Unified Diff: Source/core/frame/SubresourceIntegrityTest.cpp

Issue 1126343003: Ignore unknown options to subresource integrity (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 5 years, 7 months ago
Index: Source/core/frame/SubresourceIntegrityTest.cpp
diff --git a/Source/core/frame/SubresourceIntegrityTest.cpp b/Source/core/frame/SubresourceIntegrityTest.cpp
index 399183632de3854a3ce229b6603c3a0a9787659e..241f2c6951112601579729ab44974d0c19b88fcf 100644
--- a/Source/core/frame/SubresourceIntegrityTest.cpp
+++ b/Source/core/frame/SubresourceIntegrityTest.cpp
@@ -24,6 +24,7 @@ namespace blink {
static const char kBasicScript[] = "alert('test');";
static const char kSha256Integrity[] = "sha256-GAF48QOoxRvu0gZAmQivUdJPyBacqznBAXwnkfpmQX4=";
static const char kSha256IntegrityLenientSyntax[] = "sha256-GAF48QOoxRvu0gZAmQivUdJPyBacqznBAXwnkfpmQX4=";
+static const char kSha256IntegrityWithUnknownOptions[] = "sha256-GAF48QOoxRvu0gZAmQivUdJPyBacqznBAXwnkfpmQX4=?foo=bar?baz=foz";
Mike West 2015/05/11 03:25:28 Nit: Add a test for a single unknown option as wel
static const char kSha384Integrity[] = "sha384-nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE";
static const char kSha512Integrity[] = "sha512-TXkJw18PqlVlEUXXjeXbGetop1TKB3wYQIp1_ihxCOFGUfG9TYOaA1MlkpTAqSV6yaevLO8Tj5pgH1JmZ--ItA==";
static const char kSha384IntegrityLabeledAs256[] = "sha256-nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE";
@@ -100,30 +101,41 @@ protected:
EXPECT_TRUE(digest.isEmpty());
}
- void expectMimeType(const String& text, const char* expectedType)
+ void expectValidMimeType(const String& text)
+ {
+ EXPECT_TRUE(SubresourceIntegrity::isValidMimeTypeValue(text));
+ }
+
+ void expectInvalidMimeType(const String& text)
+ {
+ EXPECT_FALSE(SubresourceIntegrity::isValidMimeTypeValue(text));
+ }
+
+ void expectOption(const String& text, const char* expectedKey, const char* expectedValue)
{
Vector<UChar> characters;
text.appendTo(characters);
const UChar* position = characters.data();
const UChar* end = characters.end();
- String type;
+ String key, value;
- EXPECT_TRUE(SubresourceIntegrity::parseMimeType(position, end, type));
- EXPECT_EQ(expectedType, type);
+ EXPECT_TRUE(SubresourceIntegrity::parseOption(position, end, key, value));
+ EXPECT_EQ(expectedKey, key);
+ EXPECT_EQ(expectedValue, value);
}
- void expectMimeTypeFailure(const String& text)
+ void expectOptionFailure(const String& text)
{
Vector<UChar> characters;
text.appendTo(characters);
const UChar* position = characters.data();
const UChar* end = characters.end();
- String type;
+ String key, value;
- EXPECT_FALSE(SubresourceIntegrity::parseMimeType(position, end, type));
- EXPECT_TRUE(type.isEmpty());
+ EXPECT_FALSE(SubresourceIntegrity::parseOption(position, end, key, value));
Mike West 2015/05/11 03:25:28 Please also EXPECT that `key` and `value` are the
}
+
void expectParse(const char* integrityAttribute, const char* expectedDigest, HashAlgorithm expectedAlgorithm, const char* expectedType)
{
Vector<SubresourceIntegrity::IntegrityMetadata> metadataList;
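Review bot: expectOption verifies only `key` and `value` after parseOption returns, so the helper cannot tell a parser that stops at the next `?` from one that swallows the rest of the input, even though the `?foo=bar?baz` and `?foo=bar?baz=boo` cases in ParseOption exist precisely to pin where parsing stops. Whether parseOption advances `position` is not visible in this hunk (it is a plain local here), but if it does, the helper should assert the resting point, e.g. take an `expectedRemaining` argument and check `EXPECT_EQ(expectedRemaining, String(position, end - position));`, or at least `EXPECT_EQ(end, position);` for single-option inputs. The same applies to expectOptionFailure, where a failed parse should leave `position` at a defined place for the caller that iterates over options. expectParse's body continues past the end of this hunk.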
@@ -137,10 +149,10 @@ protected:
}
}
- void expectParseMultipleHashes(const char* integrityAttribute, const SubresourceIntegrity::IntegrityMetadata expectedMetadatArray[], size_t expectedMetadataArraySize)
+ void expectParseMultipleHashes(const char* integrityAttribute, const SubresourceIntegrity::IntegrityMetadata expectedMetadataArray[], size_t expectedMetadataArraySize)
{
Vector<SubresourceIntegrity::IntegrityMetadata> expectedMetadataList;
- expectedMetadataList.append(expectedMetadatArray, expectedMetadataArraySize);
+ expectedMetadataList.append(expectedMetadataArray, expectedMetadataArraySize);
Vector<SubresourceIntegrity::IntegrityMetadata> metadataList;
EXPECT_EQ(SubresourceIntegrity::IntegrityParseValidResult, SubresourceIntegrity::parseIntegrityAttribute(integrityAttribute, metadataList, *document));
EXPECT_EQ(expectedMetadataList.size(), metadataList.size());
@@ -239,20 +251,34 @@ TEST_F(SubresourceIntegrityTest, ParseDigest)
expectDigestFailure("\x01\x02\x03\x04");
}
-TEST_F(SubresourceIntegrityTest, ParseMimeType)
+TEST_F(SubresourceIntegrityTest, ValidMimeType)
+{
+ expectValidMimeType("application/javascript");
+ expectValidMimeType("application/xhtml+xml");
+ expectValidMimeType("text/vnd.abc");
+ expectValidMimeType("video/x-ms-wmv");
+
+ expectInvalidMimeType("1application/javascript");
+ expectInvalidMimeType("app-lication/javascript");
+ expectInvalidMimeType("video%2Fx-ms-wmv");
+}
+
+TEST_F(SubresourceIntegrityTest, ParseOption)
{
- expectMimeType("?ct=application/javascript", "application/javascript");
- expectMimeType("?ct=application/xhtml+xml", "application/xhtml+xml");
- expectMimeType("?ct=text/vnd.abc", "text/vnd.abc");
- expectMimeType("?ct=video/x-ms-wmv", "video/x-ms-wmv");
-
- expectMimeTypeFailure("application/javascript");
- expectMimeTypeFailure("?application/javascript");
- expectMimeTypeFailure("?not-ct=application/javascript");
- expectMimeTypeFailure("?ct==application/javascript");
- expectMimeTypeFailure("?yay=boo&ct=application/javascript");
- expectMimeTypeFailure("?ct=application/javascript&yay=boo");
- expectMimeTypeFailure("?ct=video%2Fx-ms-wmv");
+ expectOption("?ct=application/javascript", "ct", "application/javascript");
+ expectOption("?ct=application/xhtml+xml", "ct", "application/xhtml+xml");
+ expectOption("?ct=text/vnd.abc", "ct", "text/vnd.abc");
+ expectOption("?ct=video/x-ms-wmv", "ct", "video/x-ms-wmv");
+ expectOption("?foo=bar", "foo", "bar");
+ expectOption("?foo=bar?baz", "foo", "bar");
+ expectOption("?foo=bar?baz=boo", "foo", "bar");
+
+ expectOptionFailure("application/javascript");
+ expectOptionFailure("?application/javascript");
+ expectOptionFailure("?ct==application/javascript");
+ expectOptionFailure("?yay=boo&ct=application/javascript");
+ expectOptionFailure("?ct=application/javascript&yay=boo");
+ expectOptionFailure("?foo=baz bar");
}
//
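Review bot: ParseOption never pins what parseOption does with an option that has no `=` at all: `?foo=bar?baz` only shows that the first option is returned, and `?foo=bar?` is rejected at the attribute level (the expectParseFailure in the Parsing hunk), but a bare `?baz` is covered in neither place. Since unknown options are now skipped rather than rejected, an unterminated key is the case most likely to diverge between the option parser and the attribute parser; add `expectOptionFailure("?foo");` (or the matching expectOption if it is meant to parse) here, and `expectParseFailure("sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?baz");` next to the other failure cases in the Parsing hunk.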
@@ -275,43 +301,43 @@ TEST_F(SubresourceIntegrityTest, Parsing)
"sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
HashAlgorithmSha256,
- "");
+ 0);
expectParse(
"sha-256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
HashAlgorithmSha256,
- "");
+ 0);
expectParse(
" sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= ",
"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
HashAlgorithmSha256,
- "");
+ 0);
expectParse(
"sha384-XVVXBGoYw6AJOh9J-Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup_tA1v5GPr",
"XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr",
HashAlgorithmSha384,
- "");
+ 0);
expectParse(
"sha-384-XVVXBGoYw6AJOh9J_Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup_tA1v5GPr",
"XVVXBGoYw6AJOh9J/Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr",
HashAlgorithmSha384,
- "");
+ 0);
expectParse(
"sha512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
"tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
HashAlgorithmSha512,
- "");
+ 0);
expectParse(
"sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
"tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
HashAlgorithmSha512,
- "");
+ 0);
expectParse(
"sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?ct=application/javascript",
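Review bot: The `""` → `0` replacements pass a literal `0` where expectParse takes `const char* expectedType`, which reads as an integer until the reader checks the signature; `nullptr` states the intent directly, and the same applies to the two new expectParse calls at the end of the Parsing test and to the ParsingBase64 hunk. It would also help to say what a null expectedType means in the helper, since the hunk changes its contract from "empty string" to "no content type parsed": a one-line comment on expectParse such as `// expectedType == nullptr means no ct option was present in the attribute.` The expectParse call that begins on the hunk's last line continues outside the hunk.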
@@ -319,12 +345,36 @@ TEST_F(SubresourceIntegrityTest, Parsing)
HashAlgorithmSha512,
"application/javascript");
+ expectParse(
+ "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?ct=application/xhtml+xml",
+ "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
+ HashAlgorithmSha512,
+ "application/xhtml+xml");
+
+ expectParse(
+ "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?foo=bar?ct=application/xhtml+xml",
+ "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
+ HashAlgorithmSha512,
+ "application/xhtml+xml");
+
+ expectParse(
+ "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?ct=application/xhtml+xml?foo=bar",
+ "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
+ HashAlgorithmSha512,
+ "application/xhtml+xml");
+
+ expectParse(
+ "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?baz=foz?ct=application/xhtml+xml?foo=bar",
+ "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
+ HashAlgorithmSha512,
+ "application/xhtml+xml");
+
expectParseMultipleHashes("", 0, 0);
expectParseMultipleHashes(" ", 0, 0);
const SubresourceIntegrity::IntegrityMetadata kValidSha384AndSha512[] = {
- {"XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", HashAlgorithmSha384, ""},
- {"tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", HashAlgorithmSha512, ""}
+ {"XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", HashAlgorithmSha384, WTF::String()},
+ {"tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", HashAlgorithmSha512, WTF::String()}
};
expectParseMultipleHashes(
"sha384-XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr sha512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==",
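Review bot: Every new expectParse case places exactly one `ct` among the unknown options (`?foo=bar?ct=…`, `?ct=…?foo=bar`, `?baz=foz?ct=…?foo=bar`), so the precedence between two `ct` options is never pinned. That value is what the integrity check later compares against the response's content type, so whether the first or the last `ct` wins is observable behaviour and should be fixed by a test, e.g. `expectParse("sha-512-…?ct=application/javascript?ct=application/xhtml+xml", "…", HashAlgorithmSha512, <the value the parser is specified to keep>);` with the same digest as the surrounding cases. Which one currently wins is not visible from this hunk. The Parsing test's closing brace lies outside this hunk.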
@@ -332,8 +382,8 @@ TEST_F(SubresourceIntegrityTest, Parsing)
ARRAY_SIZE(kValidSha384AndSha512));
const SubresourceIntegrity::IntegrityMetadata kValidSha256AndSha256[] = {
- {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, ""},
- {"deadbeef", HashAlgorithmSha256, ""}
+ {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, WTF::String()},
+ {"deadbeef", HashAlgorithmSha256, WTF::String()}
};
expectParseMultipleHashes(
"sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha256-deadbeef",
@@ -341,7 +391,7 @@ TEST_F(SubresourceIntegrityTest, Parsing)
ARRAY_SIZE(kValidSha256AndSha256));
const SubresourceIntegrity::IntegrityMetadata kValidSha256AndInvalidSha256[] = {
- {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, ""}
+ {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, WTF::String()}
};
expectParseMultipleHashes(
"sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha256-!!!!",
@@ -349,12 +399,27 @@ TEST_F(SubresourceIntegrityTest, Parsing)
ARRAY_SIZE(kValidSha256AndInvalidSha256));
const SubresourceIntegrity::IntegrityMetadata kInvalidSha256AndValidSha256[] = {
- {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, ""}
+ {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, WTF::String()}
};
expectParseMultipleHashes(
"sha256-!!! sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
kInvalidSha256AndValidSha256,
ARRAY_SIZE(kInvalidSha256AndValidSha256));
+
+ expectParse(
+ "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo=bar",
+ "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
+ HashAlgorithmSha256,
+ 0);
+
+ expectParse(
+ "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo=bar?baz=foz",
+ "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
+ HashAlgorithmSha256,
+ 0);
+
+ expectParseFailure("sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo=bar?");
+ expectParseFailure("sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo:bar");
}
TEST_F(SubresourceIntegrityTest, ParsingBase64)
@@ -363,7 +428,7 @@ TEST_F(SubresourceIntegrityTest, ParsingBase64)
"sha384-XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr",
"XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr",
HashAlgorithmSha384,
- "");
+ 0);
}
//
@@ -397,6 +462,9 @@ TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin)
// All parameters are fine, and because this is not cross origin, CORS is
// not needed.
expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL, String(), NoCors);
+
+ // Unknown options should be ignored
+ expectIntegrity(kSha256IntegrityWithUnknownOptions, kBasicScript, secureURL, secureURL, String(), NoCors);
}
TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
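Review bot: The new expectIntegrity call only proves the positive direction — a correct digest followed by unknown options still passes — but nothing shows that ignoring options does not widen acceptance, i.e. that a mismatching digest with the same `?foo=bar?baz=foz` trailer still fails. A negative case using the fixture's failure helper for mismatching digests (not visible in this hunk, so its name is unknown from here) with kSha256IntegrityWithUnknownOptions against a script other than kBasicScript would close that gap. The added comment should also be a full sentence per the file's style: `// Unknown options are ignored; the digest is still enforced.` CheckSubresourceIntegrityInSecureOrigin opens before this hunk.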