
Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-wildcards-in-hosts-ports.html

Issue 2526473005: Part 4.1: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: Rebasing on master Created 4 years ago
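--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-wildcards-in-hosts-ports.html
@@ -0,0 +1,181 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></ script>
+</head>
+<body>
+<script>
+//
+// Total of one wildcard.
+//
+async_test(t => {
+required_csp = "frame-src http://c.com:* http://b.com:80";
+returned_csp = "frame-src http://b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "0");
+}, "Wildcard in port in returned_csp vs no wildcard in port in required_ csp should be 'Blocked'.");
+
+async_test(t => {
+required_csp = "frame-src http://c.com:* http://b.com:*";
+returned_csp = "frame-src http://b.com:80";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "1");
+}, "Wildcard in port in returned_csp vs a wildcard in port in required_c sp should be 'Allowed'.");
+
+async_test(t => {
+required_csp = "frame-src http://c.com:* http://b.com:80";
+returned_csp = "frame-src http://*.b.com:80";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "2");
+}, "Wildcard in host in returned_csp vs no wildcard in host in required_ csp should be 'Blocked'.");
+
+async_test(t => {
+required_csp = "frame-src http://c.com:* http://*.b.com:80";
+returned_csp = "frame-src http://b.com:80";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "3");
+}, "Wildcard in host in returned_csp vs a wildcard in port in required_c sp should be 'Allowed'.");
+
+//
+// Total of two wildcards.
+//
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com:80";
+returned_csp = "img-src http://*.b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "4");
+}, "Wildcards in returned_csp are less restrictive.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.b.com:*";
+returned_csp = "img-src http://b.com:80";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "5");
+}, "Returned csp with no wildcards should be 'Allowed'.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.b.com:80";
+returned_csp = "img-src http://*.b.com:80";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "6");
+}, "'Allowed' if exact match of wildcards in hosts.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com:*";
+returned_csp = "img-src http://b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "7");
+}, "'Allowed' if exact match of wildcards in ports.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://d.com:*";
+returned_csp = "img-src http://b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "8");
+}, "'Blocked' if exact match of wildcards in ports but not matching host s.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com:*";
+returned_csp = "img-src http://*.b.com:80";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "9");
+}, "Cross wildcards so the iframe should be 'Blocked'.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.b.com:80";
+returned_csp = "img-src http://b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "10");
+}, "Cross wildcards again so the iframe should be 'Blocked'.");
+
+//
+// Total of three wildcards.
+//
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.b.com:*";
+returned_csp = "img-src http://b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "11");
+}, "Two out of three wildcards in required_csp should correspond to ifra me being 'Allowed'.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.b.com:*";
+returned_csp = "img-src http://*.b.com:80";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "12");
+}, "Two out of three wildcards in required_csp again should correspond t o iframe being 'Allowed'.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.b.com:80";
+returned_csp = "img-src http://*.b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "13");
+}, "Two out of three wildcards in returned_csp should correspond to ifra me being 'Blocked'.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com:*";
+returned_csp = "img-src http://*.b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "14");
+}, "Two out of three wildcards in returned_csp again should correspond t o iframe being 'Blocked'.");
+
+//
+// Total of four wildcards.
+//
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.b.com:*";
+returned_csp = "img-src http://*.b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "15");
+}, "Origins with wildcards in hosts and ports should be matched.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* https://*.b.com:*";
+returned_csp = "img-src http://*.b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "16");
+}, "Origins with wildcards in hosts and ports should be matched but also protocols.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.d.com:*";
+returned_csp = "img-src https://*.b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "17");
+}, "Not matching four wildcards.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://*.b.com:*";
+returned_csp = "img-src https://*.b.com:*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "18");
+}, "Four wildcards and https in returned_csp should be 'Allowed'.");
+
+//
+// Total of zero wildcards.
+//
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com";
+returned_csp = "img-src http://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "19");
+}, "Exact match.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* https://b.com";
+returned_csp = "img-src https://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "20");
+}, "Exact match in https.");
+
+async_test(t => {
+required_csp = "img-src http://c.com; frame-src http://b.com";
+returned_csp1 = "img-src http://c.com; frame-src http://b.com:*";
+returned_csp2 = "frame-src http://b.com; img-src http://c.com:*";
+url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp1, returned _csp2);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "21");
+}, "Exact match in https.");
+</script>
+</body>
+</html>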
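Review bot: Cases "3", "5" and "11" expect EXPECT_LOAD when required_csp lists `http://*.b.com` and returned_csp names the bare host `http://b.com`, but in CSP source matching a leading `*.` covers subdomains only, so a returned policy that allows `b.com` itself is arguably not subsumed by the required one. If the subsumption algorithm deliberately treats the bare host as covered, a comment above those cases such as `// *.b.com in required_csp is treated as also covering b.com itself` would record that decision; otherwise they should be EXPECT_BLOCK, with a separate subdomain case for the allowed path. Separately, the last two tests share the name "Exact match in https." although case "21" uses http and two returned policies, and the names of cases "1" and "3" speak of a wildcard in returned_csp when the wildcard is in required_csp. Test names should be unique and describe the policies actually under test, since they are what a failure report shows.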
