Adding Embedding-CSP HTTP header

third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp

 /*
  * Copyright (c) 2015, Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 19 matching lines @@
 
 #include "core/loader/FrameFetchContext.h"
 
 #include "core/dom/Document.h"
 #include "core/fetch/FetchInitiatorInfo.h"
 #include "core/fetch/UniqueIdentifier.h"
 #include "core/frame/FrameHost.h"
 #include "core/frame/FrameOwner.h"
 #include "core/frame/FrameView.h"
 #include "core/frame/Settings.h"
+#include "core/html/HTMLIFrameElement.h"
 #include "core/loader/DocumentLoader.h"
 #include "core/loader/EmptyClients.h"
 #include "core/page/Page.h"
 #include "core/testing/DummyPageHolder.h"
 #include "platform/network/ResourceRequest.h"
 #include "platform/weborigin/KURL.h"
 #include "public/platform/WebAddressSpace.h"
 #include "public/platform/WebCachePolicy.h"
 #include "public/platform/WebInsecureRequestPolicy.h"
 #include "testing/gmock/include/gmock/gmock-generated-function-mockers.h"
@@ skipping 106 matching lines @@
     fetchContext =
         static_cast<FrameFetchContext*>(&documentLoader->fetcher()->context());
     owner = DummyFrameOwner::create();
     FrameFetchContext::provideDocumentToContext(*fetchContext, document.get());
   }
 
   KURL url;
   KURL mainResourceUrl;
 };
 
-class FrameFetchContextUpgradeTest : public FrameFetchContextTest {
+class FrameFetchContextModifyRequestTest : public FrameFetchContextTest {
  public:
-  FrameFetchContextUpgradeTest()
+  FrameFetchContextModifyRequestTest()
       : exampleOrigin(SecurityOrigin::create(
             KURL(ParsedURLString, "https://example.test/"))),
         secureOrigin(SecurityOrigin::create(
             KURL(ParsedURLString, "https://secureorigin.test/image.png"))) {}
 
  protected:
   void expectUpgrade(const char* input, const char* expected) {
     expectUpgrade(input, WebURLRequest::RequestContextScript,
                   WebURLRequest::FrameTypeNone, expected);
   }
 
   void expectUpgrade(const char* input,
                      WebURLRequest::RequestContext requestContext,
                      WebURLRequest::FrameType frameType,
                      const char* expected) {
     KURL inputURL(ParsedURLString, input);
     KURL expectedURL(ParsedURLString, expected);
 
     FetchRequest fetchRequest =
         FetchRequest(ResourceRequest(inputURL), FetchInitiatorInfo());
     fetchRequest.mutableResourceRequest().setRequestContext(requestContext);
     fetchRequest.mutableResourceRequest().setFrameType(frameType);
 
-    fetchContext->upgradeInsecureRequest(fetchRequest.mutableResourceRequest());
+    fetchContext->modifyRequestForCSP(fetchRequest.mutableResourceRequest());
 
     EXPECT_EQ(expectedURL.getString(),
               fetchRequest.resourceRequest().url().getString());
     EXPECT_EQ(expectedURL.protocol(),
               fetchRequest.resourceRequest().url().protocol());
     EXPECT_EQ(expectedURL.host(), fetchRequest.resourceRequest().url().host());
     EXPECT_EQ(expectedURL.port(), fetchRequest.resourceRequest().url().port());
     EXPECT_EQ(expectedURL.hasPort(),
               fetchRequest.resourceRequest().url().hasPort());
     EXPECT_EQ(expectedURL.path(), fetchRequest.resourceRequest().url().path());
   }
 
-  void expectHTTPSHeader(const char* input,
-                         WebURLRequest::FrameType frameType,
-                         bool shouldPrefer) {
+  void expectUpgradeInsecureRequestHeader(const char* input,
+                                          WebURLRequest::FrameType frameType,
+                                          bool shouldPrefer) {
     KURL inputURL(ParsedURLString, input);
 
     FetchRequest fetchRequest =
         FetchRequest(ResourceRequest(inputURL), FetchInitiatorInfo());
     fetchRequest.mutableResourceRequest().setRequestContext(
         WebURLRequest::RequestContextScript);
     fetchRequest.mutableResourceRequest().setFrameType(frameType);
 
-    fetchContext->upgradeInsecureRequest(fetchRequest.mutableResourceRequest());
+    fetchContext->modifyRequestForCSP(fetchRequest.mutableResourceRequest());
 
     EXPECT_EQ(shouldPrefer ? String("1") : String(),
               fetchRequest.resourceRequest().httpHeaderField(
                   HTTPNames::Upgrade_Insecure_Requests));
 
-    // Calling upgradeInsecureRequest more than once shouldn't affect the
+    // Calling modifyRequestForCSP more than once shouldn't affect the
     // header.
     if (shouldPrefer) {
-      fetchContext->upgradeInsecureRequest(
-          fetchRequest.mutableResourceRequest());
+      fetchContext->modifyRequestForCSP(fetchRequest.mutableResourceRequest());
       EXPECT_EQ("1", fetchRequest.resourceRequest().httpHeaderField(
                          HTTPNames::Upgrade_Insecure_Requests));
     }
   }
 
+  void expectSetEmbeddingCSPRequestHeader(
+      const char* input,
+      WebURLRequest::FrameType frameType,
+      const AtomicString& expectedEmbeddingCSP) {
+    KURL inputURL(ParsedURLString, input);
+
+    FetchRequest fetchRequest =
+        FetchRequest(ResourceRequest(inputURL), FetchInitiatorInfo());
+    fetchRequest.mutableResourceRequest().setRequestContext(
+        WebURLRequest::RequestContextScript);
+    fetchRequest.mutableResourceRequest().setFrameType(frameType);
+
+    fetchContext->modifyRequestForCSP(fetchRequest.mutableResourceRequest());
+
+    EXPECT_EQ(expectedEmbeddingCSP,
+              fetchRequest.resourceRequest().httpHeaderField(
+                  HTTPNames::Embedding_CSP));
+  }
+
+  void setFrameOwnerBasedOnFrameType(WebURLRequest::FrameType frameType,
+                                     HTMLIFrameElement* iframe,
+                                     const AtomicString& potentialValue) {
+    if (frameType != WebURLRequest::FrameTypeNested) {
+      document->frame()->setOwner(nullptr);
+      return;
+    }
+
+    iframe->setAttribute(HTMLNames::cspAttr, potentialValue);
+    document->frame()->setOwner(iframe);
+  }
+
   RefPtr<SecurityOrigin> exampleOrigin;
   RefPtr<SecurityOrigin> secureOrigin;
 };
 
-TEST_F(FrameFetchContextUpgradeTest, UpgradeInsecureResourceRequests) {
+TEST_F(FrameFetchContextModifyRequestTest, UpgradeInsecureResourceRequests) {
   struct TestCase {
     const char* original;
     const char* upgraded;
   } tests[] = {
       {"http://example.test/image.png", "https://example.test/image.png"},
       {"http://example.test:80/image.png",
        "https://example.test:443/image.png"},
       {"http://example.test:1212/image.png",
        "https://example.test:1212/image.png"},
 
@@ skipping 37 matching lines @@
     // InsecureNavigationsSet:
     document->addInsecureNavigationUpgrade(
         exampleOrigin->host().impl()->hash());
     expectUpgrade(test.original, WebURLRequest::RequestContextScript,
                   WebURLRequest::FrameTypeTopLevel, test.upgraded);
     expectUpgrade(test.original, WebURLRequest::RequestContextScript,
                   WebURLRequest::FrameTypeAuxiliary, test.upgraded);
   }
 }
 
-TEST_F(FrameFetchContextUpgradeTest, DoNotUpgradeInsecureResourceRequests) {
+TEST_F(FrameFetchContextModifyRequestTest,
+       DoNotUpgradeInsecureResourceRequests) {
   FrameFetchContext::provideDocumentToContext(*fetchContext, document.get());
   document->setSecurityOrigin(secureOrigin);
   document->setInsecureRequestPolicy(kLeaveInsecureRequestsAlone);
 
   expectUpgrade("http://example.test/image.png",
                 "http://example.test/image.png");
   expectUpgrade("http://example.test:80/image.png",
                 "http://example.test:80/image.png");
   expectUpgrade("http://example.test:1212/image.png",
                 "http://example.test:1212/image.png");
 
   expectUpgrade("https://example.test/image.png",
                 "https://example.test/image.png");
   expectUpgrade("https://example.test:80/image.png",
                 "https://example.test:80/image.png");
   expectUpgrade("https://example.test:1212/image.png",
                 "https://example.test:1212/image.png");
 
   expectUpgrade("ftp://example.test/image.png", "ftp://example.test/image.png");
   expectUpgrade("ftp://example.test:21/image.png",
                 "ftp://example.test:21/image.png");
   expectUpgrade("ftp://example.test:1212/image.png",
                 "ftp://example.test:1212/image.png");
 }
 
-TEST_F(FrameFetchContextUpgradeTest, SendHTTPSHeader) {
+TEST_F(FrameFetchContextModifyRequestTest, SendUpgradeInsecureRequestHeader) {
   struct TestCase {
     const char* toRequest;
     WebURLRequest::FrameType frameType;
     bool shouldPrefer;
   } tests[] = {
       {"http://example.test/page.html", WebURLRequest::FrameTypeAuxiliary,
        true},
       {"http://example.test/page.html", WebURLRequest::FrameTypeNested, true},
       {"http://example.test/page.html", WebURLRequest::FrameTypeNone, false},
       {"http://example.test/page.html", WebURLRequest::FrameTypeTopLevel, true},
       {"https://example.test/page.html", WebURLRequest::FrameTypeAuxiliary,
        true},
       {"https://example.test/page.html", WebURLRequest::FrameTypeNested, true},
       {"https://example.test/page.html", WebURLRequest::FrameTypeNone, false},
       {"https://example.test/page.html", WebURLRequest::FrameTypeTopLevel,
        true}};
 
   // This should work correctly both when the FrameFetchContext has a Document,
   // and when it doesn't (e.g. during main frame navigations), so run through
   // the tests both before and after providing a document to the context.
   for (const auto& test : tests) {
     document->setInsecureRequestPolicy(kLeaveInsecureRequestsAlone);
-    expectHTTPSHeader(test.toRequest, test.frameType, test.shouldPrefer);
+    expectUpgradeInsecureRequestHeader(test.toRequest, test.frameType,
+                                       test.shouldPrefer);
 
     document->setInsecureRequestPolicy(kUpgradeInsecureRequests);
-    expectHTTPSHeader(test.toRequest, test.frameType, test.shouldPrefer);
+    expectUpgradeInsecureRequestHeader(test.toRequest, test.frameType,
+                                       test.shouldPrefer);
   }
 
   FrameFetchContext::provideDocumentToContext(*fetchContext, document.get());
 
   for (const auto& test : tests) {
     document->setInsecureRequestPolicy(kLeaveInsecureRequestsAlone);
-    expectHTTPSHeader(test.toRequest, test.frameType, test.shouldPrefer);
+    expectUpgradeInsecureRequestHeader(test.toRequest, test.frameType,
+                                       test.shouldPrefer);
 
     document->setInsecureRequestPolicy(kUpgradeInsecureRequests);
-    expectHTTPSHeader(test.toRequest, test.frameType, test.shouldPrefer);
+    expectUpgradeInsecureRequestHeader(test.toRequest, test.frameType,
+                                       test.shouldPrefer);
   }
 }
 
+TEST_F(FrameFetchContextModifyRequestTest, SendEmbeddingCSPHeader) {
+  struct TestCase {
+    const char* toRequest;
+    WebURLRequest::FrameType frameType;
+  } tests[] = {
+      {"https://example.test/page.html", WebURLRequest::FrameTypeAuxiliary},
+      {"https://example.test/page.html", WebURLRequest::FrameTypeNested},
+      {"https://example.test/page.html", WebURLRequest::FrameTypeNone},
+      {"https://example.test/page.html", WebURLRequest::FrameTypeTopLevel}};
+
+  HTMLIFrameElement* iframe = HTMLIFrameElement::create(*document);
+  const AtomicString& requiredCSP = AtomicString("default-src 'none'");
+  const AtomicString& anotherRequiredCSP = AtomicString("default-src 'self'");
+
+  for (const auto& test : tests) {
+    setFrameOwnerBasedOnFrameType(test.frameType, iframe, requiredCSP);
+    expectSetEmbeddingCSPRequestHeader(
+        test.toRequest, test.frameType,
+        test.frameType == WebURLRequest::FrameTypeNested ? requiredCSP
+                                                         : nullAtom);
+
+    setFrameOwnerBasedOnFrameType(test.frameType, iframe, anotherRequiredCSP);
+    expectSetEmbeddingCSPRequestHeader(
+        test.toRequest, test.frameType,
+        test.frameType == WebURLRequest::FrameTypeNested ? anotherRequiredCSP
+                                                         : nullAtom);
+  }
+}
+
 class FrameFetchContextHintsTest : public FrameFetchContextTest {
  public:
   FrameFetchContextHintsTest() {}
 
  protected:
   void expectHeader(const char* input,
                     const char* headerName,
                     bool isPresent,
                     const char* headerValue,
                     float width = 0) {
@@ skipping 368 matching lines @@
     fetchContext->addAdditionalRequestHeaders(mainRequest, FetchMainResource);
     EXPECT_EQ(test.isExternalExpectation, mainRequest.isExternalRequest());
 
     ResourceRequest subRequest(test.url);
     fetchContext->addAdditionalRequestHeaders(subRequest, FetchSubresource);
     EXPECT_EQ(test.isExternalExpectation, subRequest.isExternalRequest());
   }
 }
 
 }  // namespace blink