| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 6 | 6 |
| 7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/fetch/IntegrityMetadata.h" | 8 #include "core/fetch/IntegrityMetadata.h" |
| 9 #include "core/frame/csp/CSPDirectiveList.h" | 9 #include "core/frame/csp/CSPDirectiveList.h" |
| 10 #include "core/html/HTMLScriptElement.h" | 10 #include "core/html/HTMLScriptElement.h" |
| 256 WebURLRequest::RequestContextEmbed, url, String(), IntegrityMetadataSet(), | 256 WebURLRequest::RequestContextEmbed, url, String(), IntegrityMetadataSet(), |
| 257 ParserInserted, ResourceRequest::RedirectStatus::NoRedirect, | 257 ParserInserted, ResourceRequest::RedirectStatus::NoRedirect, |
| 258 ContentSecurityPolicy::SuppressReport)); | 258 ContentSecurityPolicy::SuppressReport)); |
| 259 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, | 259 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, |
| 260 String(), IntegrityMetadataSet(), | 260 String(), IntegrityMetadataSet(), |
| 261 ParserInserted, | 261 ParserInserted, |
| 262 ResourceRequest::RedirectStatus::NoRedirect, | 262 ResourceRequest::RedirectStatus::NoRedirect, |
| 263 ContentSecurityPolicy::SuppressReport)); | 263 ContentSecurityPolicy::SuppressReport)); |
| 264 } | 264 } |
| 265 | 265 |
| 266 TEST_F(ContentSecurityPolicyTest, ConnectSrc) { |
| 267 KURL url(KURL(), "https://example.test"); |
| 268 csp->bindToExecutionContext(document.get()); |
| 269 csp->didReceiveHeader("connect-src 'none';", |
| 270 ContentSecurityPolicyHeaderTypeEnforce, |
| 271 ContentSecurityPolicyHeaderSourceMeta); |
| 272 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextSubresource, url, |
| 273 String(), IntegrityMetadataSet(), |
| 274 ParserInserted, |
| 275 ResourceRequest::RedirectStatus::NoRedirect, |
| 276 ContentSecurityPolicy::SuppressReport)); |
| 277 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextXMLHttpRequest, |
| 278 url, String(), IntegrityMetadataSet(), |
| 279 ParserInserted, |
| 280 ResourceRequest::RedirectStatus::NoRedirect, |
| 281 ContentSecurityPolicy::SuppressReport)); |
| 282 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextBeacon, url, |
| 283 String(), IntegrityMetadataSet(), |
| 284 ParserInserted, |
| 285 ResourceRequest::RedirectStatus::NoRedirect, |
| 286 ContentSecurityPolicy::SuppressReport)); |
| 287 EXPECT_FALSE(csp->allowRequest( |
| 288 WebURLRequest::RequestContextFetch, url, String(), IntegrityMetadataSet(), |
| 289 ParserInserted, ResourceRequest::RedirectStatus::NoRedirect, |
| 290 ContentSecurityPolicy::SuppressReport)); |
| 291 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, |
| 292 String(), IntegrityMetadataSet(), |
| 293 ParserInserted, |
| 294 ResourceRequest::RedirectStatus::NoRedirect, |
| 295 ContentSecurityPolicy::SuppressReport)); |
| 296 } |
| 266 // Tests that requests for scripts and styles are blocked | 297 // Tests that requests for scripts and styles are blocked |
| 267 // if `require-sri-for` delivered in HTTP header requires integrity be present | 298 // if `require-sri-for` delivered in HTTP header requires integrity be present |
| 268 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity) { | 299 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity) { |
| 269 KURL url(KURL(), "https://example.test"); | 300 KURL url(KURL(), "https://example.test"); |
| 270 // Enforce | 301 // Enforce |
| 271 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); | 302 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); |
| 272 policy->bindToExecutionContext(document.get()); | 303 policy->bindToExecutionContext(document.get()); |
| 273 policy->didReceiveHeader("require-sri-for script style", | 304 policy->didReceiveHeader("require-sri-for script style", |
| 274 ContentSecurityPolicyHeaderTypeEnforce, | 305 ContentSecurityPolicyHeaderTypeEnforce, |
| 275 ContentSecurityPolicyHeaderSourceHTTP); | 306 ContentSecurityPolicyHeaderSourceHTTP); |
| 874 test.inherits); | 905 test.inherits); |
| 875 | 906 |
| 876 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, | 907 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, |
| 877 AtomicString("https://example.test")); | 908 AtomicString("https://example.test")); |
| 878 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( | 909 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
| 879 response, secureOrigin.get())); | 910 response, secureOrigin.get())); |
| 880 } | 911 } |
| 881 } | 912 } |
| 882 | 913 |
| 883 } // namespace blink | 914 } // namespace blink |
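Review bot: The new ConnectSrc test (NEW lines 266-296) has no description comment, unlike the `// Tests that ...` header on the neighbouring RequireSRIForInHeaderMissingIntegrity test, and its closing brace at NEW 296 runs directly into that test's comment at 297 with no separating blank line; I would add `// Tests that connect-src 'none' blocks subresource, XHR, beacon and fetch requests while plugin loads remain allowed.` above the TEST_F and a blank line after the `}`. Only the enforcing header type with `RedirectStatus::NoRedirect` is exercised; the following test builds its own policy with `ContentSecurityPolicy::create()` under an `// Enforce` heading, which suggests a report-only counterpart asserting the same requests pass would match the file's pattern. Plugin is the only context asserted as outside connect-src, so the test does not pin which other request contexts the directive is expected to govern or ignore; if this WebURLRequest version also defines contexts such as EventSource or ping, checking one of them would make the coverage of connect-src explicit rather than implied.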