Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
index fabecda3a62e84dc3359a1806b2f8c1b3b4e7dc9..acfecf85151985e3ca398f65a166764b14f1f6d0 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
@@ -37,6 +37,16 @@ class SourceListDirectiveTest : public ::testing::Test { |
csp->bindToExecutionContext(document.get()); |
} |
+ ContentSecurityPolicy* SetUpWithOrigin(const String& origin) { |
+ KURL url(ParsedURLString, origin); |
+ RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(url)); |
+ Document* document = Document::create(); |
+ document->setSecurityOrigin(secureOrigin); |
+ ContentSecurityPolicy* csp = ContentSecurityPolicy::create(); |
+ csp->bindToExecutionContext(document); |
+ return csp; |
+ } |
+ |
bool equalSources(const Source& a, const Source& b) { |
return a.scheme == b.scheme && a.host == b.host && a.port == b.port && |
a.path == b.path && a.hostWildcard == b.hostWildcard && |
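Review bot: SetUpWithOrigin never checks that `origin` parsed into a valid URL, so a mistyped `originB` in a caller silently produces a unique SecurityOrigin in which `'self'` matches nothing, and a case can then pass or fail for the wrong reason. Adding `EXPECT_TRUE(url.isValid());` right after the `KURL url(ParsedURLString, origin);` line turns that into a visible gtest failure without changing the helper's return path. The helper also departs from the fixture's existing setup, which binds the policy to a handle-held document (`document.get()` two lines above) while this one hands out a raw `Document*` that is only reachable through the returned csp and the caller's stack; that is presumably fine for the synchronous test bodies here, but a short comment such as `// Document and csp are GC-managed; keep the returned csp in scope for as long as the directive is used.` would document the lifetime the caller is expected to respect. The fixture class itself begins before this hunk.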
@@ -437,4 +447,121 @@ TEST_F(SourceListDirectiveTest, Subsumes) { |
} |
} |
+TEST_F(SourceListDirectiveTest, SubsumesWithSelf) { |
+ SourceListDirective A("script-src", |
+ "http://example1.com/foo/ http://*.example2.com/bar/ " |
+ "http://*.example3.com:*/bar/ 'self'", |
+ csp.get()); |
+ |
+ struct TestCase { |
+ std::vector<const char*> sourcesB; |
+ const char* originB; |
+ bool expected; |
+ } cases[] = { |
+ // "https://example.test/" is a secure origin for both A and B. |
+ {{"'self'"}, "https://example.test/", true}, |
+ {{"'self' 'self' 'self'"}, "https://example.test/", true}, |
+ {{"'self'", "'self'", "'self'"}, "https://example.test/", true}, |
+ {{"'self'", "'self'", "https://*.example.test/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"'self'", "'self'", "https://*.example.test/bar/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"'self' https://another.test/bar", "'self' http://*.example.test/bar", |
+ "https://*.example.test/bar/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true}, |
+ {{"http://example1.com/foo/ https://example.test/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"http://example1.com/foo/ http://*.example2.com/bar/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
+ "http://*.example3.com:*/bar/ https://example.test/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
+ "http://*.example3.com:*/bar/ 'self'"}, |
+ "https://example.test/", |
+ true}, |
+ {{"'self'", "'self'", "https://example.test/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"'self'", "https://example.test/folder/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"'self'", "http://example.test/folder/"}, |
+ "https://example.test/", |
+ true}, |
+ {{"'self' https://example.com/", "https://example.com/"}, |
+ "https://example.test/", |
+ false}, |
+ {{"http://example1.com/foo/ http://*.example2.com/bar/", |
+ "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"}, |
+ "https://example.test/", |
+ true}, |
+ {{"http://*.example1.com/foo/", "http://*.example1.com/foo/ 'self'"}, |
+ "https://example.test/", |
+ false}, |
+ {{"https://*.example.test/", "https://*.example.test/ 'self'"}, |
+ "https://example.test/", |
+ false}, |
+ {{"http://example.test/"}, "https://example.test/", false}, |
+ {{"https://example.test/"}, "https://example.test/", true}, |
+ // Origins of A and B do not match. |
+ {{"https://example.test/"}, "https://other-origin.test/", false}, |
+ {{"'self'"}, "https://other-origin.test/", true}, |
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
+ "http://*.example3.com:*/bar/ 'self'"}, |
+ "https://other-origin.test/", |
+ true}, |
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ " |
+ "http://*.example3.com:*/bar/ https://other-origin.test/"}, |
+ "https://other-origin.test/", |
+ true}, |
+ {{"http://example1.com/foo/ 'self'"}, "https://other-origin.test/", true}, |
+ {{"'self'", "https://example.test/"}, "https://other-origin.test/", true}, |
+ {{"'self' https://example.test/", "https://example.test/"}, |
+ "https://other-origin.test/", |
+ false}, |
+ {{"https://example.test/", "http://example.test/"}, |
+ "https://other-origin.test/", |
+ false}, |
+ {{"'self'", "http://other-origin.test/"}, |
+ "https://other-origin.test/", |
+ true}, |
+ {{"'self'", "https://non-example.test/"}, |
+ "https://other-origin.test/", |
+ true}, |
+ // B's origin matches one of sources in the source list of A. |
+ {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true}, |
+ {{"http://*.example2.com/bar/", "'self'"}, |
+ "http://example2.com/bar/", |
+ true}, |
+ {{"'self' http://*.example1.com/foo/", "http://*.example1.com/foo/"}, |
+ "http://example1.com/", |
+ false}, |
+ {{"http://*.example2.com/bar/ http://example1.com/", |
+ "'self' http://example1.com/"}, |
+ "http://example2.com/bar/", |
+ false}, |
+ }; |
+ |
+ for (const auto& test : cases) { |
+ ContentSecurityPolicy* cspB = SetUpWithOrigin(String(test.originB)); |
+ |
+ HeapVector<Member<SourceListDirective>> vectorB; |
+ for (const auto& sources : test.sourcesB) { |
+ SourceListDirective* member = |
+ new SourceListDirective("script-src", sources, cspB); |
+ vectorB.append(member); |
+ } |
+ |
+ EXPECT_EQ(test.expected, A.subsumes(vectorB)); |
+ } |
+} |
+ |
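Review bot: A failing `EXPECT_EQ` in the loop at the end of SubsumesWithSelf prints only the two booleans, with nothing identifying which of the roughly thirty-five cases failed; adding `SCOPED_TRACE(testing::Message() << "originB=" << test.originB);` as the first statement of the loop body makes the gtest output name the case. The test also depends on the fixture's `csp` (used to build A) being bound to `https://example.test/` — the comment on the first group of cases says so, but A's origin is never stated in the test itself; constructing A with `SetUpWithOrigin(String("https://example.test/"))` instead of `csp.get()` would make that assumption explicit and self-contained.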
} // namespace blink |