Chromium Code Reviews Chromium Code Reviews
Issue 1126343003:
Ignore unknown options to subresource integrity (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "config.h" | 5 #include "config.h" |
| 6 #include "core/frame/SubresourceIntegrity.h" | 6 #include "core/frame/SubresourceIntegrity.h" |
| 7 | 7 |
| 8 #include "core/HTMLNames.h" | 8 #include "core/HTMLNames.h" |
| 9 #include "core/dom/Document.h" | 9 #include "core/dom/Document.h" |
| 10 #include "core/fetch/Resource.h" | 10 #include "core/fetch/Resource.h" |
| 11 #include "core/fetch/ResourcePtr.h" | 11 #include "core/fetch/ResourcePtr.h" |
| 12 #include "core/html/HTMLScriptElement.h" | 12 #include "core/html/HTMLScriptElement.h" |
| 13 #include "platform/Crypto.h" | 13 #include "platform/Crypto.h" |
| 14 #include "platform/weborigin/KURL.h" | 14 #include "platform/weborigin/KURL.h" |
| 15 #include "platform/weborigin/SecurityOrigin.h" | 15 #include "platform/weborigin/SecurityOrigin.h" |
| 16 #include "wtf/RefPtr.h" | 16 #include "wtf/RefPtr.h" |
| 17 #include "wtf/Vector.h" | 17 #include "wtf/Vector.h" |
| 18 #include "wtf/dtoa/utils.h" | 18 #include "wtf/dtoa/utils.h" |
| 19 #include "wtf/text/WTFString.h" | 19 #include "wtf/text/WTFString.h" |
| 20 #include <gtest/gtest.h> | 20 #include <gtest/gtest.h> |
| 21 | 21 |
| 22 namespace blink { | 22 namespace blink { |
| 23 | 23 |
| 24 static const char kBasicScript[] = "alert('test');"; | 24 static const char kBasicScript[] = "alert('test');"; |
| 25 static const char kSha256Integrity[] = "sha256-GAF48QOoxRvu0gZAmQivUdJPyBacqznBA XwnkfpmQX4="; | 25 static const char kSha256Integrity[] = "sha256-GAF48QOoxRvu0gZAmQivUdJPyBacqznBA XwnkfpmQX4="; |
| 26 static const char kSha256IntegrityLenientSyntax[] = "sha256-GAF48QOoxRvu0gZAmQiv UdJPyBacqznBAXwnkfpmQX4="; | 26 static const char kSha256IntegrityLenientSyntax[] = "sha256-GAF48QOoxRvu0gZAmQiv UdJPyBacqznBAXwnkfpmQX4="; |
| 27 static const char kSha256IntegrityWithUnknownOptions[] = "sha256-GAF48QOoxRvu0gZ AmQivUdJPyBacqznBAXwnkfpmQX4=?foo=bar?baz=foz"; | |
|
Mike West
2015/05/11 03:25:28
Nit: Add a test for a single unknown option as wel
| |
| 27 static const char kSha384Integrity[] = "sha384-nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD 4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE"; | 28 static const char kSha384Integrity[] = "sha384-nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD 4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE"; |
| 28 static const char kSha512Integrity[] = "sha512-TXkJw18PqlVlEUXXjeXbGetop1TKB3wYQ Ip1_ihxCOFGUfG9TYOaA1MlkpTAqSV6yaevLO8Tj5pgH1JmZ--ItA=="; | 29 static const char kSha512Integrity[] = "sha512-TXkJw18PqlVlEUXXjeXbGetop1TKB3wYQ Ip1_ihxCOFGUfG9TYOaA1MlkpTAqSV6yaevLO8Tj5pgH1JmZ--ItA=="; |
| 29 static const char kSha384IntegrityLabeledAs256[] = "sha256-nep3XpvhUxpCMOVXIFPec ThAqdY_uVeiD4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE"; | 30 static const char kSha384IntegrityLabeledAs256[] = "sha256-nep3XpvhUxpCMOVXIFPec ThAqdY_uVeiD4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE"; |
| 30 static const char kSha256AndSha384Integrities[] = "sha256-GAF48QOoxRvu0gZAmQivUd JPyBacqznBAXwnkfpmQX4= sha384-nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD4kXSqXpx0YJUWU4fT TaFgciTuZk7fmE"; | 31 static const char kSha256AndSha384Integrities[] = "sha256-GAF48QOoxRvu0gZAmQivUd JPyBacqznBAXwnkfpmQX4= sha384-nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD4kXSqXpx0YJUWU4fT TaFgciTuZk7fmE"; |
| 31 static const char kBadSha256AndGoodSha384Integrities[] = "sha256-deadbeef sha384 -nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE"; | 32 static const char kBadSha256AndGoodSha384Integrities[] = "sha256-deadbeef sha384 -nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE"; |
| 32 static const char kGoodSha256AndBadSha384Integrities[] = "sha256-GAF48QOoxRvu0gZ AmQivUdJPyBacqznBAXwnkfpmQX4= sha384-deadbeef"; | 33 static const char kGoodSha256AndBadSha384Integrities[] = "sha256-GAF48QOoxRvu0gZ AmQivUdJPyBacqznBAXwnkfpmQX4= sha384-deadbeef"; |
| 33 static const char kBadSha256AndBadSha384Integrities[] = "sha256-deadbeef sha384- deadbeef"; | 34 static const char kBadSha256AndBadSha384Integrities[] = "sha256-deadbeef sha384- deadbeef"; |
| 34 static const char kUnsupportedHashFunctionIntegrity[] = "sha1-JfLW308qMPKfb4DaHp UBEESwuPc="; | 35 static const char kUnsupportedHashFunctionIntegrity[] = "sha1-JfLW308qMPKfb4DaHp UBEESwuPc="; |
| 35 | 36 |
| 36 class SubresourceIntegrityTest : public ::testing::Test { | 37 class SubresourceIntegrityTest : public ::testing::Test { |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 93 Vector<UChar> characters; | 94 Vector<UChar> characters; |
| 94 text.appendTo(characters); | 95 text.appendTo(characters); |
| 95 const UChar* position = characters.data(); | 96 const UChar* position = characters.data(); |
| 96 const UChar* end = characters.end(); | 97 const UChar* end = characters.end(); |
| 97 String digest; | 98 String digest; |
| 98 | 99 |
| 99 EXPECT_FALSE(SubresourceIntegrity::parseDigest(position, end, digest)); | 100 EXPECT_FALSE(SubresourceIntegrity::parseDigest(position, end, digest)); |
| 100 EXPECT_TRUE(digest.isEmpty()); | 101 EXPECT_TRUE(digest.isEmpty()); |
| 101 } | 102 } |
| 102 | 103 |
| 103 void expectMimeType(const String& text, const char* expectedType) | 104 void expectValidMimeType(const String& text) |
| 105 { | |
| 106 EXPECT_TRUE(SubresourceIntegrity::isValidMimeTypeValue(text)); | |
| 107 } | |
| 108 | |
| 109 void expectInvalidMimeType(const String& text) | |
| 110 { | |
| 111 EXPECT_FALSE(SubresourceIntegrity::isValidMimeTypeValue(text)); | |
| 112 } | |
| 113 | |
| 114 void expectOption(const String& text, const char* expectedKey, const char* e xpectedValue) | |
| 104 { | 115 { |
| 105 Vector<UChar> characters; | 116 Vector<UChar> characters; |
| 106 text.appendTo(characters); | 117 text.appendTo(characters); |
| 107 const UChar* position = characters.data(); | 118 const UChar* position = characters.data(); |
| 108 const UChar* end = characters.end(); | 119 const UChar* end = characters.end(); |
| 109 String type; | 120 String key, value; |
| 110 | 121 |
| 111 EXPECT_TRUE(SubresourceIntegrity::parseMimeType(position, end, type)); | 122 EXPECT_TRUE(SubresourceIntegrity::parseOption(position, end, key, value) ); |
| 112 EXPECT_EQ(expectedType, type); | 123 EXPECT_EQ(expectedKey, key); |
| 124 EXPECT_EQ(expectedValue, value); | |
| 113 } | 125 } |
| 114 | 126 |
| 115 void expectMimeTypeFailure(const String& text) | 127 void expectOptionFailure(const String& text) |
| 116 { | 128 { |
| 117 Vector<UChar> characters; | 129 Vector<UChar> characters; |
| 118 text.appendTo(characters); | 130 text.appendTo(characters); |
| 119 const UChar* position = characters.data(); | 131 const UChar* position = characters.data(); |
| 120 const UChar* end = characters.end(); | 132 const UChar* end = characters.end(); |
| 121 String type; | 133 String key, value; |
| 122 | 134 |
| 123 EXPECT_FALSE(SubresourceIntegrity::parseMimeType(position, end, type)); | 135 EXPECT_FALSE(SubresourceIntegrity::parseOption(position, end, key, value )); |
|
Mike West
2015/05/11 03:25:28
Please also EXPECT that `key` and `value` are the
| |
| 124 EXPECT_TRUE(type.isEmpty()); | |
| 125 } | 136 } |
| 126 | 137 |
| 138 | |
| 127 void expectParse(const char* integrityAttribute, const char* expectedDigest, HashAlgorithm expectedAlgorithm, const char* expectedType) | 139 void expectParse(const char* integrityAttribute, const char* expectedDigest, HashAlgorithm expectedAlgorithm, const char* expectedType) |
| 128 { | 140 { |
| 129 Vector<SubresourceIntegrity::IntegrityMetadata> metadataList; | 141 Vector<SubresourceIntegrity::IntegrityMetadata> metadataList; |
| 130 | 142 |
| 131 EXPECT_EQ(SubresourceIntegrity::IntegrityParseValidResult, SubresourceIn tegrity::parseIntegrityAttribute(integrityAttribute, metadataList, *document)); | 143 EXPECT_EQ(SubresourceIntegrity::IntegrityParseValidResult, SubresourceIn tegrity::parseIntegrityAttribute(integrityAttribute, metadataList, *document)); |
| 132 EXPECT_EQ(1u, metadataList.size()); | 144 EXPECT_EQ(1u, metadataList.size()); |
| 133 if (metadataList.size() > 0) { | 145 if (metadataList.size() > 0) { |
| 134 EXPECT_EQ(expectedDigest, metadataList[0].digest); | 146 EXPECT_EQ(expectedDigest, metadataList[0].digest); |
| 135 EXPECT_EQ(expectedAlgorithm, metadataList[0].algorithm); | 147 EXPECT_EQ(expectedAlgorithm, metadataList[0].algorithm); |
| 136 EXPECT_EQ(expectedType, metadataList[0].type); | 148 EXPECT_EQ(expectedType, metadataList[0].type); |
| 137 } | 149 } |
| 138 } | 150 } |
| 139 | 151 |
| 140 void expectParseMultipleHashes(const char* integrityAttribute, const Subreso urceIntegrity::IntegrityMetadata expectedMetadatArray[], size_t expectedMetadata ArraySize) | 152 void expectParseMultipleHashes(const char* integrityAttribute, const Subreso urceIntegrity::IntegrityMetadata expectedMetadataArray[], size_t expectedMetadat aArraySize) |
| 141 { | 153 { |
| 142 Vector<SubresourceIntegrity::IntegrityMetadata> expectedMetadataList; | 154 Vector<SubresourceIntegrity::IntegrityMetadata> expectedMetadataList; |
| 143 expectedMetadataList.append(expectedMetadatArray, expectedMetadataArrayS ize); | 155 expectedMetadataList.append(expectedMetadataArray, expectedMetadataArray Size); |
| 144 Vector<SubresourceIntegrity::IntegrityMetadata> metadataList; | 156 Vector<SubresourceIntegrity::IntegrityMetadata> metadataList; |
| 145 EXPECT_EQ(SubresourceIntegrity::IntegrityParseValidResult, SubresourceIn tegrity::parseIntegrityAttribute(integrityAttribute, metadataList, *document)); | 157 EXPECT_EQ(SubresourceIntegrity::IntegrityParseValidResult, SubresourceIn tegrity::parseIntegrityAttribute(integrityAttribute, metadataList, *document)); |
| 146 EXPECT_EQ(expectedMetadataList.size(), metadataList.size()); | 158 EXPECT_EQ(expectedMetadataList.size(), metadataList.size()); |
| 147 if (expectedMetadataList.size() == metadataList.size()) { | 159 if (expectedMetadataList.size() == metadataList.size()) { |
| 148 for (size_t i = 0; i < metadataList.size(); i++) { | 160 for (size_t i = 0; i < metadataList.size(); i++) { |
| 149 EXPECT_EQ(expectedMetadataList[i].digest, metadataList[i].digest ); | 161 EXPECT_EQ(expectedMetadataList[i].digest, metadataList[i].digest ); |
| 150 EXPECT_EQ(expectedMetadataList[i].algorithm, metadataList[i].alg orithm); | 162 EXPECT_EQ(expectedMetadataList[i].algorithm, metadataList[i].alg orithm); |
| 151 EXPECT_EQ(expectedMetadataList[i].type, metadataList[i].type); | 163 EXPECT_EQ(expectedMetadataList[i].type, metadataList[i].type); |
| 152 } | 164 } |
| 153 } | 165 } |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 232 expectDigest("abcdefg", "abcdefg"); | 244 expectDigest("abcdefg", "abcdefg"); |
| 233 expectDigest("abcdefg?", "abcdefg"); | 245 expectDigest("abcdefg?", "abcdefg"); |
| 234 expectDigest("ab+de/g", "ab+de/g"); | 246 expectDigest("ab+de/g", "ab+de/g"); |
| 235 expectDigest("ab-de_g", "ab+de/g"); | 247 expectDigest("ab-de_g", "ab+de/g"); |
| 236 | 248 |
| 237 expectDigestFailure("?"); | 249 expectDigestFailure("?"); |
| 238 expectDigestFailure("&&&foobar&&&"); | 250 expectDigestFailure("&&&foobar&&&"); |
| 239 expectDigestFailure("\x01\x02\x03\x04"); | 251 expectDigestFailure("\x01\x02\x03\x04"); |
| 240 } | 252 } |
| 241 | 253 |
| 242 TEST_F(SubresourceIntegrityTest, ParseMimeType) | 254 TEST_F(SubresourceIntegrityTest, ValidMimeType) |
| 243 { | 255 { |
| 244 expectMimeType("?ct=application/javascript", "application/javascript"); | 256 expectValidMimeType("application/javascript"); |
| 245 expectMimeType("?ct=application/xhtml+xml", "application/xhtml+xml"); | 257 expectValidMimeType("application/xhtml+xml"); |
| 246 expectMimeType("?ct=text/vnd.abc", "text/vnd.abc"); | 258 expectValidMimeType("text/vnd.abc"); |
| 247 expectMimeType("?ct=video/x-ms-wmv", "video/x-ms-wmv"); | 259 expectValidMimeType("video/x-ms-wmv"); |
| 248 | 260 |
| 249 expectMimeTypeFailure("application/javascript"); | 261 expectInvalidMimeType("1application/javascript"); |
| 250 expectMimeTypeFailure("?application/javascript"); | 262 expectInvalidMimeType("app-lication/javascript"); |
| 251 expectMimeTypeFailure("?not-ct=application/javascript"); | 263 expectInvalidMimeType("video%2Fx-ms-wmv"); |
| 252 expectMimeTypeFailure("?ct==application/javascript"); | 264 } |
| 253 expectMimeTypeFailure("?yay=boo&ct=application/javascript"); | 265 |
| 254 expectMimeTypeFailure("?ct=application/javascript&yay=boo"); | 266 TEST_F(SubresourceIntegrityTest, ParseOption) |
| 255 expectMimeTypeFailure("?ct=video%2Fx-ms-wmv"); | 267 { |
| 268 expectOption("?ct=application/javascript", "ct", "application/javascript"); | |
| 269 expectOption("?ct=application/xhtml+xml", "ct", "application/xhtml+xml"); | |
| 270 expectOption("?ct=text/vnd.abc", "ct", "text/vnd.abc"); | |
| 271 expectOption("?ct=video/x-ms-wmv", "ct", "video/x-ms-wmv"); | |
| 272 expectOption("?foo=bar", "foo", "bar"); | |
| 273 expectOption("?foo=bar?baz", "foo", "bar"); | |
| 274 expectOption("?foo=bar?baz=boo", "foo", "bar"); | |
| 275 | |
| 276 expectOptionFailure("application/javascript"); | |
| 277 expectOptionFailure("?application/javascript"); | |
| 278 expectOptionFailure("?ct==application/javascript"); | |
| 279 expectOptionFailure("?yay=boo&ct=application/javascript"); | |
| 280 expectOptionFailure("?ct=application/javascript&yay=boo"); | |
| 281 expectOptionFailure("?foo=baz bar"); | |
| 256 } | 282 } |
| 257 | 283 |
| 258 // | 284 // |
| 259 // End-to-end parsing tests. | 285 // End-to-end parsing tests. |
| 260 // | 286 // |
| 261 | 287 |
| 262 TEST_F(SubresourceIntegrityTest, Parsing) | 288 TEST_F(SubresourceIntegrityTest, Parsing) |
| 263 { | 289 { |
| 264 expectParseFailure("not_really_a_valid_anything"); | 290 expectParseFailure("not_really_a_valid_anything"); |
| 265 expectParseFailure("sha256-&&&foobar&&&"); | 291 expectParseFailure("sha256-&&&foobar&&&"); |
| 266 expectParseFailure("sha256-\x01\x02\x03\x04"); | 292 expectParseFailure("sha256-\x01\x02\x03\x04"); |
| 267 expectParseFailure("sha256-!!! sha256-!!!"); | 293 expectParseFailure("sha256-!!! sha256-!!!"); |
| 268 | 294 |
| 269 expectEmptyParseResult("foobar:///sha256-abcdefg"); | 295 expectEmptyParseResult("foobar:///sha256-abcdefg"); |
| 270 expectEmptyParseResult("ni://sha256-abcdefg"); | 296 expectEmptyParseResult("ni://sha256-abcdefg"); |
| 271 expectEmptyParseResult("ni:///sha256-abcdefg"); | 297 expectEmptyParseResult("ni:///sha256-abcdefg"); |
| 272 expectEmptyParseResult("notsha256atall-abcdefg"); | 298 expectEmptyParseResult("notsha256atall-abcdefg"); |
| 273 | 299 |
| 274 expectParse( | 300 expectParse( |
| 275 "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", | 301 "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| 276 "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", | 302 "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| 277 HashAlgorithmSha256, | 303 HashAlgorithmSha256, |
| 278 ""); | 304 0); |
| 279 | 305 |
| 280 expectParse( | 306 expectParse( |
| 281 "sha-256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", | 307 "sha-256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| 282 "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", | 308 "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| 283 HashAlgorithmSha256, | 309 HashAlgorithmSha256, |
| 284 ""); | 310 0); |
| 285 | 311 |
| 286 expectParse( | 312 expectParse( |
| 287 " sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= ", | 313 " sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= ", |
| 288 "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", | 314 "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| 289 HashAlgorithmSha256, | 315 HashAlgorithmSha256, |
| 290 ""); | 316 0); |
| 291 | 317 |
| 292 expectParse( | 318 expectParse( |
| 293 "sha384-XVVXBGoYw6AJOh9J-Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup_tA1v5GPr ", | 319 "sha384-XVVXBGoYw6AJOh9J-Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup_tA1v5GPr ", |
| 294 "XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", | 320 "XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", |
| 295 HashAlgorithmSha384, | 321 HashAlgorithmSha384, |
| 296 ""); | 322 0); |
| 297 | 323 |
| 298 expectParse( | 324 expectParse( |
| 299 "sha-384-XVVXBGoYw6AJOh9J_Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup_tA1v5GP r", | 325 "sha-384-XVVXBGoYw6AJOh9J_Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup_tA1v5GP r", |
| 300 "XVVXBGoYw6AJOh9J/Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", | 326 "XVVXBGoYw6AJOh9J/Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", |
| 301 HashAlgorithmSha384, | 327 HashAlgorithmSha384, |
| 302 ""); | 328 0); |
| 303 | 329 |
| 304 expectParse( | 330 expectParse( |
| 305 "sha512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0M PaIrPAjcHqba5csorDWtKg==", | 331 "sha512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0M PaIrPAjcHqba5csorDWtKg==", |
| 306 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", | 332 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", |
| 307 HashAlgorithmSha512, | 333 HashAlgorithmSha512, |
| 308 ""); | 334 0); |
| 309 | 335 |
| 310 expectParse( | 336 expectParse( |
| 311 "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0 MPaIrPAjcHqba5csorDWtKg==", | 337 "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0 MPaIrPAjcHqba5csorDWtKg==", |
| 312 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", | 338 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", |
| 313 HashAlgorithmSha512, | 339 HashAlgorithmSha512, |
| 314 ""); | 340 0); |
| 315 | 341 |
| 316 expectParse( | 342 expectParse( |
| 317 "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0 MPaIrPAjcHqba5csorDWtKg==?ct=application/javascript", | 343 "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0 MPaIrPAjcHqba5csorDWtKg==?ct=application/javascript", |
| 318 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", | 344 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", |
| 319 HashAlgorithmSha512, | 345 HashAlgorithmSha512, |
| 320 "application/javascript"); | 346 "application/javascript"); |
| 321 | 347 |
| 348 expectParse( | |
| 349 "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0 MPaIrPAjcHqba5csorDWtKg==?ct=application/xhtml+xml", | |
| 350 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", | |
| 351 HashAlgorithmSha512, | |
| 352 "application/xhtml+xml"); | |
| 353 | |
| 354 expectParse( | |
| 355 "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0 MPaIrPAjcHqba5csorDWtKg==?foo=bar?ct=application/xhtml+xml", | |
| 356 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", | |
| 357 HashAlgorithmSha512, | |
| 358 "application/xhtml+xml"); | |
| 359 | |
| 360 expectParse( | |
| 361 "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0 MPaIrPAjcHqba5csorDWtKg==?ct=application/xhtml+xml?foo=bar", | |
| 362 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", | |
| 363 HashAlgorithmSha512, | |
| 364 "application/xhtml+xml"); | |
| 365 | |
| 366 expectParse( | |
| 367 "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0 MPaIrPAjcHqba5csorDWtKg==?baz=foz?ct=application/xhtml+xml?foo=bar", | |
| 368 "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAj cHqba5csorDWtKg==", | |
| 369 HashAlgorithmSha512, | |
| 370 "application/xhtml+xml"); | |
| 371 | |
| 322 expectParseMultipleHashes("", 0, 0); | 372 expectParseMultipleHashes("", 0, 0); |
| 323 expectParseMultipleHashes(" ", 0, 0); | 373 expectParseMultipleHashes(" ", 0, 0); |
| 324 | 374 |
| 325 const SubresourceIntegrity::IntegrityMetadata kValidSha384AndSha512[] = { | 375 const SubresourceIntegrity::IntegrityMetadata kValidSha384AndSha512[] = { |
| 326 {"XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", Has hAlgorithmSha384, ""}, | 376 {"XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", Has hAlgorithmSha384, WTF::String()}, |
| 327 {"tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPA jcHqba5csorDWtKg==", HashAlgorithmSha512, ""} | 377 {"tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPA jcHqba5csorDWtKg==", HashAlgorithmSha512, WTF::String()} |
| 328 }; | 378 }; |
| 329 expectParseMultipleHashes( | 379 expectParseMultipleHashes( |
| 330 "sha384-XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr sha512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjc Hqba5csorDWtKg==", | 380 "sha384-XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr sha512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjc Hqba5csorDWtKg==", |
| 331 kValidSha384AndSha512, | 381 kValidSha384AndSha512, |
| 332 ARRAY_SIZE(kValidSha384AndSha512)); | 382 ARRAY_SIZE(kValidSha384AndSha512)); |
| 333 | 383 |
| 334 const SubresourceIntegrity::IntegrityMetadata kValidSha256AndSha256[] = { | 384 const SubresourceIntegrity::IntegrityMetadata kValidSha256AndSha256[] = { |
| 335 {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, "" }, | 385 {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, WT F::String()}, |
| 336 {"deadbeef", HashAlgorithmSha256, ""} | 386 {"deadbeef", HashAlgorithmSha256, WTF::String()} |
| 337 }; | 387 }; |
| 338 expectParseMultipleHashes( | 388 expectParseMultipleHashes( |
| 339 "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha256-deadbeef", | 389 "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha256-deadbeef", |
| 340 kValidSha256AndSha256, | 390 kValidSha256AndSha256, |
| 341 ARRAY_SIZE(kValidSha256AndSha256)); | 391 ARRAY_SIZE(kValidSha256AndSha256)); |
| 342 | 392 |
| 343 const SubresourceIntegrity::IntegrityMetadata kValidSha256AndInvalidSha256[] = { | 393 const SubresourceIntegrity::IntegrityMetadata kValidSha256AndInvalidSha256[] = { |
| 344 {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, "" } | 394 {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, WT F::String()} |
| 345 }; | 395 }; |
| 346 expectParseMultipleHashes( | 396 expectParseMultipleHashes( |
| 347 "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha256-!!!!", | 397 "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha256-!!!!", |
| 348 kValidSha256AndInvalidSha256, | 398 kValidSha256AndInvalidSha256, |
| 349 ARRAY_SIZE(kValidSha256AndInvalidSha256)); | 399 ARRAY_SIZE(kValidSha256AndInvalidSha256)); |
| 350 | 400 |
| 351 const SubresourceIntegrity::IntegrityMetadata kInvalidSha256AndValidSha256[] = { | 401 const SubresourceIntegrity::IntegrityMetadata kInvalidSha256AndValidSha256[] = { |
| 352 {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, "" } | 402 {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, WT F::String()} |
| 353 }; | 403 }; |
| 354 expectParseMultipleHashes( | 404 expectParseMultipleHashes( |
| 355 "sha256-!!! sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", | 405 "sha256-!!! sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| 356 kInvalidSha256AndValidSha256, | 406 kInvalidSha256AndValidSha256, |
| 357 ARRAY_SIZE(kInvalidSha256AndValidSha256)); | 407 ARRAY_SIZE(kInvalidSha256AndValidSha256)); |
| 408 | |
| 409 expectParse( | |
| 410 "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo=bar", | |
| 411 "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", | |
| 412 HashAlgorithmSha256, | |
| 413 0); | |
| 414 | |
| 415 expectParse( | |
| 416 "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo=bar?baz=foz", | |
| 417 "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", | |
| 418 HashAlgorithmSha256, | |
| 419 0); | |
| 420 | |
| 421 expectParseFailure("sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo= bar?"); | |
| 422 expectParseFailure("sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo: bar"); | |
| 358 } | 423 } |
| 359 | 424 |
| 360 TEST_F(SubresourceIntegrityTest, ParsingBase64) | 425 TEST_F(SubresourceIntegrityTest, ParsingBase64) |
| 361 { | 426 { |
| 362 expectParse( | 427 expectParse( |
| 363 "sha384-XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr ", | 428 "sha384-XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr ", |
| 364 "XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", | 429 "XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", |
| 365 HashAlgorithmSha384, | 430 HashAlgorithmSha384, |
| 366 ""); | 431 0); |
| 367 } | 432 } |
| 368 | 433 |
| 369 // | 434 // |
| 370 // End-to-end tests of ::CheckSubresourceIntegrity. | 435 // End-to-end tests of ::CheckSubresourceIntegrity. |
| 371 // | 436 // |
| 372 | 437 |
| 373 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin) | 438 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin) |
| 374 { | 439 { |
| 375 document->updateSecurityOrigin(secureOrigin->isolatedCopy()); | 440 document->updateSecurityOrigin(secureOrigin->isolatedCopy()); |
| 376 | 441 |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 390 | 455 |
| 391 // With multiple values, at least one must match. | 456 // With multiple values, at least one must match. |
| 392 expectIntegrityFailure(kBadSha256AndBadSha384Integrities, kBasicScript, secu reURL, secureURL); | 457 expectIntegrityFailure(kBadSha256AndBadSha384Integrities, kBasicScript, secu reURL, secureURL); |
| 393 | 458 |
| 394 // Unsupported hash functions should succeed. | 459 // Unsupported hash functions should succeed. |
| 395 expectIntegrity(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, secureURL); | 460 expectIntegrity(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, secureURL); |
| 396 | 461 |
| 397 // All parameters are fine, and because this is not cross origin, CORS is | 462 // All parameters are fine, and because this is not cross origin, CORS is |
| 398 // not needed. | 463 // not needed. |
| 399 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL, String (), NoCors); | 464 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL, String (), NoCors); |
| 465 | |
| 466 // Unknown options should be ignored | |
| 467 expectIntegrity(kSha256IntegrityWithUnknownOptions, kBasicScript, secureURL, secureURL, String(), NoCors); | |
| 400 } | 468 } |
| 401 | 469 |
| 402 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin) | 470 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin) |
| 403 { | 471 { |
| 404 // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass | 472 // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass |
| 405 // here, with the expection of the NoCors check at the end. | 473 // here, with the expection of the NoCors check at the end. |
| 406 document->updateSecurityOrigin(insecureOrigin->isolatedCopy()); | 474 document->updateSecurityOrigin(insecureOrigin->isolatedCopy()); |
| 407 | 475 |
| 408 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, insecureURL); | 476 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, insecureURL); |
| 409 expectIntegrity(kSha256IntegrityLenientSyntax, kBasicScript, secureURL, inse cureURL); | 477 expectIntegrity(kSha256IntegrityLenientSyntax, kBasicScript, secureURL, inse cureURL); |
| 410 expectIntegrity(kSha384Integrity, kBasicScript, secureURL, insecureURL); | 478 expectIntegrity(kSha384Integrity, kBasicScript, secureURL, insecureURL); |
| 411 expectIntegrity(kSha512Integrity, kBasicScript, secureURL, insecureURL); | 479 expectIntegrity(kSha512Integrity, kBasicScript, secureURL, insecureURL); |
| 412 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL , insecureURL); | 480 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL , insecureURL); |
| 413 expectIntegrity(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, insecureURL); | 481 expectIntegrity(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, insecureURL); |
| 414 | 482 |
| 415 expectIntegrity(kSha256AndSha384Integrities, kBasicScript, secureURL, insecu reURL); | 483 expectIntegrity(kSha256AndSha384Integrities, kBasicScript, secureURL, insecu reURL); |
| 416 expectIntegrity(kBadSha256AndGoodSha384Integrities, kBasicScript, secureURL, insecureURL); | 484 expectIntegrity(kBadSha256AndGoodSha384Integrities, kBasicScript, secureURL, insecureURL); |
| 417 expectIntegrity(kGoodSha256AndBadSha384Integrities, kBasicScript, secureURL, insecureURL); | 485 expectIntegrity(kGoodSha256AndBadSha384Integrities, kBasicScript, secureURL, insecureURL); |
| 418 | 486 |
| 419 // This check should fail because, unlike in the | 487 // This check should fail because, unlike in the |
| 420 // CheckSubresourceIntegrityInSecureOrigin case, this is cross origin | 488 // CheckSubresourceIntegrityInSecureOrigin case, this is cross origin |
| 421 // (secure origin requesting a resource on an insecure origin) | 489 // (secure origin requesting a resource on an insecure origin) |
| 422 expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, insecureUR L, String(), NoCors); | 490 expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, insecureUR L, String(), NoCors); |
| 423 } | 491 } |
| 424 | 492 |
| 425 } // namespace blink | 493 } // namespace blink |
| OLD | NEW |
