Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Issue 2046523005: Introduce WebInsecureRequestPolicy. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 6 months ago
Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
index 21a4aa270bc72260d78ae8fe64298f24e2dfa822..5f03cd79b894e39506cfa2c76efe9fddb5533feb 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
@@ -14,6 +14,7 @@
#include "platform/weborigin/KURL.h"
#include "platform/weborigin/SecurityOrigin.h"
#include "public/platform/WebAddressSpace.h"
+#include "public/platform/WebInsecureRequestPolicy.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace blink {
@@ -40,24 +41,51 @@ protected:
Persistent<Document> document;
};
-TEST_F(ContentSecurityPolicyTest, ParseUpgradeInsecureRequestsEnabled)
+TEST_F(ContentSecurityPolicyTest, ParseInsecureRequestPolicy)
{
- csp->didReceiveHeader("upgrade-insecure-requests", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
- EXPECT_EQ(SecurityContext::InsecureRequestsUpgrade, csp->getInsecureRequestsPolicy());
+ struct TestCase {
+ const char* header;
+ WebInsecureRequestPolicy expectedPolicy;
+ SecurityContext::InsecureRequestsPolicy expectedDocumentPolicy;
+ bool expectedStrictMode;
+ } cases[] = {
+ { "default-src 'none'", 0, SecurityContext::InsecureRequestsDoNotUpgrade, false },
+ { "upgrade-insecure-requests", kUpgradeInsecureRequests, SecurityContext::InsecureRequestsUpgrade, false },
+ { "block-all-mixed-content", kBlockAllMixedContent, SecurityContext::InsecureRequestsDoNotUpgrade, true },
+ { "upgrade-insecure-requests; block-all-mixed-content", kUpgradeInsecureRequests | kBlockAllMixedContent, SecurityContext::InsecureRequestsUpgrade, true },
+ { "upgrade-insecure-requests, block-all-mixed-content", kUpgradeInsecureRequests | kBlockAllMixedContent, SecurityContext::InsecureRequestsUpgrade, true }
+ };
- csp->bindToExecutionContext(document.get());
- EXPECT_EQ(SecurityContext::InsecureRequestsUpgrade, document->getInsecureRequestsPolicy());
- EXPECT_TRUE(document->insecureNavigationsToUpgrade()->contains(secureOrigin->host().impl()->hash()));
-}
+ // Enforced
+ for (const auto& test : cases) {
+ SCOPED_TRACE(testing::Message() << "[Enforce] Header: `" << test.header << "`");
+ csp = ContentSecurityPolicy::create();
+ csp->didReceiveHeader(test.header, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
+ EXPECT_EQ(test.expectedPolicy, csp->getInsecureRequestPolicy());
-TEST_F(ContentSecurityPolicyTest, ParseMonitorInsecureRequestsEnabled)
-{
- csp->didReceiveHeader("upgrade-insecure-requests", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
- EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, csp->getInsecureRequestsPolicy());
+ document = Document::create();
+ document->setSecurityOrigin(secureOrigin);
+ csp->bindToExecutionContext(document.get());
+ EXPECT_EQ(test.expectedDocumentPolicy, document->getInsecureRequestsPolicy());
+ EXPECT_EQ(test.expectedStrictMode, document->shouldEnforceStrictMixedContentChecking());
+ EXPECT_EQ(test.expectedDocumentPolicy == SecurityContext::InsecureRequestsUpgrade,
+ document->insecureNavigationsToUpgrade()->contains(secureOrigin->host().impl()->hash()));
+ }
- csp->bindToExecutionContext(document.get());
- EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, document->getInsecureRequestsPolicy());
- EXPECT_FALSE(document->insecureNavigationsToUpgrade()->contains(secureOrigin->host().impl()->hash()));
+ // Report-Only
+ for (const auto& test : cases) {
+ SCOPED_TRACE(testing::Message() << "[Report-Only] Header: `" << test.header << "`");
+ csp = ContentSecurityPolicy::create();
+ csp->didReceiveHeader(test.header, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
+ EXPECT_EQ(kLeaveInsecureRequestsAlone, csp->getInsecureRequestPolicy());
+
+ document = Document::create();
+ document->setSecurityOrigin(secureOrigin);
+ csp->bindToExecutionContext(document.get());
+ EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, document->getInsecureRequestsPolicy());
+ EXPECT_FALSE(document->shouldEnforceStrictMixedContentChecking());
+ EXPECT_FALSE(document->insecureNavigationsToUpgrade()->contains(secureOrigin->host().impl()->hash()));
+ }
}
TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressDisabled)
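Review bot: The first row of the `cases` table spells the expected policy for `default-src 'none'` as a bare `0`, while the report-only loop further down compares against `kLeaveInsecureRequestsAlone`; the table should use the named constant too, `{ "default-src 'none'", kLeaveInsecureRequestsAlone, SecurityContext::InsecureRequestsDoNotUpgrade, false },`, so the test does not depend on the flag's numeric value and both expectations read the same way. The report-only loop is the security-relevant half of this test — a report-only header must not alter enforcement — but the `// Report-Only` marker does not say so; a comment such as `// Report-Only policies are never enforced: every header must leave the request policy, document policy and strict mixed-content checking untouched.` would make the invariant explicit. Both loops exercise only `ContentSecurityPolicyHeaderSourceHTTP`; whether the fixture should also cover a policy delivered by another source is not visible from this hunk.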
