
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp

Issue 2056183002: Implement the `require-sri-for` CSP directive (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: addressed comments Created 4 years, 6 months ago
1 // Copyright 2016 The Chromium Authors. All rights reserved. 1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "core/frame/csp/CSPDirectiveList.h" 5 #include "core/frame/csp/CSPDirectiveList.h"
6 6
7 #include "core/frame/csp/ContentSecurityPolicy.h" 7 #include "core/frame/csp/ContentSecurityPolicy.h"
8 #include "core/frame/csp/SourceListDirective.h" 8 #include "core/frame/csp/SourceListDirective.h"
9 #include "platform/network/ContentSecurityPolicyParsers.h" 9 #include "platform/network/ContentSecurityPolicyParsers.h"
10 #include "platform/network/ResourceRequest.h" 10 #include "platform/network/ResourceRequest.h"
(...skipping 165 matching lines...) Expand 10 before | Expand all | Expand 10 after
176 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurity Policy::SuppressReport)); 176 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurity Policy::SuppressReport));
177 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, S tring(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityP olicy::SuppressReport)); 177 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, S tring(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityP olicy::SuppressReport));
178 178
179 // Enforce 'style-src' 179 // Enforce 'style-src'
180 directiveList = createList(String("default-src ") + test.list, ContentSe curityPolicyHeaderTypeEnforce); 180 directiveList = createList(String("default-src ") + test.list, ContentSe curityPolicyHeaderTypeEnforce);
181 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurity Policy::SuppressReport)); 181 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurity Policy::SuppressReport));
182 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, S tring(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityP olicy::SuppressReport)); 182 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, S tring(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityP olicy::SuppressReport));
183 } 183 }
184 } 184 }
185 185
186 TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity)
187 {
188 struct TestCase {
189 const char* list;
190 const char* url;
191 const WebURLRequest::RequestContext context;
192 bool expected;
193 } cases[] = {
194
195 { "require-sri-for script", "https://example.com/file", WebURLRequest::R equestContextScript, false },
196
197 // Extra WSP
198 { "require-sri-for script script ", "https://example.com/file", We bURLRequest::RequestContextScript, false },
199 { "require-sri-for style script", "https://example.com/file", We bURLRequest::RequestContextStyle, false },
200
201 { "require-sri-for style script", "https://example.com/file", WebURLRequ est::RequestContextScript, false },
202 { "require-sri-for style script", "https://example.com/file", WebURLRequ est::RequestContextImport, false },
203 { "require-sri-for style script", "https://example.com/file", WebURLRequ est::RequestContextImage, true },
204
205
206 { "require-sri-for script", "https://example.com/file", WebURLRequest::R equestContextAudio, true },
207 { "require-sri-for script", "https://example.com/file", WebURLRequest::R equestContextScript, false },
208 { "require-sri-for script", "https://example.com/file", WebURLRequest::R equestContextImport, false },
209 { "require-sri-for script", "https://example.com/file", WebURLRequest::R equestContextServiceWorker, false },
210 { "require-sri-for script", "https://example.com/file", WebURLRequest::R equestContextSharedWorker, false },
211 { "require-sri-for script", "https://example.com/file", WebURLRequest::R equestContextWorker, false },
212 { "require-sri-for script", "https://example.com/file", WebURLRequest::R equestContextStyle, true },
213
214 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re questContextAudio, true },
215 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re questContextScript, true },
216 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re questContextImport, true },
217 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re questContextServiceWorker, true },
218 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re questContextSharedWorker, true },
219 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re questContextWorker, true },
220 { "require-sri-for style", "https://example.com/file", WebURLRequest::Re questContextStyle, false },
221
222 // Multiple tokens
223 { "require-sri-for script style", "https://example.com/file", WebURLRequ est::RequestContextStyle, false },
224 { "require-sri-for script style", "https://example.com/file", WebURLRequ est::RequestContextScript, false },
225 { "require-sri-for script style", "https://example.com/file", WebURLRequ est::RequestContextImport, false },
226 { "require-sri-for script style", "https://example.com/file", WebURLRequ est::RequestContextImage, true },
227
228 // Matching is case-insensitive
229 { "require-sri-for Script", "https://example.com/file", WebURLRequest::R equestContextScript, false },
230
231 // Unknown tokens do not affect result
232 { "require-sri-for blabla12 as", "https://example.com/file", WebURLReque st::RequestContextScript, true },
233 { "require-sri-for blabla12 as script", "https://example.com/file", Web URLRequest::RequestContextScript, false },
234 { "require-sri-for script style img", "https://example.com/file", WebURL Request::RequestContextScript, false },
235 { "require-sri-for script style img", "https://example.com/file", WebURL Request::RequestContextImport, false },
236 { "require-sri-for script style img", "https://example.com/file", WebURL Request::RequestContextStyle, false },
237 { "require-sri-for script style img", "https://example.com/file", WebURL Request::RequestContextImage, true },
238
239 // Empty token list has no effect
240 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re questContextScript, true },
241 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re questContextImport, true },
242 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re questContextStyle, true },
243 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re questContextServiceWorker, true },
244 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re questContextSharedWorker, true },
245 { "require-sri-for ", "https://example.com/file", WebURLRequest::Re questContextWorker, true },
246
247 // Order does not matter
248 { "require-sri-for a b script", "https://example.com/file", WebURLReques t::RequestContextScript, false },
249 { "require-sri-for a script b", "https://example.com/file", WebURLReques t::RequestContextScript, false },
250 };
251
252 for (const auto& test : cases) {
253 KURL resource = KURL(KURL(), test.url);
254 // Report-only
255 Member<CSPDirectiveList> directiveList = createList(test.list, ContentSe curityPolicyHeaderTypeReport);
256 EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity(tes t.context, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurit yPolicy::SuppressReport));
257
258 // Enforce
259 directiveList = createList(test.list, ContentSecurityPolicyHeaderTypeEnf orce);
260 EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity(tes t.context, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurit yPolicy::SuppressReport));
261 }
262 }
263
186 } // namespace blink 264 } // namespace blink
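Review bot: The table in allowRequestWithoutIntegrity never exercises a policy that lacks `require-sri-for` altogether, so the fail-open baseline that every non-opted-in page depends on is unpinned; a regression that made the new check return false when the directive is absent would pass this test. Add at least `{ "default-src 'self'", "https://example.com/file", WebURLRequest::RequestContextScript, true },` and `{ "script-src 'self'", "https://example.com/file", WebURLRequest::RequestContextStyle, true },` (a policy that names the directive empty, lines 240-245, is not the same thing). The `url` field is identical in every row, so it is dead variation; either drop it or add a row with a different scheme/origin to show the decision is driven by the request context rather than the URL. Both header types are asserted against the same `expected` under SuppressReport, which means the report-only path is never shown to be non-blocking; a case using SendReport on the report-only list that expects true would cover that, assuming the implementation follows the file's existing deny-only-if-enforcing convention, which is not visible in this hunk.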