1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/fetch/IntegrityMetadata.h" | 8 #include "core/fetch/IntegrityMetadata.h" |
9 #include "core/frame/csp/CSPDirectiveList.h" | 9 #include "core/frame/csp/CSPDirectiveList.h" |
10 #include "core/html/HTMLScriptElement.h" | 10 #include "core/html/HTMLScriptElement.h" |
256 WebURLRequest::RequestContextEmbed, url, String(), IntegrityMetadataSet(), | 256 WebURLRequest::RequestContextEmbed, url, String(), IntegrityMetadataSet(), |
257 ParserInserted, ResourceRequest::RedirectStatus::NoRedirect, | 257 ParserInserted, ResourceRequest::RedirectStatus::NoRedirect, |
258 ContentSecurityPolicy::SuppressReport)); | 258 ContentSecurityPolicy::SuppressReport)); |
259 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, | 259 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, |
260 String(), IntegrityMetadataSet(), | 260 String(), IntegrityMetadataSet(), |
261 ParserInserted, | 261 ParserInserted, |
262 ResourceRequest::RedirectStatus::NoRedirect, | 262 ResourceRequest::RedirectStatus::NoRedirect, |
263 ContentSecurityPolicy::SuppressReport)); | 263 ContentSecurityPolicy::SuppressReport)); |
264 } | 264 } |
265 | 265 |
| 266 TEST_F(ContentSecurityPolicyTest, ConnectSrc) { |
| 267 KURL url(KURL(), "https://example.test"); |
| 268 csp->bindToExecutionContext(document.get()); |
| 269 csp->didReceiveHeader("connect-src 'none';", |
| 270 ContentSecurityPolicyHeaderTypeEnforce, |
| 271 ContentSecurityPolicyHeaderSourceMeta); |
| 272 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextSubresource, url, |
| 273 String(), IntegrityMetadataSet(), |
| 274 ParserInserted, |
| 275 ResourceRequest::RedirectStatus::NoRedirect, |
| 276 ContentSecurityPolicy::SuppressReport)); |
| 277 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextXMLHttpRequest, |
| 278 url, String(), IntegrityMetadataSet(), |
| 279 ParserInserted, |
| 280 ResourceRequest::RedirectStatus::NoRedirect, |
| 281 ContentSecurityPolicy::SuppressReport)); |
| 282 EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextBeacon, url, |
| 283 String(), IntegrityMetadataSet(), |
| 284 ParserInserted, |
| 285 ResourceRequest::RedirectStatus::NoRedirect, |
| 286 ContentSecurityPolicy::SuppressReport)); |
| 287 EXPECT_FALSE(csp->allowRequest( |
| 288 WebURLRequest::RequestContextFetch, url, String(), IntegrityMetadataSet(), |
| 289 ParserInserted, ResourceRequest::RedirectStatus::NoRedirect, |
| 290 ContentSecurityPolicy::SuppressReport)); |
| 291 EXPECT_TRUE(csp->allowRequest(WebURLRequest::RequestContextPlugin, url, |
| 292 String(), IntegrityMetadataSet(), |
| 293 ParserInserted, |
| 294 ResourceRequest::RedirectStatus::NoRedirect, |
| 295 ContentSecurityPolicy::SuppressReport)); |
| 296 } |
266 // Tests that requests for scripts and styles are blocked | 297 // Tests that requests for scripts and styles are blocked |
267 // if `require-sri-for` delivered in HTTP header requires integrity be present | 298 // if `require-sri-for` delivered in HTTP header requires integrity be present |
268 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity) { | 299 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity) { |
269 KURL url(KURL(), "https://example.test"); | 300 KURL url(KURL(), "https://example.test"); |
270 // Enforce | 301 // Enforce |
271 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); | 302 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); |
272 policy->bindToExecutionContext(document.get()); | 303 policy->bindToExecutionContext(document.get()); |
273 policy->didReceiveHeader("require-sri-for script style", | 304 policy->didReceiveHeader("require-sri-for script style", |
274 ContentSecurityPolicyHeaderTypeEnforce, | 305 ContentSecurityPolicyHeaderTypeEnforce, |
275 ContentSecurityPolicyHeaderSourceHTTP); | 306 ContentSecurityPolicyHeaderSourceHTTP); |
874 test.inherits); | 905 test.inherits); |
875 | 906 |
876 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, | 907 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, |
877 AtomicString("https://example.test")); | 908 AtomicString("https://example.test")); |
878 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( | 909 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
879 response, secureOrigin.get())); | 910 response, secureOrigin.get())); |
880 } | 911 } |
881 } | 912 } |
882 | 913 |
883 } // namespace blink | 914 } // namespace blink |
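Review bot: The new ConnectSrc test (new lines 266–296) checks `connect-src 'none'` against only the Subresource, XMLHttpRequest, Beacon and Fetch contexts, while the CSP spec also puts EventSource and hyperlink-ping requests under `connect-src`; if `WebURLRequest` exposes `RequestContextEventSource` and `RequestContextPing`, add one assertion per context, e.g. `EXPECT_FALSE(csp->allowRequest(WebURLRequest::RequestContextEventSource, url, String(), IntegrityMetadataSet(), ParserInserted, ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));`, so a regression in the context-to-directive mapping for those contexts is caught. The test pins only the deny path; a check on a fresh `ContentSecurityPolicy` carrying `connect-src https://example.test` that expects `EXPECT_TRUE` for `RequestContextFetch` would also catch the connect check rejecting everything, which the single Plugin `EXPECT_TRUE` on line 291 does not exercise since plugins are presumably not routed through `connect-src`. Style: the closing brace on line 296 runs straight into the `// Tests that requests for scripts and styles are blocked` comment on 297, whereas the surrounding tests are separated by a blank line.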