWithLocation.parseMulti(
        " plugin-types a/b , script-src 'unsafe-redirect'", "https://origin.com", collected);
    assertEquals(2, policies.size());
    assertEquals("plugin-types a/b", policies.get(0).show());
    assertEquals("script-src 'unsafe-redirect'", policies.get(1).show());
    assertEquals(1, collected.size());
    assertEquals(
        "1:36: 'unsafe-redirect' has been removed from CSP as of version 2.0",
        collected.get(0).show());

    // frame-src is still parsed but flagged as deprecated, again with a location prefix.
    collected = new ArrayList<>();
    policies = ParserWithLocation.parseMulti(
        "script-src a, frame-src b", URI.parse("https://origin.com"), collected);
    assertEquals(2, policies.size());
    assertEquals("script-src a", policies.get(0).show());
    assertEquals("frame-src b", policies.get(1).show());
    assertEquals(1, collected.size());
    assertEquals(
        "1:15: The frame-src directive is deprecated as of CSP version 1.1. "
            + "Authors who wish to govern nested browsing contexts SHOULD use the child-src directive instead.",
        collected.get(0).show());

    // An unknown directive name in a list member surfaces as IllegalArgumentException rather
    // than ParseException. NOTE(review): callers that only catch ParseException would not see
    // this case — confirm whether the asymmetry is intended. The list was cleared and never
    // reassigned, so it is still empty in the catch block.
    try {
        policies.clear();
        policies = Parser.parseMulti("script-src a,b", "https://origin.com");
        fail();
    } catch (IllegalArgumentException rejected) {
        assertEquals(0, policies.size());
        assertEquals("Unrecognised directive name: b", rejected.getMessage());
    }

    // The single-policy entry points refuse a comma-separated list outright.
    try {
        ParserWithLocation.parse("script-src a, script-src b", "https://origin.com", new ArrayList<>());
        fail();
    } catch (ParseException rejected) {
        assertEquals(0, policies.size());
        assertEquals("1:13: expecting end of policy but found ,", rejected.getMessage());
    }
    try {
        Parser.parse("script-src a, script-src b", "https://origin.com");
        fail();
    } catch (ParseException rejected) {
        assertEquals(0, policies.size());
        assertEquals("expecting end of policy but found ,", rejected.getMessage());
    }

    // When the first member is the removed allow directive, the error reported is allow's,
    // whichever (also unsupported) member follows it.
    try {
        policies.clear();
        policies = ParserWithLocation.parseMulti("allow 'none', options", "https://origin.com");
        fail();
    } catch (ParseException rejected) {
        assertEquals(0, policies.size());
        assertEquals(
            "1:1: The allow directive has been replaced with default-src and is not in the CSP specification.",
            rejected.getMessage());
    }
    try {
        policies.clear();
        policies = ParserWithLocation.parseMulti("allow 'none', referrer", URI.parse("https://origin.com"));
        fail();
    } catch (ParseException rejected) {
        assertEquals(0, policies.size());
        assertEquals(
            "1:1: The allow directive has been replaced with default-src and is not in the CSP specification.",
            rejected.getMessage());
    }

    // A trailing comma followed only by whitespace is rejected.
    failsToParse("script-src *, ");
}
/**
 * Hash-source handling: an unknown algorithm label or a base64 value missing its padding is
 * rejected; well-formed sha256/sha384/sha512 sources round-trip through {@code show()}; two
 * separately parsed policies with the same digest compare equal (and hash alike) while a
 * different digest does not; and a digest of the wrong length is rejected with an
 * algorithm-specific message.
 */
@Test
public void testHashSource() throws ParseException, TokeniserException {
    // 'sha255' is not a recognised algorithm label.
    failsToParse(
        "script-src 'self' https://example.com 'sha255-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    // The same value under sha256 but without its trailing '=' padding is also rejected.
    failsToParse(
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");

    // Each well-formed hash-source must be rendered back exactly as written.
    String[] roundTrips = {
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='",
        "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'",
        "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='",
    };
    for (String policyText : roundTrips) {
        ScriptSrcDirective scriptSrc = parse(policyText).getDirectiveByType(ScriptSrcDirective.class);
        assertEquals("directive-name, directive-value", policyText, scriptSrc.show());
    }

    // Two policies parsed from identical text agree on hashCode and directive equality.
    String sha512Policy =
        "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='";
    Policy first = parse(sha512Policy);
    Policy second = parse(sha512Policy);
    assertEquals("hash-source hashcode equality", first.hashCode(), second.hashCode());
    ScriptSrcDirective directive = first.getDirectiveByType(ScriptSrcDirective.class);
    assertTrue("hash-source equals",
        directive.equals(second.getDirectiveByType(ScriptSrcDirective.class)));

    // A different sha512 digest yields an unequal directive.
    Policy other = parse(
        "script-src 'sha512-HD6Xh+Y6oIZnXv4XqbKxrb6t3RkoPYv+NkqOBE8MwkssuATRE2aFBp8Nm9kp/Xn5a4l2Ki8QkX5qIUlbXQgO4Q=='");
    assertFalse("hash-source inequality",
        directive.equals(other.getDirectiveByType(ScriptSrcDirective.class)));

    // The same 28-character base64 value (20 bytes decoded) is rejected under every SHA-2 label;
    // the message reports the decoded length.
    String[][] wrongLength = {
        {"script-src 'sha256-gpw4BEAbByf3D3PUQV4WJADL5Xs='", "Invalid SHA-256 value (wrong length): 20"},
        {"script-src 'sha384-gpw4BEAbByf3D3PUQV4WJADL5Xs='", "Invalid SHA-384 value (wrong length): 20"},
        {"script-src 'sha512-gpw4BEAbByf3D3PUQV4WJADL5Xs='", "Invalid SHA-512 value (wrong length): 20"},
    };
    for (String[] entry : wrongLength) {
        try {
            parse(entry[0]);
            fail();
        } catch (ParseException rejected) {
            assertEquals(entry[1], rejected.getMessage());
        }
    }
}