third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp - Issue 2056183002: Implement the `require-sri-for` CSP directive

Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Issue 2056183002: Implement the `require-sri-for` CSP directive (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Set integrity metadata to stylesheet request before allowRequest() is invoked Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h ('K') | « third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp ('k') | third_party/WebKit/Source/core/html/HTMLLinkElement.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

index 21a4aa270bc72260d78ae8fe64298f24e2dfa822..4d8cbcca199fdcda872f547beffda7ae7d1d611f 100644

--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

@@ -5,9 +5,11 @@

#include "core/frame/csp/ContentSecurityPolicy.h"

#include "core/dom/Document.h"

+#include "core/fetch/IntegrityMetadata.h"

#include "core/frame/csp/CSPDirectiveList.h"

#include "core/loader/DocumentLoader.h"

#include "core/testing/DummyPageHolder.h"

+#include "platform/Crypto.h"

#include "platform/RuntimeEnabledFeatures.h"

#include "platform/network/ContentSecurityPolicyParsers.h"

#include "platform/network/ResourceRequest.h"

@@ -84,8 +86,8 @@ TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressEnabled)

TEST_F(ContentSecurityPolicyTest, CopyStateFrom)

{

- csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);

- csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);

+ csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);

+ csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);

KURL exampleUrl(KURL(), "http://example.com");

KURL notExampleUrl(KURL(), "http://not-example.com");

@@ -206,9 +208,133 @@ TEST_F(ContentSecurityPolicyTest, ObjectSrc)

KURL url(KURL(), "https://example.test");

csp->bindToExecutionContext(document.get());

csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta);

- EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

- EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

- EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+// Tests that requests for scripts and styles are blocked

+// if `require-sri-for` delivered in HTTP header requires integrity be present

+TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity)

+ KURL url(KURL(), "https://example.test");

+ // Enforce

+ Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create();

+ policy->bindToExecutionContext(document.get());

+ policy->didReceiveHeader("require-sri-for script style", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ // Report

+ policy = ContentSecurityPolicy::create();

+ policy->bindToExecutionContext(document.get());

+ policy->didReceiveHeader("require-sri-for script style", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

Mike West 2016/06/24 09:25:07 As noted above, this seems incorrect. Why do we de

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_FALSE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+// Tests that requests for scripts and styles are allowed

+// if `require-sri-for` delivered in HTTP header requires integrity be present

+TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderPresentIntegrity)

+ KURL url(KURL(), "https://example.test");

+ IntegrityMetadataSet integrityMetadata;

+ integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair());

+ csp->bindToExecutionContext(document.get());

+ // Enforce

+ Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create();

+ policy->bindToExecutionContext(document.get());

+ policy->didReceiveHeader("require-sri-for script style", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextScript, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImport, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextStyle, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ EXPECT_TRUE(policy->allowRequest(WebURLRequest::RequestContextImage, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

+ // Content-Security-Policy-Report-Only is not supported in meta element,

+ // so nothing should be blocked