OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
(...skipping 19 matching lines...) Expand all Loading... | |
30 }; | 30 }; |
31 | 31 |
32 virtual void SetUp() { | 32 virtual void SetUp() { |
33 KURL secureURL(ParsedURLString, "https://example.test/image.png"); | 33 KURL secureURL(ParsedURLString, "https://example.test/image.png"); |
34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); | 34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); |
35 document = Document::create(); | 35 document = Document::create(); |
36 document->setSecurityOrigin(secureOrigin); | 36 document->setSecurityOrigin(secureOrigin); |
37 csp->bindToExecutionContext(document.get()); | 37 csp->bindToExecutionContext(document.get()); |
38 } | 38 } |
39 | 39 |
40 ContentSecurityPolicy* SetUpWithOrigin(const String& origin) { | |
41 KURL secureURL(ParsedURLString, origin); | |
42 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); | |
43 document = Document::create(); | |
44 document->setSecurityOrigin(secureOrigin); | |
45 ContentSecurityPolicy* csp = ContentSecurityPolicy::create(); | |
46 csp->bindToExecutionContext(document.get()); | |
47 return csp; | |
48 } | |
49 | |
40 bool equalSources(const Source& a, const Source& b) { | 50 bool equalSources(const Source& a, const Source& b) { |
41 return a.scheme == b.scheme && a.host == b.host && a.port == b.port && | 51 return a.scheme == b.scheme && a.host == b.host && a.port == b.port && |
42 a.path == b.path && a.hostWildcard == b.hostWildcard && | 52 a.path == b.path && a.hostWildcard == b.hostWildcard && |
43 a.portWildcard == b.portWildcard; | 53 a.portWildcard == b.portWildcard; |
44 } | 54 } |
45 | 55 |
46 Persistent<ContentSecurityPolicy> csp; | 56 Persistent<ContentSecurityPolicy> csp; |
47 Persistent<Document> document; | 57 Persistent<Document> document; |
48 }; | 58 }; |
49 | 59 |
(...skipping 326 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
376 EXPECT_EQ(required.subsumes(returned), test.expected); | 386 EXPECT_EQ(required.subsumes(returned), test.expected); |
377 | 387 |
378 // If required is empty, any returned should be subsumed by it. | 388 // If required is empty, any returned should be subsumed by it. |
379 SourceListDirective requiredIsEmpty("script-src", "", csp.get()); | 389 SourceListDirective requiredIsEmpty("script-src", "", csp.get()); |
380 EXPECT_TRUE( | 390 EXPECT_TRUE( |
381 requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>())); | 391 requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>())); |
382 EXPECT_TRUE(requiredIsEmpty.subsumes(returned)); | 392 EXPECT_TRUE(requiredIsEmpty.subsumes(returned)); |
383 } | 393 } |
384 } | 394 } |
385 | 395 |
396 TEST_F(SourceListDirectiveTest, SubsumesWithSelf) { | |
397 SourceListDirective A("script-src", | |
398 "http://example1.com/foo/ http://*.example2.com/bar/ " | |
399 "http://*.example3.com:*/bar/ 'self'", | |
400 csp.get()); | |
401 | |
402 struct TestCase { | |
403 std::vector<String> sourcesB; | |
404 const String& originB; | |
405 bool expected; | |
406 } cases[] = { | |
407 // `self` of A and B match. | |
Mike West
2016/11/23 11:22:02
Might be worth noting somewhere here that `'self'`
amalika
2016/11/23 14:09:53
Added!
| |
408 {{"'self'"}, "https://example.test/", true}, | |
409 {{"'self' 'self' 'self'"}, "https://example.test/", true}, | |
410 {{"'self'", "'self'", "'self'"}, "https://example.test/", true}, | |
411 {{"'self'", "'self'", "https://*.example.test/"}, | |
Mike West
2016/11/23 11:22:02
`*.example.text` doesn't match `example.test`, doe
amalika
2016/11/23 14:09:53
It is a vector of policies and since `self` is `ex
| |
412 "https://example.test/", | |
413 true}, | |
414 {{"'self'", "'self'", "https://*.example.test/bar/"}, | |
415 "https://example.test/", | |
416 true}, | |
417 {{"'self' https://another.test/bar", "'self' http://*.example.test/bar", | |
418 "https://*.example.test/bar/"}, | |
419 "https://example.test/", | |
420 true}, | |
421 {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true}, | |
422 {{"http://example1.com/foo/ https://example.test/"}, | |
423 "https://example.test/", | |
424 true}, | |
425 {{"http://example1.com/foo/ http://*.example2.com/bar/"}, | |
426 "https://example.test/", | |
427 true}, | |
428 {{"http://example1.com/foo/ http://*.example2.com/bar/ " | |
429 "http://*.example3.com:*/bar/ https://example.test/"}, | |
430 "https://example.test/", | |
431 true}, | |
432 {{"http://example1.com/foo/ http://*.example2.com/bar/ " | |
433 "http://*.example3.com:*/bar/ 'self'"}, | |
434 "https://example.test/", | |
435 true}, | |
436 {{"'self'", "'self'", "https://example.test/"}, | |
437 "https://example.test/", | |
438 true}, | |
439 {{"'self'", "https://example.test/folder/"}, | |
440 "https://example.test/", | |
441 true}, | |
442 {{"'self'", "http://example.test/folder/"}, | |
443 "https://example.test/", | |
444 true}, | |
445 {{"'self' https://example.com/", "https://example.com/"}, | |
446 "https://example.test/", | |
447 false}, | |
448 {{"http://example1.com/foo/ http://*.example2.com/bar/", | |
449 "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"}, | |
450 "https://example.test/", | |
451 true}, | |
452 {{"http://*.example1.com/foo/", "http://*.example1.com/foo/ 'self'"}, | |
453 "https://example.test/", | |
454 false}, | |
455 {{"https://*.example.test/", "https://*.example.test/ 'self'"}, | |
456 "https://example.test/", | |
457 false}, | |
458 {{"http://example.test/"}, "https://example.test/", false}, | |
459 // `self` of A and B do not match. | |
460 {{"'self'"}, "https://other-origin.test/", false}, | |
461 {{"https://example.test/"}, "https://other-origin.test/", true}, | |
462 {{"http://example1.com/foo/ http://*.example2.com/bar/ " | |
463 "http://*.example3.com:*/bar/ 'self'"}, | |
464 "https://other-origin.test/", | |
465 false}, | |
466 {{"http://example1.com/foo/ http://*.example2.com/bar/ " | |
467 "http://*.example3.com:*/bar/ https://other-origin.test/"}, | |
468 "https://other-origin.test/", | |
469 false}, | |
470 {{"http://example1.com/foo/ 'self'"}, | |
471 "https://other-origin.test/", | |
472 false}, | |
473 {{"'self'", "http://other-origin.test/"}, | |
474 "https://other-origin.test/", | |
475 false}, | |
476 {{"'self'", "https://example.test/"}, "https://other-origin.test/", true}, | |
477 // B's origin matches one of sources in the source list of A. | |
478 {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true}, | |
479 {{"http://*.example2.com/bar/", "'self'"}, | |
480 "http://example2.com/bar/", | |
481 true}, | |
482 {{"'self' http://*.example1.com/foo/", "http://*.example1.com/foo/"}, | |
483 "http://example1.com/", | |
484 false}, | |
485 {{"http://*.example2.com/bar/ http://example1.com/", | |
486 "'self' http://example1.com/"}, | |
487 "http://example2.com/bar/", | |
488 false}, | |
489 }; | |
490 | |
491 SourceListDirective emptyA("script-src", "", csp.get()); | |
492 // Empty SourceListDirective must subsume empty vector of | |
493 // SourceListDirectives. | |
494 EXPECT_TRUE(emptyA.subsumes(HeapVector<Member<SourceListDirective>>())); | |
495 | |
496 for (const auto& test : cases) { | |
497 ContentSecurityPolicy* cspB = SetUpWithOrigin(test.originB); | |
498 | |
499 HeapVector<Member<SourceListDirective>> vectorB; | |
500 for (const auto& sources : test.sourcesB) { | |
501 SourceListDirective* member = | |
502 new SourceListDirective("script-src", sources, cspB); | |
503 vectorB.append(member); | |
504 } | |
505 | |
506 EXPECT_EQ(A.subsumes(vectorB), test.expected); | |
507 // If emptyA is empty, any vectorB should be subsumed by it. | |
508 EXPECT_TRUE(emptyA.subsumes(vectorB)); | |
509 } | |
510 } | |
511 | |
386 } // namespace blink | 512 } // namespace blink |
OLD | NEW |