Chromium Code Reviews Chromium Code Reviews
Issue 1126343003:
Ignore unknown options to subresource integrity (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| Index: Source/core/frame/SubresourceIntegrityTest.cpp |
| diff --git a/Source/core/frame/SubresourceIntegrityTest.cpp b/Source/core/frame/SubresourceIntegrityTest.cpp |
| index 399183632de3854a3ce229b6603c3a0a9787659e..6dee8719a24ffbac63354532deadc3ed3b34fe8b 100644 |
| --- a/Source/core/frame/SubresourceIntegrityTest.cpp |
| +++ b/Source/core/frame/SubresourceIntegrityTest.cpp |
| @@ -24,6 +24,7 @@ namespace blink { |
| static const char kBasicScript[] = "alert('test');"; |
| static const char kSha256Integrity[] = "sha256-GAF48QOoxRvu0gZAmQivUdJPyBacqznBAXwnkfpmQX4="; |
| static const char kSha256IntegrityLenientSyntax[] = "sha256-GAF48QOoxRvu0gZAmQivUdJPyBacqznBAXwnkfpmQX4="; |
| +static const char kSha256IntegrityWithUnknownOptions[] = "sha256-GAF48QOoxRvu0gZAmQivUdJPyBacqznBAXwnkfpmQX4=?foo=bar?baz=foz"; |
|
Mike West
2015/05/11 03:25:29
Could you add another test with a single option?
jww
2015/05/11 05:39:08
Done.
|
| static const char kSha384Integrity[] = "sha384-nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE"; |
| static const char kSha512Integrity[] = "sha512-TXkJw18PqlVlEUXXjeXbGetop1TKB3wYQIp1_ihxCOFGUfG9TYOaA1MlkpTAqSV6yaevLO8Tj5pgH1JmZ--ItA=="; |
| static const char kSha384IntegrityLabeledAs256[] = "sha256-nep3XpvhUxpCMOVXIFPecThAqdY_uVeiD4kXSqXpx0YJUWU4fTTaFgciTuZk7fmE"; |
| @@ -100,31 +101,32 @@ protected: |
| EXPECT_TRUE(digest.isEmpty()); |
| } |
| - void expectMimeType(const String& text, const char* expectedType) |
| + void expectOption(const String& text, const char* expectedKey, const char* expectedValue) |
| { |
| Vector<UChar> characters; |
| text.appendTo(characters); |
| const UChar* position = characters.data(); |
| const UChar* end = characters.end(); |
| - String type; |
| + String key, value; |
| - EXPECT_TRUE(SubresourceIntegrity::parseMimeType(position, end, type)); |
| - EXPECT_EQ(expectedType, type); |
| + EXPECT_TRUE(SubresourceIntegrity::parseOption(position, end, key, value)); |
| + EXPECT_EQ(expectedKey, key); |
| + EXPECT_EQ(expectedValue, value); |
| } |
| - void expectMimeTypeFailure(const String& text) |
| + void expectOptionFailure(const String& text) |
| { |
| Vector<UChar> characters; |
| text.appendTo(characters); |
| const UChar* position = characters.data(); |
| const UChar* end = characters.end(); |
| - String type; |
| + String key, value; |
| - EXPECT_FALSE(SubresourceIntegrity::parseMimeType(position, end, type)); |
| - EXPECT_TRUE(type.isEmpty()); |
| + EXPECT_FALSE(SubresourceIntegrity::parseOption(position, end, key, value)); |
| } |
| - void expectParse(const char* integrityAttribute, const char* expectedDigest, HashAlgorithm expectedAlgorithm, const char* expectedType) |
| + |
| + void expectParse(const char* integrityAttribute, const char* expectedDigest, HashAlgorithm expectedAlgorithm) |
| { |
| Vector<SubresourceIntegrity::IntegrityMetadata> metadataList; |
| @@ -133,14 +135,13 @@ protected: |
| if (metadataList.size() > 0) { |
| EXPECT_EQ(expectedDigest, metadataList[0].digest); |
| EXPECT_EQ(expectedAlgorithm, metadataList[0].algorithm); |
| - EXPECT_EQ(expectedType, metadataList[0].type); |
| } |
| } |
| - void expectParseMultipleHashes(const char* integrityAttribute, const SubresourceIntegrity::IntegrityMetadata expectedMetadatArray[], size_t expectedMetadataArraySize) |
| + void expectParseMultipleHashes(const char* integrityAttribute, const SubresourceIntegrity::IntegrityMetadata expectedMetadataArray[], size_t expectedMetadataArraySize) |
| { |
| Vector<SubresourceIntegrity::IntegrityMetadata> expectedMetadataList; |
| - expectedMetadataList.append(expectedMetadatArray, expectedMetadataArraySize); |
| + expectedMetadataList.append(expectedMetadataArray, expectedMetadataArraySize); |
| Vector<SubresourceIntegrity::IntegrityMetadata> metadataList; |
| EXPECT_EQ(SubresourceIntegrity::IntegrityParseValidResult, SubresourceIntegrity::parseIntegrityAttribute(integrityAttribute, metadataList, *document)); |
| EXPECT_EQ(expectedMetadataList.size(), metadataList.size()); |
| @@ -148,7 +149,6 @@ protected: |
| for (size_t i = 0; i < metadataList.size(); i++) { |
| EXPECT_EQ(expectedMetadataList[i].digest, metadataList[i].digest); |
| EXPECT_EQ(expectedMetadataList[i].algorithm, metadataList[i].algorithm); |
| - EXPECT_EQ(expectedMetadataList[i].type, metadataList[i].type); |
| } |
| } |
| } |
| @@ -173,16 +173,16 @@ protected: |
| NoCors |
| }; |
| - void expectIntegrity(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String(), CorsStatus corsStatus = WithCors) |
| + void expectIntegrity(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, CorsStatus corsStatus = WithCors) |
| { |
| scriptElement->setAttribute(HTMLNames::integrityAttr, integrity); |
| - EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType, *createTestResource(url, requestorUrl, corsStatus).get())); |
| + EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, *createTestResource(url, requestorUrl, corsStatus).get())); |
| } |
| - void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String(), CorsStatus corsStatus = WithCors) |
| + void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, CorsStatus corsStatus = WithCors) |
| { |
| scriptElement->setAttribute(HTMLNames::integrityAttr, integrity); |
| - EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType, *createTestResource(url, requestorUrl, corsStatus).get())); |
| + EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, *createTestResource(url, requestorUrl, corsStatus).get())); |
| } |
| ResourcePtr<Resource> createTestResource(const KURL& url, const KURL& allowOriginUrl, CorsStatus corsStatus) |
| @@ -239,20 +239,26 @@ TEST_F(SubresourceIntegrityTest, ParseDigest) |
| expectDigestFailure("\x01\x02\x03\x04"); |
| } |
| -TEST_F(SubresourceIntegrityTest, ParseMimeType) |
| +TEST_F(SubresourceIntegrityTest, ParseOption) |
| { |
| - expectMimeType("?ct=application/javascript", "application/javascript"); |
| - expectMimeType("?ct=application/xhtml+xml", "application/xhtml+xml"); |
| - expectMimeType("?ct=text/vnd.abc", "text/vnd.abc"); |
| - expectMimeType("?ct=video/x-ms-wmv", "video/x-ms-wmv"); |
| - |
| - expectMimeTypeFailure("application/javascript"); |
| - expectMimeTypeFailure("?application/javascript"); |
| - expectMimeTypeFailure("?not-ct=application/javascript"); |
| - expectMimeTypeFailure("?ct==application/javascript"); |
| - expectMimeTypeFailure("?yay=boo&ct=application/javascript"); |
| - expectMimeTypeFailure("?ct=application/javascript&yay=boo"); |
| - expectMimeTypeFailure("?ct=video%2Fx-ms-wmv"); |
| + expectOption("?ct=application/javascript", "ct", "application/javascript"); |
| + expectOption("?ct=application/xhtml+xml", "ct", "application/xhtml+xml"); |
| + expectOption("?ct=text/vnd.abc", "ct", "text/vnd.abc"); |
| + expectOption("?ct=video/x-ms-wmv", "ct", "video/x-ms-wmv"); |
| + expectOption("?foo=bar", "foo", "bar"); |
| + expectOption("?foo=bar?baz", "foo", "bar"); |
| + expectOption("?foo=bar?baz=boo", "foo", "bar"); |
| + expectOption("?foo=", "foo", ""); |
| + expectOption("?foo=?baz=bar", "foo", ""); |
| + |
| + expectOptionFailure("application/javascript"); |
| + expectOptionFailure("?application/javascript"); |
| + expectOptionFailure("?ct==application/javascript"); |
| + expectOptionFailure("?yay=boo&ct=application/javascript"); |
| + expectOptionFailure("?ct=application/javascript&yay=boo"); |
| + expectOptionFailure("?foo=baz bar"); |
| + expectOptionFailure("?=bar"); |
| + expectOptionFailure("?="); |
| } |
| // |
| @@ -274,57 +280,69 @@ TEST_F(SubresourceIntegrityTest, Parsing) |
| expectParse( |
| "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| - HashAlgorithmSha256, |
| - ""); |
| + HashAlgorithmSha256); |
| expectParse( |
| "sha-256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| - HashAlgorithmSha256, |
| - ""); |
| + HashAlgorithmSha256); |
| expectParse( |
| " sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= ", |
| "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| - HashAlgorithmSha256, |
| - ""); |
| + HashAlgorithmSha256); |
| expectParse( |
| "sha384-XVVXBGoYw6AJOh9J-Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup_tA1v5GPr", |
| "XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", |
| - HashAlgorithmSha384, |
| - ""); |
| + HashAlgorithmSha384); |
| expectParse( |
| "sha-384-XVVXBGoYw6AJOh9J_Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup_tA1v5GPr", |
| "XVVXBGoYw6AJOh9J/Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", |
| - HashAlgorithmSha384, |
| - ""); |
| + HashAlgorithmSha384); |
| expectParse( |
| "sha512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| - HashAlgorithmSha512, |
| - ""); |
| + HashAlgorithmSha512); |
| expectParse( |
| "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| - HashAlgorithmSha512, |
| - ""); |
| + HashAlgorithmSha512); |
| expectParse( |
| "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?ct=application/javascript", |
| "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| - HashAlgorithmSha512, |
| - "application/javascript"); |
| + HashAlgorithmSha512); |
| + |
| + expectParse( |
| + "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?ct=application/xhtml+xml", |
| + "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| + HashAlgorithmSha512); |
| + |
| + expectParse( |
| + "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?foo=bar?ct=application/xhtml+xml", |
| + "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| + HashAlgorithmSha512); |
| + |
| + expectParse( |
| + "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?ct=application/xhtml+xml?foo=bar", |
| + "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| + HashAlgorithmSha512); |
| + |
| + expectParse( |
| + "sha-512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ-07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==?baz=foz?ct=application/xhtml+xml?foo=bar", |
| + "tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| + HashAlgorithmSha512); |
| expectParseMultipleHashes("", 0, 0); |
| expectParseMultipleHashes(" ", 0, 0); |
| const SubresourceIntegrity::IntegrityMetadata kValidSha384AndSha512[] = { |
| - {"XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", HashAlgorithmSha384, ""}, |
| - {"tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", HashAlgorithmSha512, ""} |
| + {"XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", HashAlgorithmSha384}, |
| + {"tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", HashAlgorithmSha512} |
| }; |
| expectParseMultipleHashes( |
| "sha384-XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr sha512-tbUPioKbVBplr0b1ucnWB57SJWt4x9dOE0Vy2mzCXvH3FepqDZ+07yMK81ytlg0MPaIrPAjcHqba5csorDWtKg==", |
| @@ -332,8 +350,8 @@ TEST_F(SubresourceIntegrityTest, Parsing) |
| ARRAY_SIZE(kValidSha384AndSha512)); |
| const SubresourceIntegrity::IntegrityMetadata kValidSha256AndSha256[] = { |
| - {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, ""}, |
| - {"deadbeef", HashAlgorithmSha256, ""} |
| + {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256}, |
| + {"deadbeef", HashAlgorithmSha256} |
| }; |
| expectParseMultipleHashes( |
| "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha256-deadbeef", |
| @@ -341,7 +359,7 @@ TEST_F(SubresourceIntegrityTest, Parsing) |
| ARRAY_SIZE(kValidSha256AndSha256)); |
| const SubresourceIntegrity::IntegrityMetadata kValidSha256AndInvalidSha256[] = { |
| - {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, ""} |
| + {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256} |
| }; |
| expectParseMultipleHashes( |
| "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha256-!!!!", |
| @@ -349,12 +367,25 @@ TEST_F(SubresourceIntegrityTest, Parsing) |
| ARRAY_SIZE(kValidSha256AndInvalidSha256)); |
| const SubresourceIntegrity::IntegrityMetadata kInvalidSha256AndValidSha256[] = { |
| - {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256, ""} |
| + {"BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", HashAlgorithmSha256} |
| }; |
| expectParseMultipleHashes( |
| "sha256-!!! sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| kInvalidSha256AndValidSha256, |
| ARRAY_SIZE(kInvalidSha256AndValidSha256)); |
| + |
| + expectParse( |
| + "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo=bar", |
| + "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| + HashAlgorithmSha256); |
| + |
| + expectParse( |
| + "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo=bar?baz=foz", |
| + "BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=", |
| + HashAlgorithmSha256); |
| + |
| + expectParseFailure("sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo=bar?"); |
| + expectParseFailure("sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=?foo:bar"); |
| } |
| TEST_F(SubresourceIntegrityTest, ParsingBase64) |
| @@ -362,8 +393,7 @@ TEST_F(SubresourceIntegrityTest, ParsingBase64) |
| expectParse( |
| "sha384-XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", |
| "XVVXBGoYw6AJOh9J+Z8pBDMVVPfkBpngexkA7JqZu8d5GENND6TEIup/tA1v5GPr", |
| - HashAlgorithmSha384, |
| - ""); |
| + HashAlgorithmSha384); |
| } |
| // |
| @@ -396,7 +426,10 @@ TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin) |
| // All parameters are fine, and because this is not cross origin, CORS is |
| // not needed. |
| - expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL, String(), NoCors); |
| + expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL, NoCors); |
| + |
| + // Unknown options should be ignored |
| + expectIntegrity(kSha256IntegrityWithUnknownOptions, kBasicScript, secureURL, secureURL, NoCors); |
| } |
| TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin) |
| @@ -419,7 +452,7 @@ TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin) |
| // This check should fail because, unlike in the |
| // CheckSubresourceIntegrityInSecureOrigin case, this is cross origin |
| // (secure origin requesting a resource on an insecure origin) |
| - expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, insecureURL, String(), NoCors); |
| + expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, insecureURL, NoCors); |
| } |
| } // namespace blink |
