OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPSource.h" | 5 #include "core/frame/csp/CSPSource.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/network/ResourceRequest.h" | 9 #include "platform/network/ResourceRequest.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
116 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/"))); | 116 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/"))); |
117 | 117 |
118 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/"))); | 118 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/"))); |
119 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/"))); | 119 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/"))); |
120 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/"))); | 120 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/"))); |
121 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/"))); | 121 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/"))); |
122 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/"))); | 122 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/"))); |
123 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/"))); | 123 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/"))); |
124 } | 124 } |
125 | 125 |
| 126 TEST_F(CSPSourceTest, IsSimilar) { |
| 127 struct Source { |
| 128 const char* scheme; |
| 129 const char* host; |
| 130 const char* path; |
| 131 const int port; |
| 132 }; |
| 133 struct TestCase { |
| 134 const Source a; |
| 135 const Source b; |
| 136 bool isSimilar; |
| 137 } cases[] = { |
| 138 // Similar |
| 139 {{"http", "example.com", "/", 0}, {"http", "example.com", "/", 0}, true}, |
| 140 // Schemes |
| 141 {{"https", "example.com", "/", 0}, |
| 142 {"https", "example.com", "/", 0}, |
| 143 true}, |
| 144 {{"https", "example.com", "/", 0}, {"http", "example.com", "/", 0}, true}, |
| 145 {{"ws", "example.com", "/", 0}, {"wss", "example.com", "/", 0}, true}, |
| 146 // Ports |
| 147 {{"http", "example.com", "/", 90}, |
| 148 {"http", "example.com", "/", 90}, |
| 149 true}, |
| 150 {{"wss", "example.com", "/", 0}, |
| 151 {"wss", "example.com", "/", 0}, |
| 152 true}, // use default port |
| 153 {{"http", "example.com", "/", 80}, {"http", "example.com", "/", 0}, true}, |
| 154 // Paths |
| 155 {{"http", "example.com", "/", 0}, |
| 156 {"http", "example.com", "/1.html", 0}, |
| 157 true}, |
| 158 {{"http", "example.com", "/", 0}, {"http", "example.com", "", 0}, true}, |
| 159 {{"http", "example.com", "/", 0}, |
| 160 {"http", "example.com", "/a/b/", 0}, |
| 161 true}, |
| 162 {{"http", "example.com", "/a/", 0}, |
| 163 {"http", "example.com", "/a/", 0}, |
| 164 true}, |
| 165 {{"http", "example.com", "/a/", 0}, |
| 166 {"http", "example.com", "/a/b/", 0}, |
| 167 true}, |
| 168 {{"http", "example.com", "/a/", 0}, |
| 169 {"http", "example.com", "/a/b/1.html", 0}, |
| 170 true}, |
| 171 {{"http", "example.com", "/1.html", 0}, |
| 172 {"http", "example.com", "/1.html", 0}, |
| 173 true}, |
| 174 // Mixed |
| 175 {{"http", "example.com", "/1.html", 90}, |
| 176 {"http", "example.com", "/", 90}, |
| 177 true}, |
| 178 {{"https", "example.com", "/", 0}, {"http", "example.com", "/", 0}, true}, |
| 179 {{"http", "example.com", "/a/", 90}, |
| 180 {"https", "example.com", "", 90}, |
| 181 true}, |
| 182 {{"wss", "example.com", "/a/", 90}, |
| 183 {"ws", "example.com", "/a/b/", 90}, |
| 184 true}, |
| 185 {{"https", "example.com", "/a/", 90}, |
| 186 {"https", "example.com", "/a/b/", 90}, |
| 187 true}, |
| 188 // Not Similar |
| 189 {{"http", "example.com", "/a/", 0}, |
| 190 {"https", "example.com", "", 90}, |
| 191 false}, |
| 192 {{"https", "example.com", "/", 0}, |
| 193 {"https", "example.com", "/", 90}, |
| 194 false}, |
| 195 {{"http", "example.com", "/", 0}, {"http", "another.com", "/", 0}, false}, |
| 196 {{"wss", "example.com", "/", 0}, {"http", "example.com", "/", 0}, false}, |
| 197 {{"wss", "example.com", "/", 0}, {"about", "example.com", "/", 0}, false}, |
| 198 {{"http", "example.com", "/", 0}, |
| 199 {"about", "example.com", "/", 0}, |
| 200 false}, |
| 201 {{"http", "example.com", "/1.html", 0}, |
| 202 {"http", "example.com", "/2.html", 0}, |
| 203 false}, |
| 204 {{"http", "example.com", "/a/1.html", 0}, |
| 205 {"http", "example.com", "/a/b/", 0}, |
| 206 false}, |
| 207 {{"http", "example.com", "/", 443}, |
| 208 {"about", "example.com", "/", 800}, |
| 209 false}, |
| 210 }; |
| 211 |
| 212 for (const auto& test : cases) { |
| 213 CSPSource* returned = new CSPSource( |
| 214 csp.get(), test.a.scheme, test.a.host, test.a.port, test.a.path, |
| 215 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 216 |
| 217 CSPSource* required = new CSPSource( |
| 218 csp.get(), test.b.scheme, test.b.host, test.b.port, test.b.path, |
| 219 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 220 |
| 221 EXPECT_EQ(returned->isSimilar(required), test.isSimilar); |
| 222 // Verify the same test with a and b swapped. |
| 223 EXPECT_EQ(required->isSimilar(returned), test.isSimilar); |
| 224 } |
| 225 } |
| 226 |
| 227 TEST_F(CSPSourceTest, IsSubsumedByNotSimilar) { |
| 228 struct Source { |
| 229 const char* scheme; |
| 230 const char* host; |
| 231 const char* path; |
| 232 const int port; |
| 233 }; |
| 234 struct TestCase { |
| 235 const Source a; |
| 236 const Source b; |
| 237 } cases[] = { |
| 238 {{"http", "example.com", "/", 0}, {"http", "another.com", "/", 0}}, |
| 239 {{"wss", "example.com", "/", 0}, {"http", "example.com", "/", 0}}, |
| 240 {{"wss", "example.com", "/", 0}, {"about", "example.com", "/", 0}}, |
| 241 {{"http", "example.com", "/", 0}, {"about", "example.com", "/", 0}}, |
| 242 {{"http", "example.com", "/1.html", 0}, |
| 243 {"http", "example.com", "/2.html", 0}}, |
| 244 {{"http", "example.com", "/", 443}, {"about", "example.com", "/", 800}}, |
| 245 }; |
| 246 for (const auto& test : cases) { |
| 247 CSPSource* returned = new CSPSource( |
| 248 csp.get(), test.a.scheme, test.a.host, test.a.port, test.a.path, |
| 249 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 250 |
| 251 CSPSource* required = new CSPSource( |
| 252 csp.get(), test.b.scheme, test.b.host, test.b.port, test.b.path, |
| 253 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 254 |
| 255 EXPECT_FALSE(returned->isSubsumedBy(required)); |
| 256 // Verify the same test with a and b swapped. |
| 257 EXPECT_FALSE(required->isSubsumedBy(returned)); |
| 258 } |
| 259 } |
| 260 |
| 261 TEST_F(CSPSourceTest, IsSubsumedByNoWildcards) { |
| 262 struct Source { |
| 263 const char* scheme; |
| 264 const char* path; |
| 265 const int port; |
| 266 }; |
| 267 struct TestCase { |
| 268 const Source a; |
| 269 const Source b; |
| 270 bool expected; |
| 271 bool expectedWhenSwapped; |
| 272 } cases[] = { |
| 273 // Equal signals |
| 274 {{"http", "/", 0}, {"http", "/", 0}, true, true}, |
| 275 {{"https", "/", 0}, {"https", "/", 0}, true, true}, |
| 276 {{"https", "/page1.html", 0}, {"https", "/page1.html", 0}, true, true}, |
| 277 {{"http", "/", 80}, {"http", "/", 80}, true, true}, |
| 278 {{"https", "/", 80}, {"https", "/", 80}, true, true}, |
| 279 {{"https", "/page1.html", 0}, {"https", "/page1.html", 0}, true, true}, |
| 280 {{"http", "/page1.html", 80}, {"http", "/page1.html", 80}, true, true}, |
| 281 {{"https", "/page1.html", 80}, {"https", "/page1.html", 80}, true, true}, |
| 282 // One stronger signal in the first CSPSource |
| 283 {{"https", "/", 0}, {"http", "/", 0}, true, false}, |
| 284 {{"http", "/page1.html", 0}, {"http", "/", 0}, true, false}, |
| 285 {{"http", "/", 80}, |
| 286 {"http", "/", 0}, |
| 287 true, |
| 288 false}, // 80 does match to default port |
| 289 {{"http", "/", 800}, |
| 290 {"http", "/", 0}, |
| 291 false, |
| 292 false}, // 800 does not match to default port |
| 293 // Two stronger signals in the first CSPSource |
| 294 {{"https", "/page1.html", 0}, {"http", "/", 0}, true, false}, |
| 295 {{"https", "/", 80}, {"http", "/", 0}, true, false}, |
| 296 {{"http", "/page1.html", 80}, {"http", "/", 0}, true, false}, |
| 297 // Three stronger signals in the first CSPSource |
| 298 {{"https", "/page1.html", 80}, {"http", "/", 0}, true, false}, |
| 299 // Mixed signals |
| 300 {{"https", "/", 0}, {"http", "/page1.html", 0}, false, false}, |
| 301 {{"https", "/", 0}, {"http", "/", 80}, false, false}, |
| 302 {{"http", "/page1.html", 0}, {"http", "/", 80}, false, false}, |
| 303 }; |
| 304 |
| 305 for (const auto& test : cases) { |
| 306 CSPSource* returned = new CSPSource( |
| 307 csp.get(), test.a.scheme, "example.com", test.a.port, test.a.path, |
| 308 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 309 |
| 310 CSPSource* required = new CSPSource( |
| 311 csp.get(), test.b.scheme, "example.com", test.b.port, test.b.path, |
| 312 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 313 |
| 314 EXPECT_EQ(returned->isSubsumedBy(required), test.expected); |
| 315 // Verify the same test with a and b swapped. |
| 316 EXPECT_EQ(required->isSubsumedBy(returned), test.expectedWhenSwapped); |
| 317 } |
| 318 |
| 319 // When returned CSP has a wildcard but the required csp doesn't, then it is |
| 320 // not subsumed. |
| 321 for (const auto& test : cases) { |
| 322 CSPSource* returned = new CSPSource( |
| 323 csp.get(), test.a.scheme, "example.com", test.a.port, test.a.path, |
| 324 CSPSource::HasWildcard, CSPSource::NoWildcard); |
| 325 CSPSource* required = new CSPSource( |
| 326 csp.get(), test.b.scheme, "example.com", test.b.port, test.b.path, |
| 327 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 328 |
| 329 EXPECT_FALSE(returned->isSubsumedBy(required)); |
| 330 |
| 331 // If required csp also allows a wildcard in host, then the answer should be |
| 332 // as expected. |
| 333 CSPSource* required2 = new CSPSource( |
| 334 csp.get(), test.b.scheme, "example.com", test.b.port, test.b.path, |
| 335 CSPSource::HasWildcard, CSPSource::NoWildcard); |
| 336 EXPECT_EQ(returned->isSubsumedBy(required2), test.expected); |
| 337 } |
| 338 } |
| 339 |
| 340 TEST_F(CSPSourceTest, IsSubsumedByWildcards) { |
| 341 struct Wildcards { |
| 342 CSPSource::WildcardDisposition hostDispotion; |
| 343 CSPSource::WildcardDisposition portDispotion; |
| 344 }; |
| 345 struct TestCase { |
| 346 const Wildcards a; |
| 347 const Wildcards b; |
| 348 bool expected; |
| 349 } cases[] = { |
| 350 // One out of four possible wildcards. |
| 351 {{CSPSource::HasWildcard, CSPSource::NoWildcard}, |
| 352 {CSPSource::NoWildcard, CSPSource::NoWildcard}, |
| 353 false}, |
| 354 {{CSPSource::NoWildcard, CSPSource::HasWildcard}, |
| 355 {CSPSource::NoWildcard, CSPSource::NoWildcard}, |
| 356 false}, |
| 357 {{CSPSource::NoWildcard, CSPSource::NoWildcard}, |
| 358 {CSPSource::NoWildcard, CSPSource::HasWildcard}, |
| 359 true}, |
| 360 {{CSPSource::NoWildcard, CSPSource::NoWildcard}, |
| 361 {CSPSource::HasWildcard, CSPSource::NoWildcard}, |
| 362 true}, |
| 363 // Two out of four possible wildcards. |
| 364 {{CSPSource::HasWildcard, CSPSource::HasWildcard}, |
| 365 {CSPSource::NoWildcard, CSPSource::NoWildcard}, |
| 366 false}, |
| 367 {{CSPSource::HasWildcard, CSPSource::NoWildcard}, |
| 368 {CSPSource::HasWildcard, CSPSource::NoWildcard}, |
| 369 true}, |
| 370 {{CSPSource::HasWildcard, CSPSource::NoWildcard}, |
| 371 {CSPSource::NoWildcard, CSPSource::HasWildcard}, |
| 372 false}, |
| 373 {{CSPSource::NoWildcard, CSPSource::HasWildcard}, |
| 374 {CSPSource::HasWildcard, CSPSource::NoWildcard}, |
| 375 false}, |
| 376 {{CSPSource::NoWildcard, CSPSource::HasWildcard}, |
| 377 {CSPSource::NoWildcard, CSPSource::HasWildcard}, |
| 378 true}, |
| 379 {{CSPSource::NoWildcard, CSPSource::NoWildcard}, |
| 380 {CSPSource::HasWildcard, CSPSource::HasWildcard}, |
| 381 true}, |
| 382 // Three out of four possible wildcards. |
| 383 {{CSPSource::HasWildcard, CSPSource::HasWildcard}, |
| 384 {CSPSource::HasWildcard, CSPSource::NoWildcard}, |
| 385 false}, |
| 386 {{CSPSource::HasWildcard, CSPSource::HasWildcard}, |
| 387 {CSPSource::NoWildcard, CSPSource::HasWildcard}, |
| 388 false}, |
| 389 {{CSPSource::HasWildcard, CSPSource::NoWildcard}, |
| 390 {CSPSource::HasWildcard, CSPSource::HasWildcard}, |
| 391 true}, |
| 392 {{CSPSource::NoWildcard, CSPSource::HasWildcard}, |
| 393 {CSPSource::HasWildcard, CSPSource::HasWildcard}, |
| 394 true}, |
| 395 // Four out of four possible wildcards. |
| 396 {{CSPSource::HasWildcard, CSPSource::HasWildcard}, |
| 397 {CSPSource::HasWildcard, CSPSource::HasWildcard}, |
| 398 true}, |
| 399 }; |
| 400 |
| 401 // There are different cases for wildcards but now also the second CSPSource |
| 402 // has a more specific path. |
| 403 for (const auto& test : cases) { |
| 404 CSPSource* returned = |
| 405 new CSPSource(csp.get(), "http", "example.com", 0, "/", |
| 406 test.a.hostDispotion, test.a.portDispotion); |
| 407 CSPSource* required = |
| 408 new CSPSource(csp.get(), "http", "example.com", 0, "/", |
| 409 test.b.hostDispotion, test.b.portDispotion); |
| 410 EXPECT_EQ(returned->isSubsumedBy(required), test.expected); |
| 411 |
| 412 // Wildcards should not matter when required csp is stricter than returned |
| 413 // csp. |
| 414 CSPSource* required2 = |
| 415 new CSPSource(csp.get(), "https", "example.com", 0, "/", |
| 416 test.b.hostDispotion, test.b.portDispotion); |
| 417 EXPECT_FALSE(returned->isSubsumedBy(required2)); |
| 418 } |
| 419 } |
| 420 |
| 421 TEST_F(CSPSourceTest, IsSubsumedBySchemesOnly) { |
| 422 struct TestCase { |
| 423 String aScheme; |
| 424 String bScheme; |
| 425 bool expected; |
| 426 } cases[] = { |
| 427 // HTTP |
| 428 {"http", "http", true}, |
| 429 {"http", "https", false}, |
| 430 {"https", "http", true}, |
| 431 {"https", "https", true}, |
| 432 // WSS |
| 433 {"ws", "ws", true}, |
| 434 {"ws", "wss", false}, |
| 435 {"wss", "ws", true}, |
| 436 {"wss", "wss", true}, |
| 437 // Unequal |
| 438 {"ws", "http", false}, |
| 439 {"http", "ws", false}, |
| 440 {"http", "about", false}, |
| 441 }; |
| 442 for (const auto& test : cases) { |
| 443 CSPSource* returned = |
| 444 new CSPSource(csp.get(), test.aScheme, "example.com", 0, "/", |
| 445 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 446 CSPSource* required = |
| 447 new CSPSource(csp.get(), test.bScheme, "example.com", 0, "/", |
| 448 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 449 EXPECT_EQ(returned->isSubsumedBy(required), test.expected); |
| 450 } |
| 451 } |
| 452 |
126 } // namespace blink | 453 } // namespace blink |
OLD | NEW |