| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
| 6 | 6 |
| 7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
| 9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
| 11 #include "platform/weborigin/KURL.h" | 11 #include "platform/weborigin/KURL.h" |
| 12 #include "platform/weborigin/SchemeRegistry.h" | 12 #include "platform/weborigin/SchemeRegistry.h" |
| 13 #include "platform/weborigin/SecurityOrigin.h" | 13 #include "platform/weborigin/SecurityOrigin.h" |
| 14 #include "testing/gtest/include/gtest/gtest.h" | 14 #include "testing/gtest/include/gtest/gtest.h" |
| 15 | 15 |
| 16 namespace blink { | 16 namespace blink { |
| 17 | 17 |
| 18 class SourceListDirectiveTest : public ::testing::Test { | 18 class SourceListDirectiveTest : public ::testing::Test { |
| 19 public: | 19 public: |
| 20 SourceListDirectiveTest() : csp(ContentSecurityPolicy::create()) {} | 20 SourceListDirectiveTest() : csp(ContentSecurityPolicy::create()) {} |
| 21 | 21 |
| 22 protected: | 22 protected: |
| 23 struct Source { |
| 24 String scheme; |
| 25 String host; |
| 26 const int port; |
| 27 String path; |
| 28 CSPSource::WildcardDisposition hostWildcard; |
| 29 CSPSource::WildcardDisposition portWildcard; |
| 30 }; |
| 31 |
| 23 virtual void SetUp() { | 32 virtual void SetUp() { |
| 24 KURL secureURL(ParsedURLString, "https://example.test/image.png"); | 33 KURL secureURL(ParsedURLString, "https://example.test/image.png"); |
| 25 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); | 34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); |
| 26 document = Document::create(); | 35 document = Document::create(); |
| 27 document->setSecurityOrigin(secureOrigin); | 36 document->setSecurityOrigin(secureOrigin); |
| 28 csp->bindToExecutionContext(document.get()); | 37 csp->bindToExecutionContext(document.get()); |
| 29 } | 38 } |
| 30 | 39 |
| 40 bool equalSources(const Source& a, const Source& b) { |
| 41 return a.scheme == b.scheme && a.host == b.host && a.port == b.port && |
| 42 a.path == b.path && a.hostWildcard == b.hostWildcard && |
| 43 a.portWildcard == b.portWildcard; |
| 44 } |
| 45 |
| 31 Persistent<ContentSecurityPolicy> csp; | 46 Persistent<ContentSecurityPolicy> csp; |
| 32 Persistent<Document> document; | 47 Persistent<Document> document; |
| 33 }; | 48 }; |
| 34 | 49 |
| 35 TEST_F(SourceListDirectiveTest, BasicMatchingNone) { | 50 TEST_F(SourceListDirectiveTest, BasicMatchingNone) { |
| 36 KURL base; | 51 KURL base; |
| 37 String sources = "'none'"; | 52 String sources = "'none'"; |
| 38 SourceListDirective sourceList("script-src", sources, csp.get()); | 53 SourceListDirective sourceList("script-src", sources, csp.get()); |
| 39 | 54 |
| 40 EXPECT_FALSE(sourceList.allows(KURL(base, "http://example.com/"))); | 55 EXPECT_FALSE(sourceList.allows(KURL(base, "http://example.com/"))); |
| (...skipping 165 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 206 ResourceRequest::RedirectStatus::FollowedRedirect)); | 221 ResourceRequest::RedirectStatus::FollowedRedirect)); |
| 207 EXPECT_TRUE( | 222 EXPECT_TRUE( |
| 208 sourceList.allows(KURL(base, "https://example1.com/bar/"), | 223 sourceList.allows(KURL(base, "https://example1.com/bar/"), |
| 209 ResourceRequest::RedirectStatus::FollowedRedirect)); | 224 ResourceRequest::RedirectStatus::FollowedRedirect)); |
| 210 | 225 |
| 211 EXPECT_FALSE( | 226 EXPECT_FALSE( |
| 212 sourceList.allows(KURL(base, "http://example3.com/foo/"), | 227 sourceList.allows(KURL(base, "http://example3.com/foo/"), |
| 213 ResourceRequest::RedirectStatus::FollowedRedirect)); | 228 ResourceRequest::RedirectStatus::FollowedRedirect)); |
| 214 } | 229 } |
| 215 | 230 |
| 231 TEST_F(SourceListDirectiveTest, GetIntersectCSPSources) { |
| 232 KURL base; |
| 233 String sources = |
| 234 "http://example1.com/foo/ http://*.example2.com/bar/ " |
| 235 "http://*.example3.com:*/bar/"; |
| 236 SourceListDirective sourceList("script-src", sources, csp.get()); |
| 237 struct TestCase { |
| 238 String sources; |
| 239 String expected; |
| 240 } cases[] = { |
| 241 {"http://example1.com/foo/ http://example2.com/bar/", |
| 242 "http://example1.com/foo/ http://example2.com/bar/"}, |
| 243 // Normalizing schemes. |
| 244 {"https://example1.com/foo/ http://example2.com/bar/", |
| 245 "https://example1.com/foo/ http://example2.com/bar/"}, |
| 246 {"https://example1.com/foo/ https://example2.com/bar/", |
| 247 "https://example1.com/foo/ https://example2.com/bar/"}, |
| 248 {"https://example1.com/foo/ wss://example2.com/bar/", |
| 249 "https://example1.com/foo/"}, |
| 250 // Normalizing hosts. |
| 251 {"http://*.example1.com/foo/ http://*.example2.com/bar/", |
| 252 "http://example1.com/foo/ http://*.example2.com/bar/"}, |
| 253 {"http://*.example1.com/foo/ http://foo.example2.com/bar/", |
| 254 "http://example1.com/foo/ http://foo.example2.com/bar/"}, |
| 255 // Normalizing ports. |
| 256 {"http://example1.com:80/foo/ http://example2.com/bar/", |
| 257 "http://example1.com:80/foo/ http://example2.com/bar/"}, |
| 258 {"http://example1.com/foo/ http://example2.com:90/bar/", |
| 259 "http://example1.com/foo/"}, |
| 260 {"http://example1.com:*/foo/ http://example2.com/bar/", |
| 261 "http://example1.com/foo/ http://example2.com/bar/"}, |
| 262 {"http://*.example3.com:100/bar/ http://example1.com/foo/", |
| 263 "http://example1.com/foo/ http://*.example3.com:100/bar/"}, |
| 264 // Normalizing paths. |
| 265 {"http://example1.com/ http://example2.com/", |
| 266 "http://example1.com/foo/ http://example2.com/bar/"}, |
| 267 {"http://example1.com/foo/index.html http://example2.com/bar/", |
| 268 "http://example1.com/foo/index.html http://example2.com/bar/"}, |
| 269 {"http://example1.com/bar http://example2.com/bar/", |
| 270 "http://example2.com/bar/"}, |
| 271 // Not similar to be normalized |
| 272 {"http://non-example1.com/foo/ http://non-example2.com/bar/", ""}, |
| 273 {"https://non-example1.com/foo/ wss://non-example2.com/bar/", ""}, |
| 274 }; |
| 275 |
| 276 for (const auto& test : cases) { |
| 277 SourceListDirective secondList("script-src", test.sources, csp.get()); |
| 278 HeapVector<Member<CSPSource>> normalized = |
| 279 sourceList.getIntersectCSPSources(secondList.m_list); |
| 280 SourceListDirective helperSourceList("script-src", test.expected, |
| 281 csp.get()); |
| 282 HeapVector<Member<CSPSource>> expected = helperSourceList.m_list; |
| 283 EXPECT_EQ(normalized.size(), expected.size()); |
| 284 for (size_t i = 0; i < normalized.size(); i++) { |
| 285 Source a = {normalized[i]->m_scheme, normalized[i]->m_host, |
| 286 normalized[i]->m_port, normalized[i]->m_path, |
| 287 normalized[i]->m_hostWildcard, normalized[i]->m_portWildcard}; |
| 288 Source b = {expected[i]->m_scheme, expected[i]->m_host, |
| 289 expected[i]->m_port, expected[i]->m_path, |
| 290 expected[i]->m_hostWildcard, expected[i]->m_portWildcard}; |
| 291 EXPECT_TRUE(equalSources(a, b)); |
| 292 } |
| 293 } |
| 294 } |
| 295 |
| 216 } // namespace blink | 296 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2470083002:
Part 2.1: Is policy list subsumed under subsuming policy? (Closed)
