Chromium Code Reviews| Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| index fabecda3a62e84dc3359a1806b2f8c1b3b4e7dc9..bfa0946f4a93b2028d04a2bed47737a17126ee18 100644 |
| --- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| +++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| @@ -37,6 +37,16 @@ class SourceListDirectiveTest : public ::testing::Test { |
| csp->bindToExecutionContext(document.get()); |
| } |
| + ContentSecurityPolicy* SetUpWithOrigin(const String& origin) { |
| + KURL secureURL(ParsedURLString, origin); |
| + RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL)); |
| + Document* document = Document::create(); |
| + document->setSecurityOrigin(secureOrigin); |
| + ContentSecurityPolicy* csp = ContentSecurityPolicy::create(); |
| + csp->setupSelf(*SecurityOrigin::createFromString(origin)); |
| + return csp; |
| + } |
| + |
| bool equalSources(const Source& a, const Source& b) { |
| return a.scheme == b.scheme && a.host == b.host && a.port == b.port && |
| a.path == b.path && a.hostWildcard == b.hostWildcard && |
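Review bot: In `SetUpWithOrigin`, the `Document` that is created and given `secureOrigin` is never attached to the returned policy. Unlike the fixture code just above, there is no `csp->bindToExecutionContext(...)`, and 'self' is set separately through `setupSelf(*SecurityOrigin::createFromString(origin))`. From the visible lines the first four statements look like dead code, so either drop them or bind the policy to the document if an execution context is meant to be part of the setup. The `secure` prefix on `secureURL`/`secureOrigin` is also misleading, since some test rows pass `http://` origins, and the capitalised helper name differs from `equalSources` next to it. `equalSources` continues past the end of this hunk.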
| @@ -437,4 +447,118 @@ TEST_F(SourceListDirectiveTest, Subsumes) { |
| } |
| } |
| +TEST_F(SourceListDirectiveTest, SubsumesWithSelf) { |
| + SourceListDirective A("script-src", |
| + "http://example1.com/foo/ http://*.example2.com/bar/ " |
| + "http://*.example3.com:*/bar/ 'self'", |
| + csp.get()); |
| + |
| + struct TestCase { |
| + std::vector<String> sourcesB; |
| + const String& originB; |
| + bool expected; |
| + } cases[] = { |
| + // "https://example.test/" is a secure origin for both A and B. |
| + {{"'self'"}, "https://example.test/", true}, |
| + {{"'self' 'self' 'self'"}, "https://example.test/", true}, |
| + {{"'self'", "'self'", "'self'"}, "https://example.test/", true}, |
| + {{"'self'", "'self'", "https://*.example.test/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"'self'", "'self'", "https://*.example.test/bar/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"'self' https://another.test/bar", "'self' http://*.example.test/bar", |
| + "https://*.example.test/bar/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true}, |
| + {{"http://example1.com/foo/ https://example.test/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"http://example1.com/foo/ http://*.example2.com/bar/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
| + "http://*.example3.com:*/bar/ https://example.test/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
| + "http://*.example3.com:*/bar/ 'self'"}, |
| + "https://example.test/", |
| + true}, |
| + {{"'self'", "'self'", "https://example.test/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"'self'", "https://example.test/folder/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"'self'", "http://example.test/folder/"}, |
| + "https://example.test/", |
| + true}, |
| + {{"'self' https://example.com/", "https://example.com/"}, |
| + "https://example.test/", |
| + false}, |
| + {{"http://example1.com/foo/ http://*.example2.com/bar/", |
| + "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"}, |
| + "https://example.test/", |
| + true}, |
| + {{"http://*.example1.com/foo/", "http://*.example1.com/foo/ 'self'"}, |
| + "https://example.test/", |
| + false}, |
| + {{"https://*.example.test/", "https://*.example.test/ 'self'"}, |
| + "https://example.test/", |
| + false}, |
| + {{"http://example.test/"}, "https://example.test/", false}, |
| + // Origins of A and B do not match. |
| + {{"'self'"}, "https://other-origin.test/", true}, |
| + {{"https://example.test/"}, "https://other-origin.test/", false}, |
| + {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
| + "http://*.example3.com:*/bar/ 'self'"}, |
| + "https://other-origin.test/", |
| + true}, |
| + {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
| + "http://*.example3.com:*/bar/ https://other-origin.test/"}, |
| + "https://other-origin.test/", |
| + true}, |
| + {{"http://example1.com/foo/ 'self'"}, "https://other-origin.test/", true}, |
| + {{"'self'", "https://example.test/"}, "https://other-origin.test/", true}, |
| + {{"'self' https://example.test/", "https://example.test/"}, |
| + "https://other-origin.test/", |
| + false}, |
| + {{"https://example.test/", "http://example.test/"}, |
| + "https://other-origin.test/", |
| + false}, |
| + {{"'self'", "http://other-origin.test/"}, |
| + "https://other-origin.test/", |
| + true}, |
| + {{"'self'", "https://example.test/"}, "https://other-origin.test/", true}, |
| + // B's origin matches one of sources in the source list of A. |
| + {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true}, |
| + {{"http://*.example2.com/bar/", "'self'"}, |
| + "http://example2.com/bar/", |
| + true}, |
| + {{"'self' http://*.example1.com/foo/", "http://*.example1.com/foo/"}, |
| + "http://example1.com/", |
| + false}, |
| + {{"http://*.example2.com/bar/ http://example1.com/", |
| + "'self' http://example1.com/"}, |
| + "http://example2.com/bar/", |
| + false}, |
| + }; |
| + |
| + for (const auto& test : cases) { |
| + ContentSecurityPolicy* cspB = SetUpWithOrigin(test.originB); |
|
Mike West
2016/11/30 13:24:20
It will be easier to debug the failing bot if you
|
| + |
| + HeapVector<Member<SourceListDirective>> vectorB; |
| + for (const auto& sources : test.sourcesB) { |
| + SourceListDirective* member = |
| + new SourceListDirective("script-src", sources, cspB); |
| + vectorB.append(member); |
| + } |
| + |
| + EXPECT_EQ(A.subsumes(vectorB), test.expected); |
| + } |
| +} |
| + |
| } // namespace blink |
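Review bot: `const String& originB;` in `TestCase` makes every row hold a reference to a temporary `String` built from a string literal, so the table is valid only while aggregate initialisation extends each temporary's lifetime to that of `cases`. That is a fragile thing for a CSP test to depend on: if the reference ever dangled, `SetUpWithOrigin(test.originB)` would set up 'self' from an invalid string, and the subsumption expectations would no longer test the origins written in the table. Storing the origin by value, `String originB;`, removes the dependency at no cost. Separately, the row `{{"'self'", "https://example.test/"}, "https://other-origin.test/", true}` appears twice in the "origins do not match" group, and one copy could be replaced with a distinct case.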