Implement the `require-sri-for` CSP directive

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
index 21a4aa270bc72260d78ae8fe64298f24e2dfa822..e9d6851fbf039403e473152e1df380df4fdc248c 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
@@ -5,9 +5,11 @@
 #include "core/frame/csp/ContentSecurityPolicy.h"
 
 #include "core/dom/Document.h"
+#include "core/fetch/IntegrityMetadata.h"
 #include "core/frame/csp/CSPDirectiveList.h"
 #include "core/loader/DocumentLoader.h"
 #include "core/testing/DummyPageHolder.h"
+#include "platform/Crypto.h"
 #include "platform/RuntimeEnabledFeatures.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
 #include "platform/network/ResourceRequest.h"
@@ -206,9 +208,64 @@ TEST_F(ContentSecurityPolicyTest, ObjectSrc)
     KURL url(KURL(), "https://example.test");
     csp->bindToExecutionContext(document.get());
     csp->didReceiveHeader("object-src 'none';", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta);
-    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
-    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
-    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, String(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextObject, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEmbed, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+}
+
+
+// Tests that require-sri-for that is set for scripts and styles blocks
+// requests without integrity metadata
+TEST_F(ContentSecurityPolicyTest, RequireSRIForMissingIntegrity)
+{
+    KURL url(KURL(), "https://example.test");
+    csp->bindToExecutionContext(document.get());
+    // Enforce
+    csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta);
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    // Report
+    csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceMeta);
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextScript, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));

[Mike West, 2016/06/21 07:29:36]

Right now, you're applying both report-only and enforce to the same
ContentSecurityPolicy object, so you're not actually testing that the
report-only header in isolation. Please split them up.

[Sergey Shekyan, 2016/06/22 06:25:14]

I split them and added another set of tests for policy delivered through meta.
But I am not sure what report-only tests here, because allowRequest behaves the
same way both for enforce and report. 

[Mike West, 2016/06/24 09:25:06]

That shouldn't be the case. That is, `script-src 'none'` has no effect in
report-only mode beyond sending the report: it should return `true` for
`allowRequest`, whereas it should return `false` if in enforce-mode. Similarly,
`allowRequest` should basically always return `true` when `require-sri-for` is
in report-only mode.

+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextImport, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextWorker, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, String(), IntegrityMetadataSet(), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+}
+
+// Tests that require-sri-for that is set for scripts and styles allows
+// requests with integrity metadata
+TEST_F(ContentSecurityPolicyTest, RequireSRIForPresentIntegrity)
+{
+    KURL url(KURL(), "https://example.test");
+    IntegrityMetadataSet integrityMetadata;
+    integrityMetadata.add(IntegrityMetadata("1234", HashAlgorithmSha384).toPair());
+    csp->bindToExecutionContext(document.get());
+    // Enforce
+    csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceMeta);
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextScript, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImport, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    // Report
+    csp->didReceiveHeader("require-sri-for script style;", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceMeta);

[Mike West, 2016/06/21 07:29:36]

Ditto.

[Sergey Shekyan, 2016/06/22 06:25:14]

Acknowledged.

+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextScript, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImport, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextStyle, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextServiceWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextSharedWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextWorker, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
+    EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextImage, url, String(), integrityMetadata, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
 }
 
 TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy)