OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/fetch/IntegrityMetadata.h" | |
8 #include "core/frame/csp/CSPDirectiveList.h" | 9 #include "core/frame/csp/CSPDirectiveList.h" |
9 #include "core/loader/DocumentLoader.h" | 10 #include "core/loader/DocumentLoader.h" |
10 #include "core/testing/DummyPageHolder.h" | 11 #include "core/testing/DummyPageHolder.h" |
12 #include "platform/Crypto.h" | |
11 #include "platform/RuntimeEnabledFeatures.h" | 13 #include "platform/RuntimeEnabledFeatures.h" |
12 #include "platform/network/ContentSecurityPolicyParsers.h" | 14 #include "platform/network/ContentSecurityPolicyParsers.h" |
13 #include "platform/network/ResourceRequest.h" | 15 #include "platform/network/ResourceRequest.h" |
14 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
15 #include "platform/weborigin/SecurityOrigin.h" | 17 #include "platform/weborigin/SecurityOrigin.h" |
16 #include "public/platform/WebAddressSpace.h" | 18 #include "public/platform/WebAddressSpace.h" |
17 #include "testing/gtest/include/gtest/gtest.h" | 19 #include "testing/gtest/include/gtest/gtest.h" |
18 | 20 |
19 namespace blink { | 21 namespace blink { |
20 | 22 |
(...skipping 178 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
199 } | 201 } |
200 | 202 |
201 // Tests that object-src directives are applied to a request to load a | 203 // Tests that object-src directives are applied to a request to load a |
202 // plugin, but not to subresource requests that the plugin itself | 204 // plugin, but not to subresource requests that the plugin itself |
203 // makes. https://crbug.com/603952 | 205 // makes. https://crbug.com/603952 |
204 TEST_F(ContentSecurityPolicyTest, ObjectSrc) | 206 TEST_F(ContentSecurityPolicyTest, ObjectSrc) |
205 { | 207 { |
206 KURL url(KURL(), "https://example.test"); | 208 KURL url(KURL(), "https://example.test"); |
207 csp->bindToExecutionContext(document.get()); | 209 csp->bindToExecutionContext(document.get()); |
208 csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeE nforce, ContentSecurityPolicyHeaderSourceMeta); | 210 csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeE nforce, ContentSecurityPolicyHeaderSourceMeta); |
209 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, Str ing(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppr essReport)); | 211 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, Str ing(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Cont entSecurityPolicy::SuppressReport)); |
210 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, Stri ng(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppre ssReport)); | 212 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, Stri ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte ntSecurityPolicy::SuppressReport)); |
211 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, Stri ng(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppre ssReport)); | 213 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, Stri ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte ntSecurityPolicy::SuppressReport)); |
214 } | |
215 | |
216 | |
217 // Tests that require-sri-for that is set for scripts and styles blocks | |
218 // requests without integrity metadata | |
219 TEST_F(ContentSecurityPolicyTest, RequireSRIForMissingIntegrity) | |
220 { | |
221 KURL url(KURL(), "https://example.test"); | |
222 csp->bindToExecutionContext(document.get()); | |
223 csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicy HeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); | |
Mike West
2016/06/20 08:11:37
Please add some report-only tests as well.
| |
224 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextScript, url, Str ing(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Cont entSecurityPolicy::SuppressReport)); | |
225 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextImport, url, Str ing(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Cont entSecurityPolicy::SuppressReport)); | |
226 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, Stri ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte ntSecurityPolicy::SuppressReport)); | |
227 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, Strin g(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conten tSecurityPolicy::SuppressReport)); | |
228 } | |
229 | |
230 // Tests that require-sri-for that is set for scripts and styles allows | |
231 // requests with integrity metadata | |
232 TEST_F(ContentSecurityPolicyTest, RequireSRIForExistingIntegrity) | |
233 { | |
234 KURL url(KURL(), "https://example.test"); | |
235 IntegrityMetadataSet integrityMetadata; | |
236 integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair( )); | |
237 csp->bindToExecutionContext(document.get()); | |
238 csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicy HeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); | |
239 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextScript, url, Stri ng(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSec urityPolicy::SuppressReport)); | |
240 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImport, url, Stri ng(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSec urityPolicy::SuppressReport)); | |
241 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, Strin g(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecu rityPolicy::SuppressReport)); | |
212 } | 242 } |
213 | 243 |
214 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) | 244 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) |
215 { | 245 { |
216 struct TestCase { | 246 struct TestCase { |
217 const char* policy; | 247 const char* policy; |
218 const char* url; | 248 const char* url; |
219 const char* nonce; | 249 const char* nonce; |
220 bool allowed; | 250 bool allowed; |
221 } cases[] = { | 251 } cases[] = { |
(...skipping 148 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
370 policy = ContentSecurityPolicy::create(); | 400 policy = ContentSecurityPolicy::create(); |
371 policy->bindToExecutionContext(document.get()); | 401 policy->bindToExecutionContext(document.get()); |
372 policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeRe port, ContentSecurityPolicyHeaderSourceHTTP); | 402 policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeRe port, ContentSecurityPolicyHeaderSourceHTTP); |
373 policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeRe port, ContentSecurityPolicyHeaderSourceHTTP); | 403 policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeRe port, ContentSecurityPolicyHeaderSourceHTTP); |
374 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce))) ; | 404 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce))) ; |
375 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); | 405 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); |
376 } | 406 } |
377 } | 407 } |
378 | 408 |
379 } // namespace blink | 409 } // namespace blink |
OLD | NEW |