1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/fetch/IntegrityMetadata.h" |
8 #include "core/frame/csp/CSPDirectiveList.h" | 9 #include "core/frame/csp/CSPDirectiveList.h" |
9 #include "core/loader/DocumentLoader.h" | 10 #include "core/loader/DocumentLoader.h" |
10 #include "core/testing/DummyPageHolder.h" | 11 #include "core/testing/DummyPageHolder.h" |
| 12 #include "platform/Crypto.h" |
11 #include "platform/RuntimeEnabledFeatures.h" | 13 #include "platform/RuntimeEnabledFeatures.h" |
12 #include "platform/network/ContentSecurityPolicyParsers.h" | 14 #include "platform/network/ContentSecurityPolicyParsers.h" |
13 #include "platform/network/ResourceRequest.h" | 15 #include "platform/network/ResourceRequest.h" |
14 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
15 #include "platform/weborigin/SecurityOrigin.h" | 17 #include "platform/weborigin/SecurityOrigin.h" |
16 #include "public/platform/WebAddressSpace.h" | 18 #include "public/platform/WebAddressSpace.h" |
17 #include "testing/gtest/include/gtest/gtest.h" | 19 #include "testing/gtest/include/gtest/gtest.h" |
18 | 20 |
19 namespace blink { | 21 namespace blink { |
20 | 22 |
(...skipping 178 matching lines...)
199 } | 201 } |
200 | 202 |
201 // Tests that object-src directives are applied to a request to load a | 203 // Tests that object-src directives are applied to a request to load a |
202 // plugin, but not to subresource requests that the plugin itself | 204 // plugin, but not to subresource requests that the plugin itself |
203 // makes. https://crbug.com/603952 | 205 // makes. https://crbug.com/603952 |
204 TEST_F(ContentSecurityPolicyTest, ObjectSrc) | 206 TEST_F(ContentSecurityPolicyTest, ObjectSrc) |
205 { | 207 { |
206 KURL url(KURL(), "https://example.test"); | 208 KURL url(KURL(), "https://example.test"); |
207 csp->bindToExecutionContext(document.get()); | 209 csp->bindToExecutionContext(document.get()); |
208 csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeE
nforce, ContentSecurityPolicyHeaderSourceMeta); | 210 csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeE
nforce, ContentSecurityPolicyHeaderSourceMeta); |
209 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, Str
ing(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppr
essReport)); | 211 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, Str
ing(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Cont
entSecurityPolicy::SuppressReport)); |
210 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, Stri
ng(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppre
ssReport)); | 212 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, Stri
ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte
ntSecurityPolicy::SuppressReport)); |
211 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, Stri
ng(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppre
ssReport)); | 213 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, Stri
ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte
ntSecurityPolicy::SuppressReport)); |
| 214 } |
| 215 |
| 216 |
| 217 // Tests that require-sri-for that is set for scripts and styles blocks |
| 218 // requests without integrity metadata |
| 219 TEST_F(ContentSecurityPolicyTest, RequireSRIForMissingIntegrity) |
| 220 { |
| 221 KURL url(KURL(), "https://example.test"); |
| 222 csp->bindToExecutionContext(document.get()); |
| 223 csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicy
HeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); |
| 224 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextScript, url, Str
ing(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Cont
entSecurityPolicy::SuppressReport)); |
| 225 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextImport, url, Str
ing(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Cont
entSecurityPolicy::SuppressReport)); |
| 226 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, Stri
ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte
ntSecurityPolicy::SuppressReport)); |
| 227 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, Strin
g(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conten
tSecurityPolicy::SuppressReport)); |
| 228 } |
| 229 |
| 230 // Tests that require-sri-for that is set for scripts and styles allows |
| 231 // requests with integrity metadata |
| 232 TEST_F(ContentSecurityPolicyTest, RequireSRIForExistingIntegrity) |
| 233 { |
| 234 KURL url(KURL(), "https://example.test"); |
| 235 IntegrityMetadataSet integrityMetadata; |
| 236 integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair(
)); |
| 237 csp->bindToExecutionContext(document.get()); |
| 238 csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicy
HeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); |
| 239 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextScript, url, Stri
ng(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSec
urityPolicy::SuppressReport)); |
| 240 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImport, url, Stri
ng(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSec
urityPolicy::SuppressReport)); |
| 241 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, Strin
g(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecu
rityPolicy::SuppressReport)); |
212 } | 242 } |
213 | 243 |
214 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) | 244 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) |
215 { | 245 { |
216 struct TestCase { | 246 struct TestCase { |
217 const char* policy; | 247 const char* policy; |
218 const char* url; | 248 const char* url; |
219 const char* nonce; | 249 const char* nonce; |
220 bool allowed; | 250 bool allowed; |
221 } cases[] = { | 251 } cases[] = { |
(...skipping 148 matching lines...)
370 policy = ContentSecurityPolicy::create(); | 400 policy = ContentSecurityPolicy::create(); |
371 policy->bindToExecutionContext(document.get()); | 401 policy->bindToExecutionContext(document.get()); |
372 policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeRe
port, ContentSecurityPolicyHeaderSourceHTTP); | 402 policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeRe
port, ContentSecurityPolicyHeaderSourceHTTP); |
373 policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeRe
port, ContentSecurityPolicyHeaderSourceHTTP); | 403 policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeRe
port, ContentSecurityPolicyHeaderSourceHTTP); |
374 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce)))
; | 404 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce)))
; |
375 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); | 405 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); |
376 } | 406 } |
377 } | 407 } |
378 | 408 |
379 } // namespace blink | 409 } // namespace blink |
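Review bot: RequireSRIForExistingIntegrity (new lines 232-242) has no negative control, and the digest it builds with `IntegrityMetadata("1234", HashAlgorithmSha384)` is not a valid SHA-384 value, so a reader cannot tell whether require-sri-for is meant to check only that integrity metadata is present or that it is well-formed; if presence is the contract, a comment above line 235 such as `// The digest is a placeholder: require-sri-for only requires that some integrity metadata be attached; digest verification happens at fetch time.` would make that explicit. The pair of tests would also pin the directive down better with a variant that lists only one type, e.g. `csp->didReceiveHeader("require-sri-for script;", ...)` followed by an `EXPECT_TRUE` for `RequestContextStyle` with an empty `IntegrityMetadataSet()`, so a regression that applies the directive to every resource type is caught; RequireSRIForMissingIntegrity has such a control for images, RequireSRIForExistingIntegrity has none. Separately, new lines 215-216 leave two consecutive blank lines between tests where the rest of the file uses one.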