1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "core/frame/csp/ContentSecurityPolicy.h" | 7 #include "core/frame/csp/ContentSecurityPolicy.h" |
8 #include "core/frame/csp/SourceListDirective.h" | 8 #include "core/frame/csp/SourceListDirective.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
176 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource,
String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurity
Policy::SuppressReport)); | 176 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource,
String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurity
Policy::SuppressReport)); |
177 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, S
tring(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityP
olicy::SuppressReport)); | 177 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, S
tring(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityP
olicy::SuppressReport)); |
178 | 178 |
179 // Enforce 'style-src' | 179 // Enforce 'style-src' |
180 directiveList = createList(String("default-src ") + test.list, ContentSe
curityPolicyHeaderTypeEnforce); | 180 directiveList = createList(String("default-src ") + test.list, ContentSe
curityPolicyHeaderTypeEnforce); |
181 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource,
String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurity
Policy::SuppressReport)); | 181 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource,
String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurity
Policy::SuppressReport)); |
182 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, S
tring(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityP
olicy::SuppressReport)); | 182 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, S
tring(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityP
olicy::SuppressReport)); |
183 } | 183 } |
184 } | 184 } |
185 | 185 |
| 186 TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity) |
| 187 { |
| 188 struct TestCase { |
| 189 const char* list; |
| 190 const char* url; |
| 191 const WebURLRequest::RequestContext context; |
| 192 bool expected; |
| 193 } cases[] = { |
| 194 |
| 195 { "require-sri-for script", "https://example.com/file", WebURLRequest::R
equestContextScript, false }, |
| 196 |
| 197 // Extra WSP |
| 198 { "require-sri-for script script ", "https://example.com/file", We
bURLRequest::RequestContextScript, false }, |
| 199 { "require-sri-for style script", "https://example.com/file", We
bURLRequest::RequestContextStyle, false }, |
| 200 |
| 201 { "require-sri-for style script", "https://example.com/file", WebURLRequ
est::RequestContextScript, false }, |
| 202 { "require-sri-for style script", "https://example.com/file", WebURLRequ
est::RequestContextImport, false }, |
| 203 { "require-sri-for style script", "https://example.com/file", WebURLRequ
est::RequestContextImage, true }, |
| 204 |
| 205 { "require-sri-for script", "https://example.com/file", WebURLRequest::R
equestContextAudio, true }, |
| 206 { "require-sri-for script", "https://example.com/file", WebURLRequest::R
equestContextScript, false }, |
| 207 { "require-sri-for script", "https://example.com/file", WebURLRequest::R
equestContextImport, false }, |
| 208 { "require-sri-for script", "https://example.com/file", WebURLRequest::R
equestContextServiceWorker, false }, |
| 209 { "require-sri-for script", "https://example.com/file", WebURLRequest::R
equestContextSharedWorker, false }, |
| 210 { "require-sri-for script", "https://example.com/file", WebURLRequest::R
equestContextWorker, false }, |
| 211 { "require-sri-for script", "https://example.com/file", WebURLRequest::R
equestContextStyle, true }, |
| 212 |
| 213 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re
questContextAudio, true }, |
| 214 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re
questContextScript, true }, |
| 215 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re
questContextImport, true }, |
| 216 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re
questContextServiceWorker, true }, |
| 217 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re
questContextSharedWorker, true }, |
| 218 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re
questContextWorker, true }, |
| 219 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re
questContextStyle, false }, |
| 220 |
| 221 // Multiple tokens |
| 222 { "require-sri-for script style", "https://example.com/file", WebURLRequ
est::RequestContextStyle, false }, |
| 223 { "require-sri-for script style", "https://example.com/file", WebURLRequ
est::RequestContextScript, false }, |
| 224 { "require-sri-for script style", "https://example.com/file", WebURLRequ
est::RequestContextImport, false }, |
| 225 { "require-sri-for script style", "https://example.com/file", WebURLRequ
est::RequestContextImage, true }, |
| 226 |
| 227 // Matching is case-insensitive |
| 228 { "require-sri-for Script", "https://example.com/file", WebURLRequest::R
equestContextScript, false }, |
| 229 |
| 230 // Unknown tokens do not affect result |
| 231 { "require-sri-for blabla12 as", "https://example.com/file", WebURLReque
st::RequestContextScript, true }, |
| 232 { "require-sri-for blabla12 as script", "https://example.com/file", Web
URLRequest::RequestContextScript, false }, |
| 233 { "require-sri-for script style img", "https://example.com/file", WebURL
Request::RequestContextScript, false }, |
| 234 { "require-sri-for script style img", "https://example.com/file", WebURL
Request::RequestContextImport, false }, |
| 235 { "require-sri-for script style img", "https://example.com/file", WebURL
Request::RequestContextStyle, false }, |
| 236 { "require-sri-for script style img", "https://example.com/file", WebURL
Request::RequestContextImage, true }, |
| 237 |
| 238 // Empty token list has no effect |
| 239 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re
questContextScript, true }, |
| 240 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re
questContextImport, true }, |
| 241 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re
questContextStyle, true }, |
| 242 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re
questContextServiceWorker, true }, |
| 243 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re
questContextSharedWorker, true }, |
| 244 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re
questContextWorker, true }, |
| 245 |
| 246 // Order does not matter |
| 247 { "require-sri-for a b script", "https://example.com/file", WebURLReques
t::RequestContextScript, false }, |
| 248 { "require-sri-for a script b", "https://example.com/file", WebURLReques
t::RequestContextScript, false }, |
| 249 }; |
| 250 |
| 251 for (const auto& test : cases) { |
| 252 KURL resource = KURL(KURL(), test.url); |
| 253 // Report-only |
| 254 Member<CSPDirectiveList> directiveList = createList(test.list, ContentSe
curityPolicyHeaderTypeReport); |
| 255 EXPECT_EQ(true, directiveList->allowRequestWithoutIntegrity(test.context
, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::
SuppressReport)); |
| 256 |
| 257 // Enforce |
| 258 directiveList = createList(test.list, ContentSecurityPolicyHeaderTypeEnf
orce); |
| 259 EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity(tes
t.context, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurit
yPolicy::SuppressReport)); |
| 260 } |
| 261 } |
| 262 |
186 } // namespace blink | 263 } // namespace blink |
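Review bot: The new allowRequestWithoutIntegrity test (lines 186-261) never exercises a policy that lacks `require-sri-for` entirely, so the baseline that an absent directive leaves script and style requests allowed is unverified; a case such as `{ "script-src 'self'", "https://example.com/file", WebURLRequest::RequestContextScript, true },` appended to `cases[]` before line 249 would pin it. Every call also passes `ResourceRequest::RedirectStatus::NoRedirect`, so the post-redirect path is not covered even though the integrity requirement presumably should not depend on redirect status; one case run with the followed-redirect status would close that gap. The report-only assertion at line 255 uses `EXPECT_EQ(true, …)`, where `EXPECT_TRUE(directiveList->allowRequestWithoutIntegrity(test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));` reads more directly and gives a clearer failure message. Since all cases share the same `url`, the field is currently dead weight; either drop it or add a second origin so it carries information.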