1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
30 }; | 30 }; |
31 | 31 |
32 virtual void SetUp() { | 32 virtual void SetUp() { |
33 KURL secureURL(ParsedURLString, "https://example.test/image.png"); | 33 KURL secureURL(ParsedURLString, "https://example.test/image.png"); |
34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); | 34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); |
35 document = Document::create(); | 35 document = Document::create(); |
36 document->setSecurityOrigin(secureOrigin); | 36 document->setSecurityOrigin(secureOrigin); |
37 csp->bindToExecutionContext(document.get()); | 37 csp->bindToExecutionContext(document.get()); |
38 } | 38 } |
39 | 39 |
40 ContentSecurityPolicy* SetUpWithOrigin(const char* origin) { | |
41 KURL url(ParsedURLString, origin); | |
42 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(url)); | |
43 Document* document = Document::create(); | |
44 document->setSecurityOrigin(secureOrigin); | |
45 ContentSecurityPolicy* csp = ContentSecurityPolicy::create(); | |
46 csp->bindToExecutionContext(document); | |
47 return csp; | |
48 } | |
49 | |
40 bool equalSources(const Source& a, const Source& b) { | 50 bool equalSources(const Source& a, const Source& b) { |
41 return a.scheme == b.scheme && a.host == b.host && a.port == b.port && | 51 return a.scheme == b.scheme && a.host == b.host && a.port == b.port && |
42 a.path == b.path && a.hostWildcard == b.hostWildcard && | 52 a.path == b.path && a.hostWildcard == b.hostWildcard && |
43 a.portWildcard == b.portWildcard; | 53 a.portWildcard == b.portWildcard; |
44 } | 54 } |
45 | 55 |
46 Persistent<ContentSecurityPolicy> csp; | 56 Persistent<ContentSecurityPolicy> csp; |
47 Persistent<Document> document; | 57 Persistent<Document> document; |
48 }; | 58 }; |
49 | 59 |
430 EXPECT_EQ(required.subsumes(returned), test.expected); | 440 EXPECT_EQ(required.subsumes(returned), test.expected); |
431 | 441 |
432 // If required is empty, any returned should be subsumed by it. | 442 // If required is empty, any returned should be subsumed by it. |
433 SourceListDirective requiredIsEmpty("script-src", "", csp.get()); | 443 SourceListDirective requiredIsEmpty("script-src", "", csp.get()); |
434 EXPECT_TRUE( | 444 EXPECT_TRUE( |
435 requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>())); | 445 requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>())); |
436 EXPECT_TRUE(requiredIsEmpty.subsumes(returned)); | 446 EXPECT_TRUE(requiredIsEmpty.subsumes(returned)); |
437 } | 447 } |
438 } | 448 } |
439 | 449 |
450 TEST_F(SourceListDirectiveTest, SubsumesWithSelfSameOrigins) { | |
451 SourceListDirective A("script-src", | |
452 "http://example1.com/foo/ http://*.example2.com/bar/ " | |
453 "http://*.example3.com:*/bar/ 'self'", | |
454 csp.get()); | |
455 | |
456 struct TestCase { | |
457 std::vector<String> sourcesB; | |
458 String originB; | |
459 bool expected; | |
460 } cases[] = { | |
461 // "https://example.test/" is a secure origin for both A and B. | |
462 {{"'self'"}, "https://example.test/", true}, | |
463 {{"'self' 'self' 'self'"}, "https://example.test/", true}, | |
464 {{"'self'", "'self'", "'self'"}, "https://example.test/", true}, | |
465 {{"'self'", "'self'", "https://*.example.test/"}, | |
466 "https://example.test/", | |
467 true}, | |
468 {{"'self'", "'self'", "https://*.example.test/bar/"}, | |
469 "https://example.test/", | |
470 true}, | |
471 {{"'self' https://another.test/bar", "'self' http://*.example.test/bar", | |
472 "https://*.example.test/bar/"}, | |
473 "https://example.test/", | |
474 true}, | |
475 {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true}, | |
476 {{"http://example1.com/foo/ https://example.test/"}, | |
477 "https://example.test/", | |
478 true}, | |
479 {{"http://example1.com/foo/ http://*.example2.com/bar/"}, | |
480 "https://example.test/", | |
481 true}, | |
482 {{"http://example1.com/foo/ http://*.example2.com/bar/ " | |
483 "http://*.example3.com:*/bar/ https://example.test/"}, | |
484 "https://example.test/", | |
485 true}, | |
486 {{"http://example1.com/foo/ http://*.example2.com/bar/ " | |
487 "http://*.example3.com:*/bar/ 'self'"}, | |
488 "https://example.test/", | |
489 true}, | |
490 {{"'self'", "'self'", "https://example.test/"}, | |
491 "https://example.test/", | |
492 true}, | |
493 {{"'self'", "https://example.test/folder/"}, | |
494 "https://example.test/", | |
495 true}, | |
496 {{"'self'", "http://example.test/folder/"}, | |
497 "https://example.test/", | |
498 true}, | |
499 {{"'self' https://example.com/", "https://example.com/"}, | |
500 "https://example.test/", | |
501 false}, | |
502 {{"http://example1.com/foo/ http://*.example2.com/bar/", | |
503 "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"}, | |
504 "https://example.test/", | |
505 true}, | |
506 {{"http://*.example1.com/foo/", "http://*.example1.com/foo/ 'self'"}, | |
507 "https://example.test/", | |
508 false}, | |
509 {{"https://*.example.test/", "https://*.example.test/ 'self'"}, | |
510 "https://example.test/", | |
511 false}, | |
512 {{"http://example.test/"}, "https://example.test/", false}, | |
513 {{"https://example.test/"}, "https://example.test/", true}, | |
514 }; | |
515 | |
516 int i = 0; | |
517 ContentSecurityPolicy* cspB = SetUpWithOrigin("https://example.test/"); | |
518 for (const auto& test : cases) { | |
519 SCOPED_TRACE(testing::Message() << "---------------------------------------- ----------\n" ); | |
520 SCOPED_TRACE(testing::Message() << "Test: " << i << ", " | |
521 << String(test.sourcesB[0]) << ", origin of B: " | |
522 << String(test.originB) << "\n"); | |
523 SCOPED_TRACE(testing::Message() << "B self source: " << i << ", " | |
524 << cspB->getSelfSource()->m_scheme | |
525 << cspB->getSelfSource()->m_host | |
526 << cspB->getSelfSource()->m_port << "\n"); | |
527 SCOPED_TRACE(testing::Message() << "---------------------------------------- ----------\n"); | |
528 i++; | |
529 | |
530 HeapVector<Member<SourceListDirective>> vectorB; | |
531 for (const auto& sources : test.sourcesB) { | |
532 SourceListDirective* member = | |
533 new SourceListDirective("script-src", sources, cspB); | |
534 vectorB.append(member); | |
535 } | |
536 | |
537 EXPECT_EQ(test.expected, A.subsumes(vectorB)); | |
538 } | |
539 } | |
540 | |
541 TEST_F(SourceListDirectiveTest, SubsumesWithSelfDifferentOrigins) { | |
542 SourceListDirective A("script-src", | |
543 "http://example1.com/foo/ http://*.example2.com/bar/ " | |
544 "http://*.example3.com:*/bar/ 'self'", | |
545 csp.get()); | |
546 | |
547 struct TestCase { | |
548 std::vector<String> sourcesB; | |
549 String originB; | |
550 bool expected; | |
551 } cases[] = { | |
552 // Origins of A and B do not match. | |
553 {{"https://example.test/"}, "https://other-origin.test/", false}, | |
554 {{"'self'"}, "https://other-origin.test/", true}, | |
555 {{"http://example1.com/foo/ http://*.example2.com/bar/ " | |
556 "http://*.example3.com:*/bar/ 'self'"}, | |
557 "https://other-origin.test/", | |
558 true}, | |
559 {{"http://example1.com/foo/ http://*.example2.com/bar/ " | |
560 "http://*.example3.com:*/bar/ https://other-origin.test/"}, | |
561 "https://other-origin.test/", | |
562 true}, | |
563 {{"http://example1.com/foo/ 'self'"}, "https://other-origin.test/", true}, | |
564 {{"'self'", "https://example.test/"}, "https://other-origin.test/", true}, | |
565 {{"'self' https://example.test/", "https://example.test/"}, | |
566 "https://other-origin.test/", | |
567 false}, | |
568 {{"https://example.test/", "http://example.test/"}, | |
569 "https://other-origin.test/", | |
570 false}, | |
571 {{"'self'", "http://other-origin.test/"}, | |
572 "https://other-origin.test/", | |
573 true}, | |
574 {{"'self'", "https://non-example.test/"}, "https://other-origin.test/", tr ue}, | |
575 // // B's origin matches one of sources in the source list of A. | |
576 // {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true }, | |
577 // {{"http://*.example2.com/bar/", "'self'"}, | |
578 // "http://example2.com/bar/", | |
579 // true}, | |
580 // {{"'self' http://*.example1.com/foo/", "http://*.example1.com/foo/"}, | |
581 // "http://example1.com/", | |
582 // false}, | |
583 // {{"http://*.example2.com/bar/ http://example1.com/", | |
584 // "'self' http://example1.com/"}, | |
585 // "http://example2.com/bar/", | |
586 // false}, | |
Mike West
2016/12/01 13:06:15
These tests are commented out; do they pass?
amalika
2016/12/01 13:27:35
They were passing before. But I commented them out
587 }; | |
588 | |
589 int i = 0; | |
590 ContentSecurityPolicy* cspB = SetUpWithOrigin("https://other-origin.test/"); | |
591 for (const auto& test : cases) { | |
592 SCOPED_TRACE(testing::Message() << "---------------------------------------- ----------\n" ); | |
593 SCOPED_TRACE(testing::Message() << "Test: " << i << ", " | |
594 << test.sourcesB[0] << ", origin of B: " | |
595 << test.originB << "\n"); | |
596 SCOPED_TRACE(testing::Message() << "B self source: " << i << ", " | |
597 << cspB->getSelfSource()->m_scheme | |
598 << cspB->getSelfSource()->m_host | |
599 << cspB->getSelfSource()->m_port << "\n"); | |
600 SCOPED_TRACE(testing::Message() << "---------------------------------------- ----------\n"); | |
Mike West
2016/12/01 13:06:15
This (and above) seems cleaner as one SCOPED_TRACE
amalika
2016/12/01 13:27:35
I will remove these!
601 i++; | |
602 | |
603 HeapVector<Member<SourceListDirective>> vectorB; | |
604 for (const auto& sources : test.sourcesB) { | |
605 SourceListDirective* member = | |
606 new SourceListDirective("script-src", sources, cspB); | |
607 vectorB.append(member); | |
608 } | |
609 | |
610 EXPECT_EQ(test.expected, A.subsumes(vectorB)); | |
611 } | |
612 } | |
613 | |
440 } // namespace blink | 614 } // namespace blink |
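Review bot: In the new SetUpWithOrigin helper the locals `Document* document` and `ContentSecurityPolicy* csp` shadow the fixture members of the same names declared a few lines below (`Persistent<ContentSecurityPolicy> csp; Persistent<Document> document;`), which makes it easy to misread which policy a given test is exercising; renaming them, e.g. `Document* doc = Document::create();` and `ContentSecurityPolicy* policy = ContentSecurityPolicy::create();`, avoids that. Unlike the fixture's SetUp, the helper keeps neither object in a Persistent<>, so the document is reachable only through the returned policy — presumably acceptable for a pointer held on the test's stack, but a one-line comment on the helper stating that lifetime assumption would help the next reader. The two added TEST_Fs (SubsumesWithSelfSameOrigins and SubsumesWithSelfDifferentOrigins) repeat the same loop body — build vectorB from sourcesB, then `EXPECT_EQ(test.expected, A.subsumes(vectorB))` — so a small fixture helper taking A, the B origin and the cases array would remove that duplication along with the hand-maintained `i` counter.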