Part 3.2: Is policy list subsumed under subsuming policy?

third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/SourceListDirective.h"
 
 #include "core/dom/Document.h"
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/network/ResourceRequest.h"
@@ skipping 19 matching lines @@
   };
 
   virtual void SetUp() {
     KURL secureURL(ParsedURLString, "https://example.test/image.png");
     RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));
     document = Document::create();
     document->setSecurityOrigin(secureOrigin);
     csp->bindToExecutionContext(document.get());
   }
 
+  ContentSecurityPolicy* SetUpWithOrigin(const char* origin) {
+    KURL url(ParsedURLString, origin);
+    RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(url));
+    Document* document = Document::create();
+    document->setSecurityOrigin(secureOrigin);
+    ContentSecurityPolicy* csp = ContentSecurityPolicy::create();
+    csp->bindToExecutionContext(document);
+    return csp;
+  }
+
   bool equalSources(const Source& a, const Source& b) {
     return a.scheme == b.scheme && a.host == b.host && a.port == b.port &&
            a.path == b.path && a.hostWildcard == b.hostWildcard &&
            a.portWildcard == b.portWildcard;
   }
 
   Persistent<ContentSecurityPolicy> csp;
   Persistent<Document> document;
 };
 
@@ skipping 380 matching lines @@
     EXPECT_EQ(required.subsumes(returned), test.expected);
 
     // If required is empty, any returned should be subsumed by it.
     SourceListDirective requiredIsEmpty("script-src", "", csp.get());
     EXPECT_TRUE(
         requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>()));
     EXPECT_TRUE(requiredIsEmpty.subsumes(returned));
   }
 }
 
+TEST_F(SourceListDirectiveTest, SubsumesWithSelfSameOrigins) {
+  SourceListDirective A("script-src",
+                        "http://example1.com/foo/ http://*.example2.com/bar/ "
+                        "http://*.example3.com:*/bar/ 'self'",
+                        csp.get());
+
+  struct TestCase {
+    std::vector<String> sourcesB;
+    String originB;
+    bool expected;
+  } cases[] = {
+      // "https://example.test/" is a secure origin for both A and B.
+      {{"'self'"}, "https://example.test/", true},
+      {{"'self' 'self' 'self'"}, "https://example.test/", true},
+      {{"'self'", "'self'", "'self'"}, "https://example.test/", true},
+      {{"'self'", "'self'", "https://*.example.test/"},
+       "https://example.test/",
+       true},
+      {{"'self'", "'self'", "https://*.example.test/bar/"},
+       "https://example.test/",
+       true},
+      {{"'self' https://another.test/bar", "'self' http://*.example.test/bar",
+        "https://*.example.test/bar/"},
+       "https://example.test/",
+       true},
+      {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true},
+      {{"http://example1.com/foo/ https://example.test/"},
+       "https://example.test/",
+       true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/"},
+       "https://example.test/",
+       true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+        "http://*.example3.com:*/bar/ https://example.test/"},
+       "https://example.test/",
+       true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+        "http://*.example3.com:*/bar/ 'self'"},
+       "https://example.test/",
+       true},
+      {{"'self'", "'self'", "https://example.test/"},
+       "https://example.test/",
+       true},
+      {{"'self'", "https://example.test/folder/"},
+       "https://example.test/",
+       true},
+      {{"'self'", "http://example.test/folder/"},
+       "https://example.test/",
+       true},
+      {{"'self' https://example.com/", "https://example.com/"},
+       "https://example.test/",
+       false},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/",
+        "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"},
+       "https://example.test/",
+       true},
+      {{"http://*.example1.com/foo/", "http://*.example1.com/foo/ 'self'"},
+       "https://example.test/",
+       false},
+      {{"https://*.example.test/", "https://*.example.test/ 'self'"},
+       "https://example.test/",
+       false},
+      {{"http://example.test/"}, "https://example.test/", false},
+      {{"https://example.test/"}, "https://example.test/", true},
+  };
+
+  int i = 0;
+  ContentSecurityPolicy* cspB = SetUpWithOrigin("https://example.test/");
+  for (const auto& test : cases) {
+    SCOPED_TRACE(testing::Message() << "--------------------------------------------------\n" );
+    SCOPED_TRACE(testing::Message() << "Test: " << i << ", "
+                                    << String(test.sourcesB[0]) << ", origin of B: "
+                                    << String(test.originB) << "\n");
+    SCOPED_TRACE(testing::Message() << "B self source: " << i << ", "
+                                    << cspB->getSelfSource()->m_scheme
+                                    << cspB->getSelfSource()->m_host
+                                    << cspB->getSelfSource()->m_port << "\n");
+    SCOPED_TRACE(testing::Message() << "--------------------------------------------------\n");
+    i++;
+
+    HeapVector<Member<SourceListDirective>> vectorB;
+    for (const auto& sources : test.sourcesB) {
+      SourceListDirective* member =
+          new SourceListDirective("script-src", sources, cspB);
+      vectorB.append(member);
+    }
+
+    EXPECT_EQ(test.expected, A.subsumes(vectorB));
+  }
+}
+
+TEST_F(SourceListDirectiveTest, SubsumesWithSelfDifferentOrigins) {
+  SourceListDirective A("script-src",
+                        "http://example1.com/foo/ http://*.example2.com/bar/ "
+                        "http://*.example3.com:*/bar/ 'self'",
+                        csp.get());
+
+  struct TestCase {
+    std::vector<String> sourcesB;
+    String originB;
+    bool expected;
+  } cases[] = {
+      // Origins of A and B do not match.
+      {{"https://example.test/"}, "https://other-origin.test/", false},
+      {{"'self'"}, "https://other-origin.test/", true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+        "http://*.example3.com:*/bar/ 'self'"},
+       "https://other-origin.test/",
+       true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+        "http://*.example3.com:*/bar/ https://other-origin.test/"},
+       "https://other-origin.test/",
+       true},
+      {{"http://example1.com/foo/ 'self'"}, "https://other-origin.test/", true},
+      {{"'self'", "https://example.test/"}, "https://other-origin.test/", true},
+      {{"'self' https://example.test/", "https://example.test/"},
+       "https://other-origin.test/",
+       false},
+      {{"https://example.test/", "http://example.test/"},
+       "https://other-origin.test/",
+       false},
+      {{"'self'", "http://other-origin.test/"},
+       "https://other-origin.test/",
+       true},
+      {{"'self'", "https://non-example.test/"}, "https://other-origin.test/", true},
+      // // B's origin matches one of sources in the source list of A.
+      // {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true},
+      // {{"http://*.example2.com/bar/", "'self'"},
+      //  "http://example2.com/bar/",
+      //  true},
+      // {{"'self' http://*.example1.com/foo/", "http://*.example1.com/foo/"},
+      //  "http://example1.com/",
+      //  false},
+      // {{"http://*.example2.com/bar/ http://example1.com/",
+      //   "'self' http://example1.com/"},
+      //  "http://example2.com/bar/",
+      //  false},

[Mike West, 2016/12/01 13:06:15]

These tests are commented out; do they pass?

[amalika, 2016/12/01 13:27:35]

They were passing before. But I commented them out because they all have
different origins. I will put them back now that we know the above work! 

+  };
+
+  int i = 0;
+  ContentSecurityPolicy* cspB = SetUpWithOrigin("https://other-origin.test/");
+  for (const auto& test : cases) {
+    SCOPED_TRACE(testing::Message() << "--------------------------------------------------\n" );
+    SCOPED_TRACE(testing::Message() << "Test: " << i << ", "
+                                    << test.sourcesB[0] << ", origin of B: "
+                                    << test.originB << "\n");
+    SCOPED_TRACE(testing::Message() << "B self source: " << i << ", "
+                                    << cspB->getSelfSource()->m_scheme
+                                    << cspB->getSelfSource()->m_host
+                                    << cspB->getSelfSource()->m_port << "\n");
+    SCOPED_TRACE(testing::Message() << "--------------------------------------------------\n");

[Mike West, 2016/12/01 13:06:15]

This (and above) seems cleaner as one SCOPED_TRACE rather than 4.

[amalika, 2016/12/01 13:27:35]

I will remove these!

+    i++;
+
+    HeapVector<Member<SourceListDirective>> vectorB;
+    for (const auto& sources : test.sourcesB) {
+      SourceListDirective* member =
+          new SourceListDirective("script-src", sources, cspB);
+      vectorB.append(member);
+    }
+
+    EXPECT_EQ(test.expected, A.subsumes(vectorB));
+  }
+}
+
 }  // namespace blink