OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/fetch/IntegrityMetadata.h" | |
8 #include "core/frame/csp/CSPDirectiveList.h" | 9 #include "core/frame/csp/CSPDirectiveList.h" |
9 #include "core/loader/DocumentLoader.h" | 10 #include "core/loader/DocumentLoader.h" |
10 #include "core/testing/DummyPageHolder.h" | 11 #include "core/testing/DummyPageHolder.h" |
12 #include "platform/Crypto.h" | |
11 #include "platform/RuntimeEnabledFeatures.h" | 13 #include "platform/RuntimeEnabledFeatures.h" |
12 #include "platform/network/ContentSecurityPolicyParsers.h" | 14 #include "platform/network/ContentSecurityPolicyParsers.h" |
13 #include "platform/network/ResourceRequest.h" | 15 #include "platform/network/ResourceRequest.h" |
14 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
15 #include "platform/weborigin/SecurityOrigin.h" | 17 #include "platform/weborigin/SecurityOrigin.h" |
16 #include "public/platform/WebAddressSpace.h" | 18 #include "public/platform/WebAddressSpace.h" |
17 #include "testing/gtest/include/gtest/gtest.h" | 19 #include "testing/gtest/include/gtest/gtest.h" |
18 | 20 |
19 namespace blink { | 21 namespace blink { |
20 | 22 |
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
77 document->setAddressSpace(WebAddressSpacePrivate); | 79 document->setAddressSpace(WebAddressSpacePrivate); |
78 EXPECT_EQ(WebAddressSpacePrivate, document->addressSpace()); | 80 EXPECT_EQ(WebAddressSpacePrivate, document->addressSpace()); |
79 | 81 |
80 csp->didReceiveHeader("treat-as-public-address", ContentSecurityPolicyHeader TypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); | 82 csp->didReceiveHeader("treat-as-public-address", ContentSecurityPolicyHeader TypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); |
81 csp->bindToExecutionContext(document.get()); | 83 csp->bindToExecutionContext(document.get()); |
82 EXPECT_EQ(WebAddressSpacePublic, document->addressSpace()); | 84 EXPECT_EQ(WebAddressSpacePublic, document->addressSpace()); |
83 } | 85 } |
84 | 86 |
85 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) | 87 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) |
86 { | 88 { |
87 csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1" , ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP) ; | 89 csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1" , ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP); |
88 csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHea derTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); | 90 csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHea derTypeReport, ContentSecurityPolicyHeaderSourceHTTP); |
89 | 91 |
90 KURL exampleUrl(KURL(), "http://example.com"); | 92 KURL exampleUrl(KURL(), "http://example.com"); |
91 KURL notExampleUrl(KURL(), "http://not-example.com"); | 93 KURL notExampleUrl(KURL(), "http://not-example.com"); |
92 | 94 |
93 ContentSecurityPolicy* csp2 = ContentSecurityPolicy::create(); | 95 ContentSecurityPolicy* csp2 = ContentSecurityPolicy::create(); |
94 csp2->copyStateFrom(csp.get()); | 96 csp2->copyStateFrom(csp.get()); |
95 EXPECT_FALSE(csp2->allowScriptFromSource(exampleUrl, String(), ResourceReque st::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); | 97 EXPECT_FALSE(csp2->allowScriptFromSource(exampleUrl, String(), ResourceReque st::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
96 EXPECT_TRUE(csp2->allowPluginType("application/x-type-1", "application/x-typ e-1", exampleUrl, ContentSecurityPolicy::SuppressReport)); | 98 EXPECT_TRUE(csp2->allowPluginType("application/x-type-1", "application/x-typ e-1", exampleUrl, ContentSecurityPolicy::SuppressReport)); |
97 EXPECT_TRUE(csp2->allowImageFromSource(exampleUrl, ResourceRequest::Redirect Status::NoRedirect, ContentSecurityPolicy::SuppressReport)); | 99 EXPECT_TRUE(csp2->allowImageFromSource(exampleUrl, ResourceRequest::Redirect Status::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
98 EXPECT_FALSE(csp2->allowImageFromSource(notExampleUrl, ResourceRequest::Redi rectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); | 100 EXPECT_FALSE(csp2->allowImageFromSource(notExampleUrl, ResourceRequest::Redi rectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
(...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
199 } | 201 } |
200 | 202 |
201 // Tests that object-src directives are applied to a request to load a | 203 // Tests that object-src directives are applied to a request to load a |
202 // plugin, but not to subresource requests that the plugin itself | 204 // plugin, but not to subresource requests that the plugin itself |
203 // makes. https://crbug.com/603952 | 205 // makes. https://crbug.com/603952 |
204 TEST_F(ContentSecurityPolicyTest, ObjectSrc) | 206 TEST_F(ContentSecurityPolicyTest, ObjectSrc) |
205 { | 207 { |
206 KURL url(KURL(), "https://example.test"); | 208 KURL url(KURL(), "https://example.test"); |
207 csp->bindToExecutionContext(document.get()); | 209 csp->bindToExecutionContext(document.get()); |
208 csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeE nforce, ContentSecurityPolicyHeaderSourceMeta); | 210 csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeE nforce, ContentSecurityPolicyHeaderSourceMeta); |
209 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, Str ing(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppr essReport)); | 211 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, Str ing(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Cont entSecurityPolicy::SuppressReport)); |
210 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, Stri ng(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppre ssReport)); | 212 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, Stri ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte ntSecurityPolicy::SuppressReport)); |
211 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, Stri ng(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppre ssReport)); | 213 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, Stri ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte ntSecurityPolicy::SuppressReport)); |
214 } | |
215 | |
216 // Tests that requests for scripts and styles are blocked | |
217 // if `require-sri-for` delivered in HTTP header requires integrity be present | |
218 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity) | |
219 { | |
220 KURL url(KURL(), "https://example.test"); | |
221 // Enforce | |
222 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); | |
223 policy->bindToExecutionContext(document.get()); | |
224 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli cyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); | |
225 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
226 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
227 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, S tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co ntentSecurityPolicy::SuppressReport)); | |
228 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker , url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedi rect, ContentSecurityPolicy::SuppressReport)); | |
229 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedir ect, ContentSecurityPolicy::SuppressReport)); | |
230 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
231 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con tentSecurityPolicy::SuppressReport)); | |
232 // Report | |
233 policy = ContentSecurityPolicy::create(); | |
234 policy->bindToExecutionContext(document.get()); | |
235 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli cyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP); | |
236 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
Mike West
2016/06/24 09:25:07
As noted above, this seems incorrect. Why do we de
| |
237 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
238 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, S tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co ntentSecurityPolicy::SuppressReport)); | |
239 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker , url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedi rect, ContentSecurityPolicy::SuppressReport)); | |
240 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedir ect, ContentSecurityPolicy::SuppressReport)); | |
241 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
242 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con tentSecurityPolicy::SuppressReport)); | |
243 } | |
244 | |
245 // Tests that requests for scripts and styles are allowed | |
246 // if `require-sri-for` delivered in HTTP header requires integrity be present | |
247 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderPresentIntegrity) | |
248 { | |
249 KURL url(KURL(), "https://example.test"); | |
250 IntegrityMetadataSet integrityMetadata; | |
251 integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair( )); | |
252 csp->bindToExecutionContext(document.get()); | |
253 // Enforce | |
254 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); | |
255 policy->bindToExecutionContext(document.get()); | |
256 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli cyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); | |
257 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
258 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
259 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS ecurityPolicy::SuppressReport)); | |
260 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); | |
261 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
262 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
263 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS ecurityPolicy::SuppressReport)); | |
264 // Content-Security-Policy-Report-Only is not supported in meta element, | |
265 // so nothing should be blocked | |
266 policy = ContentSecurityPolicy::create(); | |
267 policy->bindToExecutionContext(document.get()); | |
268 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli cyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP); | |
269 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
270 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
271 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS ecurityPolicy::SuppressReport)); | |
272 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); | |
273 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
274 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
275 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS ecurityPolicy::SuppressReport)); | |
276 } | |
277 | |
278 // Tests that requests for scripts and styles are blocked | |
279 // if `require-sri-for` delivered in meta tag requires integrity be present | |
280 TEST_F(ContentSecurityPolicyTest, RequireSRIForInMetaMissingIntegrity) | |
281 { | |
282 KURL url(KURL(), "https://example.test"); | |
283 // Enforce | |
284 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); | |
285 policy->bindToExecutionContext(document.get()); | |
286 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli cyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); | |
287 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
288 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
289 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, S tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co ntentSecurityPolicy::SuppressReport)); | |
290 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker , url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedi rect, ContentSecurityPolicy::SuppressReport)); | |
291 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedir ect, ContentSecurityPolicy::SuppressReport)); | |
292 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
293 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con tentSecurityPolicy::SuppressReport)); | |
294 // Content-Security-Policy-Report-Only is not supported in meta element, | |
295 // so nothing should be blocked | |
296 policy = ContentSecurityPolicy::create(); | |
297 policy->bindToExecutionContext(document.get()); | |
298 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli cyHeaderTypeReport, ContentSecurityPolicyHeaderSourceMeta); | |
299 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co ntentSecurityPolicy::SuppressReport)); | |
300 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co ntentSecurityPolicy::SuppressReport)); | |
301 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con tentSecurityPolicy::SuppressReport)); | |
302 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedir ect, ContentSecurityPolicy::SuppressReport)); | |
303 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedire ct, ContentSecurityPolicy::SuppressReport)); | |
304 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co ntentSecurityPolicy::SuppressReport)); | |
305 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con tentSecurityPolicy::SuppressReport)); | |
306 } | |
307 | |
308 // Tests that requests for scripts and styles are allowed | |
309 // if `require-sri-for` delivered meta tag requires integrity be present | |
310 TEST_F(ContentSecurityPolicyTest, RequireSRIForInMetaPresentIntegrity) | |
311 { | |
312 KURL url(KURL(), "https://example.test"); | |
313 IntegrityMetadataSet integrityMetadata; | |
314 integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair( )); | |
315 csp->bindToExecutionContext(document.get()); | |
316 // Enforce | |
317 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); | |
318 policy->bindToExecutionContext(document.get()); | |
319 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli cyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); | |
320 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
321 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
322 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS ecurityPolicy::SuppressReport)); | |
323 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); | |
324 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
325 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
326 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS ecurityPolicy::SuppressReport)); | |
327 // Report | |
328 policy = ContentSecurityPolicy::create(); | |
329 policy->bindToExecutionContext(document.get()); | |
330 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli cyHeaderTypeReport, ContentSecurityPolicyHeaderSourceMeta); | |
331 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
332 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
333 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS ecurityPolicy::SuppressReport)); | |
334 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); | |
335 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, C ontentSecurityPolicy::SuppressReport)); | |
336 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content SecurityPolicy::SuppressReport)); | |
337 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS ecurityPolicy::SuppressReport)); | |
212 } | 338 } |
213 | 339 |
214 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) | 340 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) |
215 { | 341 { |
216 struct TestCase { | 342 struct TestCase { |
217 const char* policy; | 343 const char* policy; |
218 const char* url; | 344 const char* url; |
219 const char* nonce; | 345 const char* nonce; |
220 bool allowed; | 346 bool allowed; |
221 } cases[] = { | 347 } cases[] = { |
(...skipping 148 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
370 policy = ContentSecurityPolicy::create(); | 496 policy = ContentSecurityPolicy::create(); |
371 policy->bindToExecutionContext(document.get()); | 497 policy->bindToExecutionContext(document.get()); |
372 policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeRe port, ContentSecurityPolicyHeaderSourceHTTP); | 498 policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeRe port, ContentSecurityPolicyHeaderSourceHTTP); |
373 policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeRe port, ContentSecurityPolicyHeaderSourceHTTP); | 499 policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeRe port, ContentSecurityPolicyHeaderSourceHTTP); |
374 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce))) ; | 500 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce))) ; |
375 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); | 501 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); |
376 } | 502 } |
377 } | 503 } |
378 | 504 |
379 } // namespace blink | 505 } // namespace blink |
OLD | NEW |