
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Issue 2404373003: Experimental Feature: Allow-CSP-From header (Closed)
Patch Set: Adding console message, moving to testharness tests, adding CSPTest Created 4 years, 2 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "core/frame/csp/ContentSecurityPolicy.h" 5 #include "core/frame/csp/ContentSecurityPolicy.h"
6 6
7 #include "core/dom/Document.h" 7 #include "core/dom/Document.h"
8 #include "core/fetch/IntegrityMetadata.h" 8 #include "core/fetch/IntegrityMetadata.h"
9 #include "core/frame/csp/CSPDirectiveList.h" 9 #include "core/frame/csp/CSPDirectiveList.h"
10 #include "core/loader/DocumentLoader.h" 10 #include "core/loader/DocumentLoader.h"
855 ContentSecurityPolicyHeaderSourceHTTP); 855 ContentSecurityPolicyHeaderSourceHTTP);
856 policy->didReceiveHeader(test.policy2, 856 policy->didReceiveHeader(test.policy2,
857 ContentSecurityPolicyHeaderTypeReport, 857 ContentSecurityPolicyHeaderTypeReport,
858 ContentSecurityPolicyHeaderSourceHTTP); 858 ContentSecurityPolicyHeaderSourceHTTP);
859 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce), 859 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce),
860 ParserInserted)); 860 ParserInserted));
861 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); 861 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());
862 } 862 }
863 } 863 }
864 864
865 TEST_F(ContentSecurityPolicyTest, ShouldEnforceEmbeddersPolicy) {
866 ResourceResponse response;
867 response.setURL(KURL(ParsedURLString, "about:blank"));
868 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From,
869 AtomicString("not a valid header"));
870 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
871 response, secureOrigin.get()));
872
873 // Same origin automatically should accept required CSP.
Mike West 2016/10/17 14:54:28 I think this test would be clearer if it didn't re
874 response.setURL(KURL(ParsedURLString, "https://example.test/index.html"));
875 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
876 response, secureOrigin.get()));
877
878 // Protocols do not match.
879 response.setURL(KURL(ParsedURLString, "http://example.test/index.html"));
880 EXPECT_FALSE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
881 response, secureOrigin.get()));
882
883 // Different origin and invalid header.
884 response.setURL(KURL(ParsedURLString, "https://different.test/index.html"));
885 EXPECT_FALSE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
886 response, secureOrigin.get()));
887
888 // Different origin and valid header but not equal to the embedder origin.
889 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From,
890 AtomicString("http://example.test"));
891 EXPECT_FALSE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
892 response, secureOrigin.get()));
893
894 // Different origin and valid header.
895 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From,
896 AtomicString("https://example.test"));
897 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
898 response, secureOrigin.get()));
899
900 // Star should enforce any embedder's policy.
901 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, AtomicString("*"));
902 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
903 response, secureOrigin.get()));
904 }
905
865 } // namespace blink 906 } // namespace blink
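Review bot: ShouldEnforceEmbeddersPolicy never exercises a cross-origin response that carries no Allow-CSP-From header at all — the header is set at line 868 before the first expectation and every later case only changes its value, so the default path (header absent ⇒ embedder policy not enforced) has no coverage even though it is the case that matters most for a fail-closed check. A fresh response with only a URL covers it: `ResourceResponse noHeader;` / `noHeader.setURL(KURL(ParsedURLString, "https://different.test/index.html"));` / `EXPECT_FALSE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(noHeader, secureOrigin.get()));`. A header value that matches the embedder's scheme and host but not its port (a constructed value such as `https://example.test:8443`) would also be worth an EXPECT_FALSE, since the rest of the test only varies scheme and host. The first expectation at line 870 asserts enforcement for about:blank with an unparseable header; if that is intentional because about:blank is treated as the embedder's own origin, a comment such as `// about:blank is same-origin with the embedder, so the header value is irrelevant.` would keep it from reading as "invalid header ⇒ enforce".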
