Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(73)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-wildcards-in-hosts-ports.html

Issue 2526473005: Part 4.1: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-self.html ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js » ('j') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-wildcards-in-hosts-ports.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-wildcards-in-hosts-ports.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-wildcards-in-hosts-ports.html
new file mode 100644
index 0000000000000000000000000000000000000000..7d455707828f4bf731f1a73ec03ef71ba55f3e2e
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-wildcards-in-hosts-ports.html
@@ -0,0 +1,181 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>
+</head>
+<body>
+ <script>
+ //
+ // Total of one wildcard.
+ //
+ async_test(t => {
+ required_csp = "frame-src http://c.com:* http://b.com:80";
+ returned_csp = "frame-src http://b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "0");
+ }, "Wildcard in port in returned_csp vs no wildcard in port in required_csp should be 'Blocked'.");
+
+ async_test(t => {
+ required_csp = "frame-src http://c.com:* http://b.com:*";
+ returned_csp = "frame-src http://b.com:80";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "1");
+ }, "Wildcard in port in returned_csp vs a wildcard in port in required_csp should be 'Allowed'.");
+
+ async_test(t => {
+ required_csp = "frame-src http://c.com:* http://b.com:80";
+ returned_csp = "frame-src http://*.b.com:80";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "2");
+ }, "Wildcard in host in returned_csp vs no wildcard in host in required_csp should be 'Blocked'.");
+
+ async_test(t => {
+ required_csp = "frame-src http://c.com:* http://*.b.com:80";
+ returned_csp = "frame-src http://b.com:80";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "3");
+ }, "Wildcard in host in returned_csp vs a wildcard in port in required_csp should be 'Allowed'.");
+
+ //
+ // Total of two wildcards.
+ //
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://b.com:80";
+ returned_csp = "img-src http://*.b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "4");
+ }, "Wildcards in returned_csp are less restrictive.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.b.com:*";
+ returned_csp = "img-src http://b.com:80";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "5");
+ }, "Returned csp with no wildcards should be 'Allowed'.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.b.com:80";
+ returned_csp = "img-src http://*.b.com:80";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "6");
+ }, "'Allowed' if exact match of wildcards in hosts.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://b.com:*";
+ returned_csp = "img-src http://b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "7");
+ }, "'Allowed' if exact match of wildcards in ports.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://d.com:*";
+ returned_csp = "img-src http://b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "8");
+ }, "'Blocked' if exact match of wildcards in ports but not matching hosts.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://b.com:*";
+ returned_csp = "img-src http://*.b.com:80";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "9");
+ }, "Cross wildcards so the iframe should be 'Blocked'.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.b.com:80";
+ returned_csp = "img-src http://b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "10");
+ }, "Cross wildcards again so the iframe should be 'Blocked'.");
+
+ //
+ // Total of three wildcards.
+ //
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.b.com:*";
+ returned_csp = "img-src http://b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "11");
+ }, "Two out of three wildcards in required_csp should correspond to iframe being 'Allowed'.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.b.com:*";
+ returned_csp = "img-src http://*.b.com:80";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "12");
+ }, "Two out of three wildcards in required_csp again should correspond to iframe being 'Allowed'.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.b.com:80";
+ returned_csp = "img-src http://*.b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "13");
+ }, "Two out of three wildcards in returned_csp should correspond to iframe being 'Blocked'.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://b.com:*";
+ returned_csp = "img-src http://*.b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "14");
+ }, "Two out of three wildcards in returned_csp again should correspond to iframe being 'Blocked'.");
+
+ //
+ // Total of four wildcards.
+ //
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.b.com:*";
+ returned_csp = "img-src http://*.b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "15");
+ }, "Origins with wildcards in hosts and ports should be matched.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* https://*.b.com:*";
+ returned_csp = "img-src http://*.b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "16");
+ }, "Origins with wildcards in hosts and ports should be matched but also protocols.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.d.com:*";
+ returned_csp = "img-src https://*.b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "17");
+ }, "Not matching four wildcards.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://*.b.com:*";
+ returned_csp = "img-src https://*.b.com:*";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "18");
+ }, "Four wildcards and https in returned_csp should be 'Allowed'.");
+
+ //
+ // Total of zero wildcards.
+ //
+ async_test(t => {
+ required_csp = "img-src http://c.com:* http://b.com";
+ returned_csp = "img-src http://b.com";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "19");
+ }, "Exact match.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com:* https://b.com";
+ returned_csp = "img-src https://b.com";
+ url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "20");
+ }, "Exact match in https.");
+
+ async_test(t => {
+ required_csp = "img-src http://c.com; frame-src http://b.com";
+ returned_csp1 = "img-src http://c.com; frame-src http://b.com:*";
+ returned_csp2 = "frame-src http://b.com; img-src http://c.com:*";
+ url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp1, returned_csp2);
+ injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "21");
+ }, "Exact match in https.");
+ </script>
+</body>
+</html>
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-self.html ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js » ('j') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698