Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp |
index 21a4aa270bc72260d78ae8fe64298f24e2dfa822..e9d6851fbf039403e473152e1df380df4fdc248c 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp |
@@ -5,9 +5,11 @@ |
#include "core/frame/csp/ContentSecurityPolicy.h" |
#include "core/dom/Document.h" |
+#include "core/fetch/IntegrityMetadata.h" |
#include "core/frame/csp/CSPDirectiveList.h" |
#include "core/loader/DocumentLoader.h" |
#include "core/testing/DummyPageHolder.h" |
+#include "platform/Crypto.h" |
#include "platform/RuntimeEnabledFeatures.h" |
#include "platform/network/ContentSecurityPolicyParsers.h" |
#include "platform/network/ResourceRequest.h" |
@@ -206,9 +208,64 @@ TEST_F(ContentSecurityPolicyTest, ObjectSrc) |
KURL url(KURL(), "https://example.test"); |
csp->bindToExecutionContext(document.get()); |
csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); |
- EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
- EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
- EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+} |
+ |
+ |
+// Tests that require-sri-for that is set for scripts and styles blocks |
+// requests without integrity metadata |
+TEST_F(ContentSecurityPolicyTest, RequireSRIForMissingIntegrity) |
+{ |
+ KURL url(KURL(), "https://example.test"); |
+ csp->bindToExecutionContext(document.get()); |
+ // Enforce |
+ csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ // Report |
+ csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceMeta); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
Mike West
2016/06/21 07:29:36
Right now, you're applying both report-only and en
Sergey Shekyan
2016/06/22 06:25:14
I split them and added another set of tests for po
Mike West
2016/06/24 09:25:06
That shouldn't be the case. That is, `script-src '
|
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+} |
+ |
+// Tests that require-sri-for that is set for scripts and styles allows |
+// requests with integrity metadata |
+TEST_F(ContentSecurityPolicyTest, RequireSRIForPresentIntegrity) |
+{ |
+ KURL url(KURL(), "https://example.test"); |
+ IntegrityMetadataSet integrityMetadata; |
+ integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair()); |
+ csp->bindToExecutionContext(document.get()); |
+ // Enforce |
+ csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextScript, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImport, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ // Report |
+ csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceMeta); |
Mike West
2016/06/21 07:29:36
Ditto.
Sergey Shekyan
2016/06/22 06:25:14
Acknowledged.
|
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextScript, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImport, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
+ EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport)); |
} |
TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy) |