1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/fetch/IntegrityMetadata.h" |
8 #include "core/frame/csp/CSPDirectiveList.h" | 9 #include "core/frame/csp/CSPDirectiveList.h" |
9 #include "core/loader/DocumentLoader.h" | 10 #include "core/loader/DocumentLoader.h" |
10 #include "core/testing/DummyPageHolder.h" | 11 #include "core/testing/DummyPageHolder.h" |
| 12 #include "platform/Crypto.h" |
11 #include "platform/RuntimeEnabledFeatures.h" | 13 #include "platform/RuntimeEnabledFeatures.h" |
12 #include "platform/network/ContentSecurityPolicyParsers.h" | 14 #include "platform/network/ContentSecurityPolicyParsers.h" |
13 #include "platform/network/ResourceRequest.h" | 15 #include "platform/network/ResourceRequest.h" |
14 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
15 #include "platform/weborigin/SecurityOrigin.h" | 17 #include "platform/weborigin/SecurityOrigin.h" |
16 #include "public/platform/WebAddressSpace.h" | 18 #include "public/platform/WebAddressSpace.h" |
17 #include "testing/gtest/include/gtest/gtest.h" | 19 #include "testing/gtest/include/gtest/gtest.h" |
18 | 20 |
19 namespace blink { | 21 namespace blink { |
20 | 22 |
77 document->setAddressSpace(WebAddressSpacePrivate); | 79 document->setAddressSpace(WebAddressSpacePrivate); |
78 EXPECT_EQ(WebAddressSpacePrivate, document->addressSpace()); | 80 EXPECT_EQ(WebAddressSpacePrivate, document->addressSpace()); |
79 | 81 |
80 csp->didReceiveHeader("treat-as-public-address", ContentSecurityPolicyHeader
TypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); | 82 csp->didReceiveHeader("treat-as-public-address", ContentSecurityPolicyHeader
TypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); |
81 csp->bindToExecutionContext(document.get()); | 83 csp->bindToExecutionContext(document.get()); |
82 EXPECT_EQ(WebAddressSpacePublic, document->addressSpace()); | 84 EXPECT_EQ(WebAddressSpacePublic, document->addressSpace()); |
83 } | 85 } |
84 | 86 |
85 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) | 87 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) |
86 { | 88 { |
87 csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1"
, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP)
; | 89 csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1"
, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP); |
88 csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHea
derTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); | 90 csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHea
derTypeReport, ContentSecurityPolicyHeaderSourceHTTP); |
89 | 91 |
90 KURL exampleUrl(KURL(), "http://example.com"); | 92 KURL exampleUrl(KURL(), "http://example.com"); |
91 KURL notExampleUrl(KURL(), "http://not-example.com"); | 93 KURL notExampleUrl(KURL(), "http://not-example.com"); |
92 | 94 |
93 ContentSecurityPolicy* csp2 = ContentSecurityPolicy::create(); | 95 ContentSecurityPolicy* csp2 = ContentSecurityPolicy::create(); |
94 csp2->copyStateFrom(csp.get()); | 96 csp2->copyStateFrom(csp.get()); |
95 EXPECT_FALSE(csp2->allowScriptFromSource(exampleUrl, String(), ResourceReque
st::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); | 97 EXPECT_FALSE(csp2->allowScriptFromSource(exampleUrl, String(), ResourceReque
st::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
96 EXPECT_TRUE(csp2->allowPluginType("application/x-type-1", "application/x-typ
e-1", exampleUrl, ContentSecurityPolicy::SuppressReport)); | 98 EXPECT_TRUE(csp2->allowPluginType("application/x-type-1", "application/x-typ
e-1", exampleUrl, ContentSecurityPolicy::SuppressReport)); |
97 EXPECT_TRUE(csp2->allowImageFromSource(exampleUrl, ResourceRequest::Redirect
Status::NoRedirect, ContentSecurityPolicy::SuppressReport)); | 99 EXPECT_TRUE(csp2->allowImageFromSource(exampleUrl, ResourceRequest::Redirect
Status::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
98 EXPECT_FALSE(csp2->allowImageFromSource(notExampleUrl, ResourceRequest::Redi
rectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); | 100 EXPECT_FALSE(csp2->allowImageFromSource(notExampleUrl, ResourceRequest::Redi
rectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
199 } | 201 } |
200 | 202 |
201 // Tests that object-src directives are applied to a request to load a | 203 // Tests that object-src directives are applied to a request to load a |
202 // plugin, but not to subresource requests that the plugin itself | 204 // plugin, but not to subresource requests that the plugin itself |
203 // makes. https://crbug.com/603952 | 205 // makes. https://crbug.com/603952 |
204 TEST_F(ContentSecurityPolicyTest, ObjectSrc) | 206 TEST_F(ContentSecurityPolicyTest, ObjectSrc) |
205 { | 207 { |
206 KURL url(KURL(), "https://example.test"); | 208 KURL url(KURL(), "https://example.test"); |
207 csp->bindToExecutionContext(document.get()); | 209 csp->bindToExecutionContext(document.get()); |
208 csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeE
nforce, ContentSecurityPolicyHeaderSourceMeta); | 210 csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeE
nforce, ContentSecurityPolicyHeaderSourceMeta); |
209 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, Str
ing(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppr
essReport)); | 211 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, Str
ing(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Cont
entSecurityPolicy::SuppressReport)); |
210 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, Stri
ng(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppre
ssReport)); | 212 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, Stri
ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte
ntSecurityPolicy::SuppressReport)); |
211 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, Stri
ng(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::Suppre
ssReport)); | 213 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, Stri
ng(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Conte
ntSecurityPolicy::SuppressReport)); |
| 214 } |
| 215 |
| 216 // Tests that requests for scripts and styles are blocked |
| 217 // if `require-sri-for` delivered in HTTP header requires integrity be present |
| 218 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity) |
| 219 { |
| 220 KURL url(KURL(), "https://example.test"); |
| 221 // Enforce |
| 222 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); |
| 223 policy->bindToExecutionContext(document.get()); |
| 224 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli
cyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); |
| 225 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextScript, url,
String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 226 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextImport, url,
String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 227 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, S
tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co
ntentSecurityPolicy::SuppressReport)); |
| 228 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker
, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedi
rect, ContentSecurityPolicy::SuppressReport)); |
| 229 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker,
url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedir
ect, ContentSecurityPolicy::SuppressReport)); |
| 230 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextWorker, url,
String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 231 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St
ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con
tentSecurityPolicy::SuppressReport)); |
| 232 // Report |
| 233 policy = ContentSecurityPolicy::create(); |
| 234 policy->bindToExecutionContext(document.get()); |
| 235 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli
cyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP); |
| 236 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S
tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co
ntentSecurityPolicy::SuppressReport)); |
| 237 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S
tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co
ntentSecurityPolicy::SuppressReport)); |
| 238 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St
ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con
tentSecurityPolicy::SuppressReport)); |
| 239 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker,
url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedir
ect, ContentSecurityPolicy::SuppressReport)); |
| 240 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker,
url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedire
ct, ContentSecurityPolicy::SuppressReport)); |
| 241 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S
tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co
ntentSecurityPolicy::SuppressReport)); |
| 242 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St
ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con
tentSecurityPolicy::SuppressReport)); |
| 243 } |
| 244 |
| 245 // Tests that requests for scripts and styles are allowed |
| 246 // if `require-sri-for` delivered in HTTP header requires integrity be present |
| 247 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderPresentIntegrity) |
| 248 { |
| 249 KURL url(KURL(), "https://example.test"); |
| 250 IntegrityMetadataSet integrityMetadata; |
| 251 integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair(
)); |
| 252 csp->bindToExecutionContext(document.get()); |
| 253 // Enforce |
| 254 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); |
| 255 policy->bindToExecutionContext(document.get()); |
| 256 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli
cyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP); |
| 257 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 258 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 259 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St
ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS
ecurityPolicy::SuppressReport)); |
| 260 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker,
url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect,
ContentSecurityPolicy::SuppressReport)); |
| 261 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker,
url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 262 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 263 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St
ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS
ecurityPolicy::SuppressReport)); |
| 264 // Content-Security-Policy-Report-Only is not supported in meta element, |
| 265 // so nothing should be blocked |
| 266 policy = ContentSecurityPolicy::create(); |
| 267 policy->bindToExecutionContext(document.get()); |
| 268 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli
cyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP); |
| 269 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 270 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 271 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St
ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS
ecurityPolicy::SuppressReport)); |
| 272 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker,
url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect,
ContentSecurityPolicy::SuppressReport)); |
| 273 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker,
url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 274 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 275 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St
ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS
ecurityPolicy::SuppressReport)); |
| 276 } |
| 277 |
| 278 // Tests that requests for scripts and styles are blocked |
| 279 // if `require-sri-for` delivered in meta tag requires integrity be present |
| 280 TEST_F(ContentSecurityPolicyTest, RequireSRIForInMetaMissingIntegrity) |
| 281 { |
| 282 KURL url(KURL(), "https://example.test"); |
| 283 // Enforce |
| 284 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); |
| 285 policy->bindToExecutionContext(document.get()); |
| 286 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli
cyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); |
| 287 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextScript, url,
String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 288 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextImport, url,
String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 289 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, S
tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co
ntentSecurityPolicy::SuppressReport)); |
| 290 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker
, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedi
rect, ContentSecurityPolicy::SuppressReport)); |
| 291 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker,
url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedir
ect, ContentSecurityPolicy::SuppressReport)); |
| 292 EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextWorker, url,
String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 293 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St
ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con
tentSecurityPolicy::SuppressReport)); |
| 294 // Content-Security-Policy-Report-Only is not supported in meta element, |
| 295 // so nothing should be blocked |
| 296 policy = ContentSecurityPolicy::create(); |
| 297 policy->bindToExecutionContext(document.get()); |
| 298 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli
cyHeaderTypeReport, ContentSecurityPolicyHeaderSourceMeta); |
| 299 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S
tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co
ntentSecurityPolicy::SuppressReport)); |
| 300 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S
tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co
ntentSecurityPolicy::SuppressReport)); |
| 301 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St
ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con
tentSecurityPolicy::SuppressReport)); |
| 302 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker,
url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedir
ect, ContentSecurityPolicy::SuppressReport)); |
| 303 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker,
url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedire
ct, ContentSecurityPolicy::SuppressReport)); |
| 304 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S
tring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Co
ntentSecurityPolicy::SuppressReport)); |
| 305 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St
ring(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, Con
tentSecurityPolicy::SuppressReport)); |
| 306 } |
| 307 |
| 308 // Tests that requests for scripts and styles are allowed |
| 309 // if `require-sri-for` delivered meta tag requires integrity be present |
| 310 TEST_F(ContentSecurityPolicyTest, RequireSRIForInMetaPresentIntegrity) |
| 311 { |
| 312 KURL url(KURL(), "https://example.test"); |
| 313 IntegrityMetadataSet integrityMetadata; |
| 314 integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair(
)); |
| 315 csp->bindToExecutionContext(document.get()); |
| 316 // Enforce |
| 317 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); |
| 318 policy->bindToExecutionContext(document.get()); |
| 319 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli
cyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); |
| 320 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 321 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 322 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St
ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS
ecurityPolicy::SuppressReport)); |
| 323 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker,
url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect,
ContentSecurityPolicy::SuppressReport)); |
| 324 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker,
url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 325 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 326 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St
ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS
ecurityPolicy::SuppressReport)); |
| 327 // Content-Security-Policy-Report-Only is not supported in meta element, |
| 328 // so nothing should be blocked |
| 329 policy = ContentSecurityPolicy::create(); |
| 330 policy->bindToExecutionContext(document.get()); |
| 331 policy->didReceiveHeader("require-sri-for script style", ContentSecurityPoli
cyHeaderTypeReport, ContentSecurityPolicyHeaderSourceMeta); |
| 332 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 333 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 334 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, St
ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS
ecurityPolicy::SuppressReport)); |
| 335 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker,
url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect,
ContentSecurityPolicy::SuppressReport)); |
| 336 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker,
url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, C
ontentSecurityPolicy::SuppressReport)); |
| 337 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, S
tring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, Content
SecurityPolicy::SuppressReport)); |
| 338 EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, St
ring(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentS
ecurityPolicy::SuppressReport)); |
212 } | 339 } |
213 | 340 |
214 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) | 341 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) |
215 { | 342 { |
216 struct TestCase { | 343 struct TestCase { |
217 const char* policy; | 344 const char* policy; |
218 const char* url; | 345 const char* url; |
219 const char* nonce; | 346 const char* nonce; |
220 bool allowed; | 347 bool allowed; |
221 } cases[] = { | 348 } cases[] = { |
370 policy = ContentSecurityPolicy::create(); | 497 policy = ContentSecurityPolicy::create(); |
371 policy->bindToExecutionContext(document.get()); | 498 policy->bindToExecutionContext(document.get()); |
372 policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeRe
port, ContentSecurityPolicyHeaderSourceHTTP); | 499 policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeRe
port, ContentSecurityPolicyHeaderSourceHTTP); |
373 policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeRe
port, ContentSecurityPolicyHeaderSourceHTTP); | 500 policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeRe
port, ContentSecurityPolicyHeaderSourceHTTP); |
374 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce)))
; | 501 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce)))
; |
375 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); | 502 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); |
376 } | 503 } |
377 } | 504 } |
378 | 505 |
379 } // namespace blink | 506 } // namespace blink |
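Review bot: The report-only halves of the four new RequireSRIFor tests (new lines 233-242, 266-275, 296-305, 329-338) only assert that allowRequest returns true, and because every call passes ContentSecurityPolicy::SuppressReport a report-only policy that silently neither blocks nor reports would pass them unchanged; for the missing-integrity cases pass the report-sending status (SendReport) and pin the side effect the way line 502 already does, e.g. `EXPECT_EQ(1u, policy->m_violationReportsSent.size());` after the first report-only script request. The comment at new lines 264-265 ("not supported in meta element") is copied from the meta test but RequireSRIForInHeaderPresentIntegrity delivers the header via ContentSecurityPolicyHeaderSourceHTTP, so it should read `// Report-only: integrity is present, so nothing is blocked either way`. The `csp->bindToExecutionContext(document.get());` at new lines 252 and 315 binds the fixture policy that these tests never consult and looks like a leftover; dropping it keeps each test to the single `policy` it exercises. Separately, CopyStateFrom switches both headers from Enforce to Report (new lines 89-90) while keeping the EXPECT_FALSE checks at lines 97 and 100; if report-only policies do not block in this code base, those expectations presumably no longer hold and the change looks unintended, so please confirm.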