1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
30 }; | 30 }; |
31 | 31 |
32 virtual void SetUp() { | 32 virtual void SetUp() { |
33 KURL secureURL(ParsedURLString, "https://example.test/image.png"); | 33 KURL secureURL(ParsedURLString, "https://example.test/image.png"); |
34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); | 34 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); |
35 document = Document::create(); | 35 document = Document::create(); |
36 document->setSecurityOrigin(secureOrigin); | 36 document->setSecurityOrigin(secureOrigin); |
37 csp->bindToExecutionContext(document.get()); | 37 csp->bindToExecutionContext(document.get()); |
38 } | 38 } |
39 | 39 |
| 40 ContentSecurityPolicy* SetUpWithOrigin(const String& origin) { |
| 41 KURL url(ParsedURLString, origin); |
| 42 RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(url)); |
| 43 Document* document = Document::create(); |
| 44 document->setSecurityOrigin(secureOrigin); |
| 45 ContentSecurityPolicy* csp = ContentSecurityPolicy::create(); |
| 46 csp->bindToExecutionContext(document); |
| 47 return csp; |
| 48 } |
| 49 |
40 bool equalSources(const Source& a, const Source& b) { | 50 bool equalSources(const Source& a, const Source& b) { |
41 return a.scheme == b.scheme && a.host == b.host && a.port == b.port && | 51 return a.scheme == b.scheme && a.host == b.host && a.port == b.port && |
42 a.path == b.path && a.hostWildcard == b.hostWildcard && | 52 a.path == b.path && a.hostWildcard == b.hostWildcard && |
43 a.portWildcard == b.portWildcard; | 53 a.portWildcard == b.portWildcard; |
44 } | 54 } |
45 | 55 |
46 Persistent<ContentSecurityPolicy> csp; | 56 Persistent<ContentSecurityPolicy> csp; |
47 Persistent<Document> document; | 57 Persistent<Document> document; |
48 }; | 58 }; |
49 | 59 |
430 EXPECT_EQ(required.subsumes(returned), test.expected); | 440 EXPECT_EQ(required.subsumes(returned), test.expected); |
431 | 441 |
432 // If required is empty, any returned should be subsumed by it. | 442 // If required is empty, any returned should be subsumed by it. |
433 SourceListDirective requiredIsEmpty("script-src", "", csp.get()); | 443 SourceListDirective requiredIsEmpty("script-src", "", csp.get()); |
434 EXPECT_TRUE( | 444 EXPECT_TRUE( |
435 requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>())); | 445 requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>())); |
436 EXPECT_TRUE(requiredIsEmpty.subsumes(returned)); | 446 EXPECT_TRUE(requiredIsEmpty.subsumes(returned)); |
437 } | 447 } |
438 } | 448 } |
439 | 449 |
| 450 TEST_F(SourceListDirectiveTest, SubsumesWithSelf) { |
| 451 SourceListDirective A("script-src", |
| 452 "http://example1.com/foo/ http://*.example2.com/bar/ " |
| 453 "http://*.example3.com:*/bar/ 'self'", |
| 454 csp.get()); |
| 455 |
| 456 struct TestCase { |
| 457 std::vector<const char*> sourcesB; |
| 458 const char* originB; |
| 459 bool expected; |
| 460 } cases[] = { |
| 461 // "https://example.test/" is a secure origin for both A and B. |
| 462 {{"'self'"}, "https://example.test/", true}, |
| 463 {{"'self' 'self' 'self'"}, "https://example.test/", true}, |
| 464 {{"'self'", "'self'", "'self'"}, "https://example.test/", true}, |
| 465 {{"'self'", "'self'", "https://*.example.test/"}, |
| 466 "https://example.test/", |
| 467 true}, |
| 468 {{"'self'", "'self'", "https://*.example.test/bar/"}, |
| 469 "https://example.test/", |
| 470 true}, |
| 471 {{"'self' https://another.test/bar", "'self' http://*.example.test/bar", |
| 472 "https://*.example.test/bar/"}, |
| 473 "https://example.test/", |
| 474 true}, |
| 475 {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true}, |
| 476 {{"http://example1.com/foo/ https://example.test/"}, |
| 477 "https://example.test/", |
| 478 true}, |
| 479 {{"http://example1.com/foo/ http://*.example2.com/bar/"}, |
| 480 "https://example.test/", |
| 481 true}, |
| 482 {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
| 483 "http://*.example3.com:*/bar/ https://example.test/"}, |
| 484 "https://example.test/", |
| 485 true}, |
| 486 {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
| 487 "http://*.example3.com:*/bar/ 'self'"}, |
| 488 "https://example.test/", |
| 489 true}, |
| 490 {{"'self'", "'self'", "https://example.test/"}, |
| 491 "https://example.test/", |
| 492 true}, |
| 493 {{"'self'", "https://example.test/folder/"}, |
| 494 "https://example.test/", |
| 495 true}, |
| 496 {{"'self'", "http://example.test/folder/"}, |
| 497 "https://example.test/", |
| 498 true}, |
| 499 {{"'self' https://example.com/", "https://example.com/"}, |
| 500 "https://example.test/", |
| 501 false}, |
| 502 {{"http://example1.com/foo/ http://*.example2.com/bar/", |
| 503 "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"}, |
| 504 "https://example.test/", |
| 505 true}, |
| 506 {{"http://*.example1.com/foo/", "http://*.example1.com/foo/ 'self'"}, |
| 507 "https://example.test/", |
| 508 false}, |
| 509 {{"https://*.example.test/", "https://*.example.test/ 'self'"}, |
| 510 "https://example.test/", |
| 511 false}, |
| 512 {{"http://example.test/"}, "https://example.test/", false}, |
| 513 {{"https://example.test/"}, "https://example.test/", true}, |
| 514 // Origins of A and B do not match. |
| 515 {{"https://example.test/"}, "https://other-origin.test/", false}, |
| 516 {{"'self'"}, "https://other-origin.test/", true}, |
| 517 {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
| 518 "http://*.example3.com:*/bar/ 'self'"}, |
| 519 "https://other-origin.test/", |
| 520 true}, |
| 521 {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
| 522 "http://*.example3.com:*/bar/ https://other-origin.test/"}, |
| 523 "https://other-origin.test/", |
| 524 true}, |
| 525 {{"http://example1.com/foo/ 'self'"}, "https://other-origin.test/", true}, |
| 526 {{"'self'", "https://example.test/"}, "https://other-origin.test/", true}, |
| 527 {{"'self' https://example.test/", "https://example.test/"}, |
| 528 "https://other-origin.test/", |
| 529 false}, |
| 530 {{"https://example.test/", "http://example.test/"}, |
| 531 "https://other-origin.test/", |
| 532 false}, |
| 533 {{"'self'", "http://other-origin.test/"}, |
| 534 "https://other-origin.test/", |
| 535 true}, |
| 536 {{"'self'", "https://non-example.test/"}, |
| 537 "https://other-origin.test/", |
| 538 true}, |
| 539 // B's origin matches one of sources in the source list of A. |
| 540 {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true}, |
| 541 {{"http://*.example2.com/bar/", "'self'"}, |
| 542 "http://example2.com/bar/", |
| 543 true}, |
| 544 {{"'self' http://*.example1.com/foo/", "http://*.example1.com/foo/"}, |
| 545 "http://example1.com/", |
| 546 false}, |
| 547 {{"http://*.example2.com/bar/ http://example1.com/", |
| 548 "'self' http://example1.com/"}, |
| 549 "http://example2.com/bar/", |
| 550 false}, |
| 551 }; |
| 552 |
| 553 for (const auto& test : cases) { |
| 554 ContentSecurityPolicy* cspB = SetUpWithOrigin(String(test.originB)); |
| 555 |
| 556 HeapVector<Member<SourceListDirective>> vectorB; |
| 557 for (const auto& sources : test.sourcesB) { |
| 558 SourceListDirective* member = |
| 559 new SourceListDirective("script-src", sources, cspB); |
| 560 vectorB.append(member); |
| 561 } |
| 562 |
| 563 EXPECT_EQ(test.expected, A.subsumes(vectorB)); |
| 564 } |
| 565 } |
| 566 |
440 } // namespace blink | 567 } // namespace blink |
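Review bot: In the new `SetUpWithOrigin` helper the locals `document` and `csp` shadow the fixture members of the same names declared just below (`Persistent<ContentSecurityPolicy> csp;` / `Persistent<Document> document;`), which is easy to misread as reusing the fixture's policy when the helper actually returns a fresh, unrelated one; renaming them, e.g. `Document* otherDocument = Document::create();` and `ContentSecurityPolicy* otherCsp = ContentSecurityPolicy::create();`, removes the ambiguity, and the parameter would be clearer as `url` since it is parsed as a full KURL rather than an origin. In the "Origins of A and B do not match" cases of `SubsumesWithSelf`, B lists containing only `'self'` (bound to `https://other-origin.test/`) are expected to be subsumed by A, whose `'self'` is `https://example.test/`, while an explicit `https://example.test/` in B with the same origin is expected not to be; if that is because `subsumes` compares the `'self'` keyword as written rather than the resolved origin, a comment above that group such as `// 'self' is matched as a keyword, not resolved against B's origin.` would spare the next reader re-deriving it from the expected values, since nothing on the page states it.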