1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/fetch/IntegrityMetadata.h" | 8 #include "core/fetch/IntegrityMetadata.h" |
9 #include "core/frame/csp/CSPDirectiveList.h" | 9 #include "core/frame/csp/CSPDirectiveList.h" |
10 #include "core/html/HTMLScriptElement.h" | 10 #include "core/html/HTMLScriptElement.h" |
904 response, secureOrigin.get()), | 904 response, secureOrigin.get()), |
905 test.inherits); | 905 test.inherits); |
906 | 906 |
907 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, | 907 response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, |
908 AtomicString("https://example.test")); | 908 AtomicString("https://example.test")); |
909 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( | 909 EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
910 response, secureOrigin.get())); | 910 response, secureOrigin.get())); |
911 } | 911 } |
912 } | 912 } |
913 | 913 |
914 TEST_F(ContentSecurityPolicyTest, Subsumes) { | |
amalika
2016/11/28 11:56:22
Since we test subsumption on other levels + layout
| |
915 ContentSecurityPolicy* other = ContentSecurityPolicy::create(); | |
916 EXPECT_TRUE(csp->subsumes(*other)); | |
917 EXPECT_TRUE(other->subsumes(*csp)); | |
918 | |
919 csp->didReceiveHeader("default-src http://example.com;", | |
920 ContentSecurityPolicyHeaderTypeEnforce, | |
921 ContentSecurityPolicyHeaderSourceHTTP); | |
922 // If this CSP is not empty, the other must not be empty either. | |
923 EXPECT_FALSE(csp->subsumes(*other)); | |
924 EXPECT_TRUE(other->subsumes(*csp)); | |
925 | |
926 // Report-only policies do not impact subsumption. | |
927 other->didReceiveHeader("default-src http://example.com;", | |
928 ContentSecurityPolicyHeaderTypeReport, | |
929 ContentSecurityPolicyHeaderSourceHTTP); | |
930 EXPECT_FALSE(csp->subsumes(*other)); | |
931 | |
932 // CSPDirectiveLists have to subsume. | |
933 other->didReceiveHeader("default-src http://example.com https://another.com;", | |
934 ContentSecurityPolicyHeaderTypeEnforce, | |
935 ContentSecurityPolicyHeaderSourceHTTP); | |
936 EXPECT_FALSE(csp->subsumes(*other)); | |
937 | |
938 // `other` is stricter than `this`. | |
939 other->didReceiveHeader("default-src https://example.com;", | |
940 ContentSecurityPolicyHeaderTypeEnforce, | |
941 ContentSecurityPolicyHeaderSourceHTTP); | |
942 EXPECT_TRUE(csp->subsumes(*other)); | |
943 } | |
944 | |
914 } // namespace blink | 945 } // namespace blink |