
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp

Issue 2056183002: Implement the `require-sri-for` CSP directive (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Addressed comments except those related to Layout Tests Created 4 years, 6 months ago
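--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
@@ -1,10 +1,10 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/frame/csp/SourceListDirective.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
 #include "platform/network/ResourceRequest.h"
@@ -176,11 +176,75 @@
         EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
         EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
 
         // Enforce 'style-src'
         directiveList = createList(String("default-src ") + test.list, ContentSecurityPolicyHeaderTypeEnforce);
         EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
         EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
     }
 }
 
+TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity)
+{
+    struct TestCase {
+        const char* list;
+        const char* url;
+        const WebURLRequest::RequestContext context;
+        bool expected;
+    } cases[] = {
+
+        { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+        { "require-sri-for script script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+        { "require-sri-for style script", "https://example.com/file", WebURLRequest::RequestContextStyle, false },
+        { "require-sri-for style script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+        { "require-sri-for style script", "https://example.com/file", WebURLRequest::RequestContextImport, false },
+        { "require-sri-for style script", "https://example.com/file", WebURLRequest::RequestContextImage, true },
+
+
+        { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextAudio, true },
+        { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+        { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextImport, false },
+        { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextStyle, true },
+
+        { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextAudio, true },
+        { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextScript, true },
+        { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextImport, true },
+        { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextStyle, false },
+
+        // Multiple tokens
+        { "require-sri-for script style", "https://example.com/file", WebURLRequest::RequestContextStyle, false },
+        { "require-sri-for script style", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+        { "require-sri-for script style", "https://example.com/file", WebURLRequest::RequestContextImport, false },
+        { "require-sri-for script style", "https://example.com/file", WebURLRequest::RequestContextImage, true },
+
+        // Matching is case-insensitive
+        { "require-sri-for Script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+
+        // Unknown tokens do not affect result
+        { "require-sri-for blabla12 as", "https://example.com/file", WebURLRequest::RequestContextScript, true },
+        { "require-sri-for blabla12 as script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+        { "require-sri-for script style img", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+        { "require-sri-for script style img", "https://example.com/file", WebURLRequest::RequestContextImport, false },
+        { "require-sri-for script style img", "https://example.com/file", WebURLRequest::RequestContextStyle, false },
+        { "require-sri-for script style img", "https://example.com/file", WebURLRequest::RequestContextImage, true },
+
+        // Empty token list has no effect
+        { "require-sri-for ", "https://example.com/file", WebURLRequest::RequestContextScript, true },
+
+        // Order does not matter
+        { "require-sri-for a b script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+        { "require-sri-for a script b", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+    };
+
+    for (const auto& test : cases) {
+        KURL resource = KURL(KURL(), test.url);
+        // Report-only
+        Member<CSPDirectiveList> directiveList = createList(test.list, ContentSecurityPolicyHeaderTypeReport);
+        EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity(test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+
+        // Enforce
+        directiveList = createList(test.list, ContentSecurityPolicyHeaderTypeEnforce);
+        EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity(test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    }
+}
+
 } // namespace blink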
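Review bot: Both the report-only and enforce loops in the new test (lines 241–246) call allowRequestWithoutIntegrity with `ContentSecurityPolicy::SuppressReport` and the same `test.expected`, so the reporting path — the code that distinguishes a report-only `require-sri-for` policy from an enforced one and emits the violation — is never exercised, and `RedirectStatus` is always `NoRedirect`. Adding a second expectation per mode with `ContentSecurityPolicy::SendReport` (presumably `true` under the report-only header and `test.expected` under enforce, mirroring how the source-list checks above behave — confirm against CSPDirectiveList) would cover the behaviour the header type is supposed to change. The first case group has no heading comment like the later groups, the row `{ "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextScript, false }` appears twice (lines 195 and 204), and the blank lines at 194 and 201–202 could be dropped; a `// Single token` heading on the first group would make the table consistent.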