Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(312)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp

Issue 2056183002: Implement the `require-sri-for` CSP directive (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Set integrity metadata to stylesheet request before allowRequest() is invoked Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp ('K') | « third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp ('k') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
index 424b8a529428f590ea4b3a7e9fe239027ca45d1a..627ab633dcfd886c014beb9b3f1401a4e17edd8a 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
@@ -183,4 +183,81 @@ TEST_F(CSPDirectiveListTest, AllowFromSourceWithNonce)
}
}
+TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity)
+{
+ struct TestCase {
+ const char* list;
+ const char* url;
+ const WebURLRequest::RequestContext context;
+ bool expected;
+ } cases[] = {
+
+ { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+
+ // Extra WSP
+ { "require-sri-for script script ", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+ { "require-sri-for style script", "https://example.com/file", WebURLRequest::RequestContextStyle, false },
+
+ { "require-sri-for style script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+ { "require-sri-for style script", "https://example.com/file", WebURLRequest::RequestContextImport, false },
+ { "require-sri-for style script", "https://example.com/file", WebURLRequest::RequestContextImage, true },
+
+ { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextAudio, true },
+ { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+ { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextImport, false },
+ { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextServiceWorker, false },
+ { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextSharedWorker, false },
+ { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextWorker, false },
+ { "require-sri-for script", "https://example.com/file", WebURLRequest::RequestContextStyle, true },
+
+ { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextAudio, true },
+ { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextScript, true },
+ { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextImport, true },
+ { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextServiceWorker, true },
+ { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextSharedWorker, true },
+ { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextWorker, true },
+ { "require-sri-for style", "https://example.com/file", WebURLRequest::RequestContextStyle, false },
+
+ // Multiple tokens
+ { "require-sri-for script style", "https://example.com/file", WebURLRequest::RequestContextStyle, false },
+ { "require-sri-for script style", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+ { "require-sri-for script style", "https://example.com/file", WebURLRequest::RequestContextImport, false },
+ { "require-sri-for script style", "https://example.com/file", WebURLRequest::RequestContextImage, true },
+
+ // Matching is case-insensitive
+ { "require-sri-for Script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+
+ // Unknown tokens do not affect result
+ { "require-sri-for blabla12 as", "https://example.com/file", WebURLRequest::RequestContextScript, true },
+ { "require-sri-for blabla12 as script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+ { "require-sri-for script style img", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+ { "require-sri-for script style img", "https://example.com/file", WebURLRequest::RequestContextImport, false },
+ { "require-sri-for script style img", "https://example.com/file", WebURLRequest::RequestContextStyle, false },
+ { "require-sri-for script style img", "https://example.com/file", WebURLRequest::RequestContextImage, true },
+
+ // Empty token list has no effect
+ { "require-sri-for ", "https://example.com/file", WebURLRequest::RequestContextScript, true },
+ { "require-sri-for ", "https://example.com/file", WebURLRequest::RequestContextImport, true },
+ { "require-sri-for ", "https://example.com/file", WebURLRequest::RequestContextStyle, true },
+ { "require-sri-for ", "https://example.com/file", WebURLRequest::RequestContextServiceWorker, true },
+ { "require-sri-for ", "https://example.com/file", WebURLRequest::RequestContextSharedWorker, true },
+ { "require-sri-for ", "https://example.com/file", WebURLRequest::RequestContextWorker, true },
+
+ // Order does not matter
+ { "require-sri-for a b script", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+ { "require-sri-for a script b", "https://example.com/file", WebURLRequest::RequestContextScript, false },
+ };
+
+ for (const auto& test : cases) {
+ KURL resource = KURL(KURL(), test.url);
+ // Report-only
+ Member<CSPDirectiveList> directiveList = createList(test.list, ContentSecurityPolicyHeaderTypeReport);
+ EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity(test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+
+ // Enforce
+ directiveList = createList(test.list, ContentSecurityPolicyHeaderTypeEnforce);
+ EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity(test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+ }
+}
+
} // namespace blink
« third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp ('K') | « third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp ('k') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698