1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "core/frame/csp/ContentSecurityPolicy.h" | 7 #include "core/frame/csp/ContentSecurityPolicy.h" |
8 #include "core/frame/csp/SourceListDirective.h" | 8 #include "core/frame/csp/SourceListDirective.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
428 KURL resource = KURL(KURL(), "https://example.test/worker.js"); | 428 KURL resource = KURL(KURL(), "https://example.test/worker.js"); |
429 Member<CSPDirectiveList> directiveList = | 429 Member<CSPDirectiveList> directiveList = |
430 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); | 430 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); |
431 EXPECT_EQ(test.allowed, | 431 EXPECT_EQ(test.allowed, |
432 directiveList->allowWorkerFromSource( | 432 directiveList->allowWorkerFromSource( |
433 resource, ResourceRequest::RedirectStatus::NoRedirect, | 433 resource, ResourceRequest::RedirectStatus::NoRedirect, |
434 ContentSecurityPolicy::SuppressReport)); | 434 ContentSecurityPolicy::SuppressReport)); |
435 } | 435 } |
436 } | 436 } |
437 | 437 |
438 TEST_F(CSPDirectiveListTest, SubsumesBasedOnCSPSourcesOnly) { | |
439 struct TestCase { | |
440 const std::vector<const char*> policies; | |
441 bool expected; | |
442 } cases[] = { | |
443 // The lists, which are at least as restrictive as A, are subsumed. | |
Mike West
2016/11/14 14:21:23
This test says that they're not subsumed (`false`
444 {{""}, false}, | |
445 {{"script-src http://example.com"}, false}, | |
446 {{"img-src http://example.com"}, false}, | |
447 {{"script-src http://*.one.com"}, false}, | |
448 {{"img-src https://one.com http://two.com/imgs/"}, false}, | |
449 {{"default-src http://example.com"}, false}, | |
450 {{"default-src https://one.com http://two.com/imgs/"}, false}, | |
451 {{"default-src http://one.com"}, false}, | |
452 {{"script-src http://*.one.com; img-src http://two.com/"}, false}, | |
453 {{"script-src http://*.one.com", "img-src http://one.com"}, false}, | |
454 {{"script-src http://*.one.com", "script-src https://two.com"}, false}, | |
455 {{"script-src http://*.random.com", "script-src https://random.com"}, | |
456 false}, | |
457 {{"script-src http://one.com", "script-src https://random.com"}, false}, | |
458 {{"script-src http://*.random.com; default-src http://one.com " | |
459 "http://two.com/imgs/", | |
460 "default-src https://random.com"}, | |
461 false}, | |
462 // The lists, which are not as restrictive as A, are not subsumed. | |
463 {{"default-src https://one.com"}, true}, | |
464 {{"default-src http://random.com", | |
465 "default-src https://non-random.com:*"}, | |
466 true}, | |
467 {{"script-src http://*.one.com; img-src https://one.com"}, true}, | |
468 {{"script-src http://*.one.com; img-src https://one.com " | |
469 "http://two.com/imgs/"}, | |
470 true}, | |
471 {{"script-src http://*.one.com", | |
472 "img-src https://one.com http://two.com/imgs/"}, | |
473 true}, | |
474 {{"script-src http://*.random.com; default-src https://one.com " | |
475 "http://two.com/imgs/", | |
476 "default-src https://else.com"}, | |
477 true}, | |
478 {{"script-src http://*.random.com; default-src https://one.com " | |
479 "http://two.com/imgs/", | |
480 "default-src https://one.com"}, | |
481 true}, | |
482 }; | |
483 | |
484 Member<CSPDirectiveList> A = createList( | |
485 "script-src http://*.one.com; img-src https://one.com " | |
486 "http://two.com/imgs/", | |
487 ContentSecurityPolicyHeaderTypeReport); | |
Mike West
2016/11/14 14:21:23
I think we'll have more confidence in the final re
amalika
2016/11/15 13:17:18
Since we did not implement keywords yet, I did not
488 | |
489 for (const auto& test : cases) { | |
490 HeapVector<Member<CSPDirectiveList>> listB; | |
491 for (const auto& policy : test.policies) { | |
492 listB.append(createList(policy, ContentSecurityPolicyHeaderTypeReport)); | |
493 } | |
494 | |
495 EXPECT_EQ(test.expected, A->subsumes(listB)); | |
496 } | |
497 } | |
Mike West
2016/11/14 14:21:23
I'd like to see more test coverage. You don't expl
498 | |
438 } // namespace blink | 499 } // namespace blink |
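Review bot: The locals `A` (file line 484) and `listB` (line 490) in the new SubsumesBasedOnCSPSourcesOnly test do not follow the camelCase local naming used by the surrounding tests (`directiveList`, `resource` at lines 428–430), and the single-letter name gives no hint which side of the `subsumes` relation it is. I would rename them to `Member<CSPDirectiveList> subsumer = createList(` and `HeapVector<Member<CSPDirectiveList>> subsumedPolicies;` and use `subsumer->subsumes(subsumedPolicies)` in the EXPECT_EQ. The `expected` field of `TestCase` (line 441) would also read better with a one-line comment stating what it asserts, e.g. `// Whether the fixed policy should subsume this list of policies.`. The `const` on the `policies` member (line 440) is unnecessary since `cases` is only ever iterated by `const auto&`, and it makes `TestCase` non-assignable; dropping it costs nothing.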
OLD | NEW |