third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp - Issue 2519103005: Part 3.2: Is policy list subsumed under subsuming policy?

Side by Side Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2519103005: Part 3.2: Is policy list subsumed under subsuming policy? (Closed)

Patch Set: Adding more tests Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "core/frame/csp/SourceListDirective.h"	5 #include "core/frame/csp/SourceListDirective.h"

6	6

7 #include "core/dom/Document.h"	7 #include "core/dom/Document.h"

8 #include "core/frame/csp/CSPSource.h"	8 #include "core/frame/csp/CSPSource.h"

9 #include "core/frame/csp/ContentSecurityPolicy.h"	9 #include "core/frame/csp/ContentSecurityPolicy.h"

10 #include "platform/network/ResourceRequest.h"	10 #include "platform/network/ResourceRequest.h"

(...skipping 19 matching lines...) Expand all Loading...
30 };	30 };

31	31

32 virtual void SetUp() {	32 virtual void SetUp() {

33 KURL secureURL(ParsedURLString, "https://example.test/image.png");	33 KURL secureURL(ParsedURLString, "https://example.test/image.png");

34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));	34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));

35 document = Document::create();	35 document = Document::create();

36 document->setSecurityOrigin(secureOrigin);	36 document->setSecurityOrigin(secureOrigin);

37 csp->bindToExecutionContext(document.get());	37 csp->bindToExecutionContext(document.get());

38 }	38 }

39	39

	40 ContentSecurityPolicy* SetUpWithOrigin(const String& origin) {

	41 KURL secureURL(ParsedURLString, origin);

	42 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));

	43 document = Document::create();

	44 document->setSecurityOrigin(secureOrigin);

	45 ContentSecurityPolicy* csp = ContentSecurityPolicy::create();

	46 csp->bindToExecutionContext(document.get());

	47 return csp;

	48 }

	49

40 bool equalSources(const Source& a, const Source& b) {	50 bool equalSources(const Source& a, const Source& b) {

41 return a.scheme == b.scheme && a.host == b.host && a.port == b.port &&	51 return a.scheme == b.scheme && a.host == b.host && a.port == b.port &&

42 a.path == b.path && a.hostWildcard == b.hostWildcard &&	52 a.path == b.path && a.hostWildcard == b.hostWildcard &&

43 a.portWildcard == b.portWildcard;	53 a.portWildcard == b.portWildcard;

44 }	54 }

45	55

46 Persistent<ContentSecurityPolicy> csp;	56 Persistent<ContentSecurityPolicy> csp;

47 Persistent<Document> document;	57 Persistent<Document> document;

48 };	58 };

49	59

(...skipping 326 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
376 EXPECT_EQ(required.subsumes(returned), test.expected);	386 EXPECT_EQ(required.subsumes(returned), test.expected);

377	387

378 // If required is empty, any returned should be subsumed by it.	388 // If required is empty, any returned should be subsumed by it.

379 SourceListDirective requiredIsEmpty("script-src", "", csp.get());	389 SourceListDirective requiredIsEmpty("script-src", "", csp.get());

380 EXPECT_TRUE(	390 EXPECT_TRUE(

381 requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>()));	391 requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>()));

382 EXPECT_TRUE(requiredIsEmpty.subsumes(returned));	392 EXPECT_TRUE(requiredIsEmpty.subsumes(returned));

383 }	393 }

384 }	394 }

385	395

	396 TEST_F(SourceListDirectiveTest, SubsumesWithSelf) {

	397 SourceListDirective A("script-src",

	398 "http://example1.com/foo/ http://*.example2.com/bar/ "

	399 "http://.example3.com:/bar/ 'self'",

	400 csp.get());

	401

	402 struct TestCase {

	403 std::vector<String> sourcesB;

	404 const String& originB;

	405 bool expected;

	406 } cases[] = {

	407 // `self` of A and B match.
	Mike West 2016/11/23 11:22:02 Might be worth noting somewhere here that `'self'` Might be worth noting somewhere here that `'self'` will be "https://example.test/". amalika 2016/11/23 14:09:53 Added! Show quoted text On 2016/11/23 at 11:22:02, Mike West (slow) wrote: > Might be worth noting somewhere here that `'self'` will be "https://example.test/". Added!
	408 {{"'self'"}, "https://example.test/", true},

	409 {{"'self' 'self' 'self'"}, "https://example.test/", true},

	410 {{"'self'", "'self'", "'self'"}, "https://example.test/", true},

	411 {{"'self'", "'self'", "https://*.example.test/"},
	Mike West 2016/11/23 11:22:02 `.example.text` doesn't match `example.test`, doe `.example.text` doesn't match `example.test`, does it? amalika 2016/11/23 14:09:53 It is a vector of policies and since `self` is `ex Show quoted text On 2016/11/23 at 11:22:02, Mike West (slow) wrote: > `*.example.text` doesn't match `example.test`, does it? It is a vector of policies and since `self` is `example.test` w/o a wildcard, normalized policy will be w/o a wildcard either even though one of the policies has a wildcard.
	412 "https://example.test/",

	413 true},

	414 {{"'self'", "'self'", "https://*.example.test/bar/"},

	415 "https://example.test/",

	416 true},

	417 {{"'self' https://another.test/bar", "'self' http://*.example.test/bar",

	418 "https://*.example.test/bar/"},

	419 "https://example.test/",

	420 true},

	421 {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true},

	422 {{"http://example1.com/foo/ https://example.test/"},

	423 "https://example.test/",

	424 true},

	425 {{"http://example1.com/foo/ http://*.example2.com/bar/"},

	426 "https://example.test/",

	427 true},

	428 {{"http://example1.com/foo/ http://*.example2.com/bar/ "

	429 "http://.example3.com:/bar/ https://example.test/"},

	430 "https://example.test/",

	431 true},

	432 {{"http://example1.com/foo/ http://*.example2.com/bar/ "

	433 "http://.example3.com:/bar/ 'self'"},

	434 "https://example.test/",

	435 true},

	436 {{"'self'", "'self'", "https://example.test/"},

	437 "https://example.test/",

	438 true},

	439 {{"'self'", "https://example.test/folder/"},

	440 "https://example.test/",

	441 true},

	442 {{"'self'", "http://example.test/folder/"},

	443 "https://example.test/",

	444 true},

	445 {{"'self' https://example.com/", "https://example.com/"},

	446 "https://example.test/",

	447 false},

	448 {{"http://example1.com/foo/ http://*.example2.com/bar/",

	449 "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"},

	450 "https://example.test/",

	451 true},

	452 {{"http://.example1.com/foo/", "http://.example1.com/foo/ 'self'"},

	453 "https://example.test/",

	454 false},

	455 {{"https://.example.test/", "https://.example.test/ 'self'"},

	456 "https://example.test/",

	457 false},

	458 {{"http://example.test/"}, "https://example.test/", false},

	459 // `self` of A and B do not match.

	460 {{"'self'"}, "https://other-origin.test/", false},

	461 {{"https://example.test/"}, "https://other-origin.test/", true},

	462 {{"http://example1.com/foo/ http://*.example2.com/bar/ "

	463 "http://.example3.com:/bar/ 'self'"},

	464 "https://other-origin.test/",

	465 false},

	466 {{"http://example1.com/foo/ http://*.example2.com/bar/ "

	467 "http://.example3.com:/bar/ https://other-origin.test/"},

	468 "https://other-origin.test/",

	469 false},

	470 {{"http://example1.com/foo/ 'self'"},

	471 "https://other-origin.test/",

	472 false},

	473 {{"'self'", "http://other-origin.test/"},

	474 "https://other-origin.test/",

	475 false},

	476 {{"'self'", "https://example.test/"}, "https://other-origin.test/", true},

	477 // B's origin matches one of sources in the source list of A.

	478 {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true},

	479 {{"http://*.example2.com/bar/", "'self'"},

	480 "http://example2.com/bar/",

	481 true},

	482 {{"'self' http://.example1.com/foo/", "http://.example1.com/foo/"},

	483 "http://example1.com/",

	484 false},

	485 {{"http://*.example2.com/bar/ http://example1.com/",

	486 "'self' http://example1.com/"},

	487 "http://example2.com/bar/",

	488 false},

	489 };

	490

	491 SourceListDirective emptyA("script-src", "", csp.get());

	492 // Empty SourceListDirective must subsume empty vector of

	493 // SourceListDirectives.

	494 EXPECT_TRUE(emptyA.subsumes(HeapVector<Member<SourceListDirective>>()));

	495

	496 for (const auto& test : cases) {

	497 ContentSecurityPolicy* cspB = SetUpWithOrigin(test.originB);

	498

	499 HeapVector<Member<SourceListDirective>> vectorB;

	500 for (const auto& sources : test.sourcesB) {

	501 SourceListDirective* member =

	502 new SourceListDirective("script-src", sources, cspB);

	503 vectorB.append(member);

	504 }

	505

	506 EXPECT_EQ(A.subsumes(vectorB), test.expected);

	507 // If emptyA is empty, any vectorB should be subsumed by it.

	508 EXPECT_TRUE(emptyA.subsumes(vectorB));

	509 }

	510 }

	511

386 } // namespace blink	512 } // namespace blink

OLD	NEW

« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp ('k') | no next file » | no next file with comments »