def testDirectiveParser_parse_empty(self):
assert DirectiveParser(strict=True).parse(" ") == Directive.INVALID()
assert DirectiveParser(strict=False).parse(" ") == Directive.INVALID()
assert DirectiveParser(
strict=True).parse("img-src ") == Directive.INVALID()
assert DirectiveParser(
strict=False).parse("img-src ") == Directive.INVALID()
def testDirectiveParser_parse_standard(self):
assert DirectiveParser(strict=True).parse("default-src https: 'unsafe-inline' 'unsafe-eval'") \
== Directive("default-src", [URISourceExpression("https", None, None, None),
SourceExpression.UNSAFE_INLINE(), SourceExpression.UNSAFE_EVAL()])
assert DirectiveParser(strict=True).parse("default-src 'self'") \
== Directive("default-src", [SelfSourceExpression.SELF()])
assert DirectiveParser(strict=True).parse("img-src *") \
== Directive("img-src", [URISourceExpression(None, "*", None, None)])
assert DirectiveParser(strict=True).parse("object-src media1.example.com media2.example.com *.cdn.example.com") \
== Directive("object-src", [URISourceExpression(None, "media1.example.com", None, None),
URISourceExpression(None, "media2.example.com", None, None),
URISourceExpression(None, "*.cdn.example.com", None, None)])
def testDirectiveParser_parse_whitespaceRemoval(self):
"""Whitespace is properly removed."""
directive = "img-src 'self' https://abc.cloudfront.net/the-path chrome-extension: data: https://def.cloudfront.net/another-path "
directiveClean = "img-src 'self' chrome-extension: data: https://abc.cloudfront.net/the-path https://def.cloudfront.net/another-path"
cspDirective = DirectiveParser().parse(directive)
assert cspDirective.getType() == "img-src"
assert cspDirective.getWhitelistedSourceExpressions() == set([SelfSourceExpression.SELF(),
URISourceExpression("chrome-extension", None, None, None), URISourceExpression("data", None, None, None),
URISourceExpression("https", "abc.cloudfront.net", None, "/the-path"),
URISourceExpression("https", "def.cloudfront.net", None, "/another-path")])
assert str(cspDirective) == directiveClean
cspDirectiveClean = DirectiveParser().parse(directiveClean)
assert cspDirective == cspDirectiveClean
def testDirectiveParser_parse_eval(self):
"""'unsafe-eval' keyword allowed only in 'script-src' and 'default-src'"""
scriptSrcWithEval = """script-src 'self' 'unsafe-eval' 'unsafe-inline'"""
scriptSrcWithEvalOnly = """script-src 'unsafe-eval'"""
defaultSrcWithInlineAndEvalOnly = """default-src 'unsafe-eval' 'unsafe-inline'"""
invalidImgSrcWithEval = """img-src http://example/path 'unsafe-eval'"""
assert str(
DirectiveParser().parse(scriptSrcWithEval)) == scriptSrcWithEval
assert str(DirectiveParser().parse(
scriptSrcWithEvalOnly)) == scriptSrcWithEvalOnly
assert str(DirectiveParser().parse(defaultSrcWithInlineAndEvalOnly)) \
== defaultSrcWithInlineAndEvalOnly
assert DirectiveParser(strict=True).parse(invalidImgSrcWithEval) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidImgSrcWithEval)) \
== "img-src http://example/path"
def testDirectiveParser_parse_translate(self):
"""The old directive type 'xhr-src' is correctly rewritten to 'connect-src'."""
translateDirective = "xhr-src http://localhost"
cspTranslateDirective = DirectiveParser().parse(translateDirective)
assert cspTranslateDirective == Directive(
"connect-src",
(URISourceExpression("http", "localhost", None, None), ))
def testDirectiveParser_parse_none_syntaxerror_notstrict(self):
"""If 'none' appears in a directive not parsed strictly and other expressions occur, 'none' is ignored."""
noneDirectiveInvalid = """default-src http://one 'None' http://two"""
cspDirective = DirectiveParser(
strict=False).parse(noneDirectiveInvalid)
assert cspDirective == Directive("default-src", [
URISourceExpression("http", "one", None, None),
URISourceExpression("http", "two", None, None)
])
def testDirectiveParser_parse_whitespaceRemoval(self):
"""Whitespace is properly removed."""
directive = "img-src 'self' https://abc.cloudfront.net/the-path chrome-extension: data: https://def.cloudfront.net/another-path "
directiveClean = "img-src 'self' chrome-extension: data: https://abc.cloudfront.net/the-path https://def.cloudfront.net/another-path"
cspDirective = DirectiveParser().parse(directive)
assert cspDirective.getType() == "img-src"
assert cspDirective.getWhitelistedSourceExpressions() == set([
SelfSourceExpression.SELF(),
URISourceExpression("chrome-extension", None, None, None),
URISourceExpression("data", None, None, None),
URISourceExpression("https", "abc.cloudfront.net", None,
"/the-path"),
URISourceExpression("https", "def.cloudfront.net", None,
"/another-path")
])
assert str(cspDirective) == directiveClean
cspDirectiveClean = DirectiveParser().parse(directiveClean)
assert cspDirective == cspDirectiveClean
def testDirectiveParser_parse_inline(self):
"""'unsafe-inline' keyword allowed only in 'script-src' and 'style-src' and 'default-src'"""
scriptSrcWithInline = """script-src 'self' 'unsafe-inline' http://me.com/"""
styleSrcWithInline = """style-src 'unsafe-inline' http://other"""
styleSrcWithInlineOnly = """style-src 'unsafe-inline'"""
defaultSrcWithInlineOnly = """default-src 'unsafe-inline'"""
invalidObjectSrcWithInline = """object-src 'self' 'unsafe-inline'"""
invalidObjectSrcWithInlineOnly = """object-src 'unsafe-inline'"""
assert str(DirectiveParser().parse(
scriptSrcWithInline)) == scriptSrcWithInline
assert str(
DirectiveParser().parse(styleSrcWithInline)) == styleSrcWithInline
assert str(DirectiveParser().parse(
styleSrcWithInlineOnly)) == styleSrcWithInlineOnly
assert str(DirectiveParser().parse(
defaultSrcWithInlineOnly)) == defaultSrcWithInlineOnly
assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInline) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInline)) \
== "object-src 'self'"
assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInlineOnly) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInlineOnly)) \
== "object-src 'none'"
def testDirectiveParser_parse_evalScriptBaseRestriction(self):
"""The Firefox value 'eval script base restriction' for the 'violated-directive' field is parsed
correctly."""
firefoxViolatedDirective = "eval script base restriction"
assert DirectiveParser().parse(firefoxViolatedDirective) \
== Directive.EVAL_SCRIPT_BASE_RESTRICTION()
def testDirectiveParser_parse_inlineStyleBaseRestriction(self):
"""The Firefox value 'inline style base restriction' for the 'violated-directive' field is parsed
correctly."""
firefoxViolatedDirective = "inline style base restriction"
assert DirectiveParser().parse(firefoxViolatedDirective) \
== Directive.INLINE_STYLE_BASE_RESTRICTION()
def testDirectiveParser_parse_invalidSourceExpression_notstrict(self):
"""In non-strict mode, invalid source expressions are ignored."""
invalidDirective = """img-src http://url 'blah'"""
cspDirective = DirectiveParser(strict=False).parse(invalidDirective)
assert cspDirective == Directive(
"img-src", [URISourceExpression("http", "url", None, None)])
def testDirectiveParser_parse_invalidSourceExpression_strict(self):
"""In strict mode, only valid source expressions may be used."""
invalidDirective = """img-src http://url 'blah'"""
assert DirectiveParser(strict=True).parse(invalidDirective) \
== Directive.INVALID()
def testDirectiveParser_parse_none_syntaxerror_strict(self):
"""If 'none' appears in a directive parsed strictly, no other values are permitted."""
noneDirectiveInvalid = """default-src http://one 'None' http://two"""
assert DirectiveParser(strict=True).parse(noneDirectiveInvalid) \
== Directive.INVALID()
def testDirectiveParser_parse_none(self):
"""Parse a 'none' value."""
noneDirective = """default-src 'none' """
cspNoneDirective = DirectiveParser().parse(noneDirective)
assert cspNoneDirective == Directive("default-src", [])
def testDirectiveParser_parse_ignore(self):
"""Report URIs are not supported in CSP Directives."""
ignoredDirective = "report-uri http://localhost/saveme.exe"
assert DirectiveParser().parse(ignoredDirective) is Directive.INVALID()
def testDirectiveParser_parse_invalid(self):
invalidDirective = "blah"
assert DirectiveParser().parse(invalidDirective) is Directive.INVALID()