CSP: Move 'worker-src' onto 'script-src'

third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/frame/csp/SourceListDirective.h"
 #include "platform/loader/fetch/ResourceRequest.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
@@ skipping 389 matching lines @@
     directiveList =
         createList(test.list, ContentSecurityPolicyHeaderTypeEnforce);
     EXPECT_EQ(
         test.expected,
         directiveList->allowRequestWithoutIntegrity(
             test.context, resource, ResourceRequest::RedirectStatus::NoRedirect,
             SecurityViolationReportingPolicy::SuppressReporting));
   }
 }
 
-TEST_F(CSPDirectiveListTest, workerSrc) {
+TEST_F(CSPDirectiveListTest, WorkerSrc) {
   struct TestCase {
     const char* list;
     bool allowed;
   } cases[] = {
       {"worker-src 'none'", false},
       {"worker-src http://not.example.test", false},
       {"worker-src https://example.test", true},
       {"default-src *; worker-src 'none'", false},
       {"default-src *; worker-src http://not.example.test", false},
       {"default-src *; worker-src https://example.test", true},
-      {"child-src *; worker-src 'none'", false},
-      {"child-src *; worker-src http://not.example.test", false},
-      {"child-src *; worker-src https://example.test", true},
-      {"default-src *; child-src *; worker-src 'none'", false},
-      {"default-src *; child-src *; worker-src http://not.example.test", false},
-      {"default-src *; child-src *; worker-src https://example.test", true},
+      {"script-src *; worker-src 'none'", false},
+      {"script-src *; worker-src http://not.example.test", false},
+      {"script-src *; worker-src https://example.test", true},
+      {"default-src *; script-src *; worker-src 'none'", false},
+      {"default-src *; script-src *; worker-src http://not.example.test",
+       false},
+      {"default-src *; script-src *; worker-src https://example.test", true},
 
-      // Fallback to child-src.
-      {"child-src 'none'", false},
-      {"child-src http://not.example.test", false},
-      {"child-src https://example.test", true},
-      {"default-src *; child-src 'none'", false},
-      {"default-src *; child-src http://not.example.test", false},
-      {"default-src *; child-src https://example.test", true},
+      // Fallback to script-src.
+      {"script-src 'none'", false},
+      {"script-src http://not.example.test", false},
+      {"script-src https://example.test", true},
+      {"default-src *; script-src 'none'", false},
+      {"default-src *; script-src http://not.example.test", false},
+      {"default-src *; script-src https://example.test", true},
 
       // Fallback to default-src.
       {"default-src 'none'", false},
       {"default-src http://not.example.test", false},
       {"default-src https://example.test", true},
   };
 
   for (const auto& test : cases) {
     SCOPED_TRACE(test.list);
     KURL resource = KURL(KURL(), "https://example.test/worker.js");
     Member<CSPDirectiveList> directiveList =
         createList(test.list, ContentSecurityPolicyHeaderTypeEnforce);
     EXPECT_EQ(test.allowed,
               directiveList->allowWorkerFromSource(
                   resource, ResourceRequest::RedirectStatus::NoRedirect,
                   SecurityViolationReportingPolicy::SuppressReporting));
   }
 }
 
+TEST_F(CSPDirectiveListTest, WorkerSrcChildSrcFallback) {
+  // TODO(mkwst): Remove this test once we remove the temporary fallback
+  // behavior. https://crbug.com/662930
+  struct TestCase {
+    const char* list;
+    bool allowed;
+  } cases[] = {
+      // When 'worker-src' is not present, 'child-src' can allow a worker when
+      // present.
+      {"child-src https://example.test", true},
+      {"child-src https://not-example.test", true},
+      {"script-src https://example.test", true},
+      {"script-src https://not-example.test", false},
+      {"child-src https://example.test; script-src https://example.test", true},
+      {"child-src https://example.test; script-src https://not-example.test",
+       true},
+      {"child-src https://not-example.test; script-src https://example.test",
+       true},
+      {"child-src https://not-example.test; script-src "
+       "https://not-example.test",
+       false},
+
+      // If 'worker-src' is present, 'child-src' will not allow a worker.
+      {"worker-src https://example.test; child-src https://example.test", true},
+      {"worker-src https://example.test; child-src https://not-example.test",
+       true},
+      {"worker-src https://not-example.test; child-src https://example.test",
+       false},
+      {"worker-src https://not-example.test; child-src "
+       "https://not-example.test",
+       false},
+  };
+
+  for (const auto& test : cases) {
+    SCOPED_TRACE(test.list);
+    KURL resource = KURL(KURL(), "https://example.test/worker.js");
+    Member<CSPDirectiveList> directiveList =
+        createList(test.list, ContentSecurityPolicyHeaderTypeEnforce);
+    EXPECT_EQ(test.allowed,
+              directiveList->allowWorkerFromSource(
+                  resource, ResourceRequest::RedirectStatus::NoRedirect,
+                  SecurityViolationReportingPolicy::SuppressReporting));
+  }
+}
+
 TEST_F(CSPDirectiveListTest, SubsumesBasedOnCSPSourcesOnly) {
   CSPDirectiveList* A = createList(
       "script-src http://*.one.com; img-src https://one.com "
       "http://two.com/imgs/",
       ContentSecurityPolicyHeaderTypeEnforce);
 
   struct TestCase {
     const std::vector<const char*> policies;
     bool expected;
     bool expectedFirstPolicyOpposite;
@@ skipping 246 matching lines @@
     HeapVector<Member<CSPDirectiveList>> listB;
     for (const auto& policyB : test.policiesB)
       listB.push_back(
           createList(policyB, ContentSecurityPolicyHeaderTypeEnforce));
 
     EXPECT_EQ(test.expected, A->subsumes(listB));
   }
 }
 
 TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
-  enum DefaultBehaviour { Default, NoDefault, ChildAndDefault };
+  enum DefaultBehaviour {
+    Default,
+    NoDefault,
+    ChildAndDefault,
+    ScriptAndDefault
+  };
 
   struct TestCase {
     ContentSecurityPolicy::DirectiveType directive;
     const DefaultBehaviour type;
   } cases[] = {
       // Directives with default directive.
       {ContentSecurityPolicy::DirectiveType::ChildSrc, Default},
       {ContentSecurityPolicy::DirectiveType::ConnectSrc, Default},
       {ContentSecurityPolicy::DirectiveType::FontSrc, Default},
       {ContentSecurityPolicy::DirectiveType::ImgSrc, Default},
       {ContentSecurityPolicy::DirectiveType::ManifestSrc, Default},
       {ContentSecurityPolicy::DirectiveType::MediaSrc, Default},
       {ContentSecurityPolicy::DirectiveType::ObjectSrc, Default},
       {ContentSecurityPolicy::DirectiveType::ScriptSrc, Default},
       {ContentSecurityPolicy::DirectiveType::StyleSrc, Default},
       // Directives with no default directive.
       {ContentSecurityPolicy::DirectiveType::BaseURI, NoDefault},
       {ContentSecurityPolicy::DirectiveType::DefaultSrc, NoDefault},
       {ContentSecurityPolicy::DirectiveType::FrameAncestors, NoDefault},
       {ContentSecurityPolicy::DirectiveType::FormAction, NoDefault},
       // Directive with multiple default directives.
       {ContentSecurityPolicy::DirectiveType::FrameSrc, ChildAndDefault},
-      {ContentSecurityPolicy::DirectiveType::WorkerSrc, ChildAndDefault},
+      {ContentSecurityPolicy::DirectiveType::WorkerSrc, ScriptAndDefault},
   };
 
   // Initial set-up.
   std::stringstream allDirectives;
   for (const auto& test : cases) {
     const char* name = ContentSecurityPolicy::getDirectiveName(test.directive);
     allDirectives << name << " http://" << name << ".com; ";
   }
   CSPDirectiveList* allDirectivesList = createList(
       allDirectives.str().c_str(), ContentSecurityPolicyHeaderTypeEnforce);
   CSPDirectiveList* empty =
       createList("", ContentSecurityPolicyHeaderTypeEnforce);
 
   for (const auto& test : cases) {
     const char* name = ContentSecurityPolicy::getDirectiveName(test.directive);
     // When CSPDirectiveList is empty, then `null` should be returned for any
     // type.
     EXPECT_FALSE(empty->operativeDirective(test.directive));
 
     // When all directives present, then given a type that directive value
     // should be returned.
     HeapVector<Member<CSPSource>> sources =
         allDirectivesList->operativeDirective(test.directive)->m_list;
     EXPECT_EQ(sources.size(), 1u);
     EXPECT_TRUE(sources[0]->m_host.startsWith(name));
 
     std::stringstream allExceptThis;
     std::stringstream allExceptChildSrcAndThis;
+    std::stringstream allExceptScriptSrcAndThis;
     for (const auto& subtest : cases) {
       if (subtest.directive == test.directive)
         continue;
       const char* directiveName =
           ContentSecurityPolicy::getDirectiveName(subtest.directive);
       allExceptThis << directiveName << " http://" << directiveName << ".com; ";
       if (subtest.directive != ContentSecurityPolicy::DirectiveType::ChildSrc) {
         allExceptChildSrcAndThis << directiveName << " http://" << directiveName
                                  << ".com; ";
       }
+      if (subtest.directive !=
+          ContentSecurityPolicy::DirectiveType::ScriptSrc) {
+        allExceptScriptSrcAndThis << directiveName << " http://"
+                                  << directiveName << ".com; ";
+      }
     }
     CSPDirectiveList* allExceptThisList = createList(
         allExceptThis.str().c_str(), ContentSecurityPolicyHeaderTypeEnforce);
     CSPDirectiveList* allExceptChildSrcAndThisList =
         createList(allExceptChildSrcAndThis.str().c_str(),
                    ContentSecurityPolicyHeaderTypeEnforce);
+    CSPDirectiveList* allExceptScriptSrcAndThisList =
+        createList(allExceptScriptSrcAndThis.str().c_str(),
+                   ContentSecurityPolicyHeaderTypeEnforce);
 
     switch (test.type) {
       case Default:
         sources = allExceptThisList->operativeDirective(test.directive)->m_list;
         EXPECT_EQ(sources.size(), 1u);
         EXPECT_EQ(sources[0]->m_host, "default-src.com");
         break;
       case NoDefault:
         EXPECT_FALSE(allExceptThisList->operativeDirective(test.directive));
         break;
       case ChildAndDefault:
         sources = allExceptThisList->operativeDirective(test.directive)->m_list;
         EXPECT_EQ(sources.size(), 1u);
         EXPECT_EQ(sources[0]->m_host, "child-src.com");
         sources =
             allExceptChildSrcAndThisList->operativeDirective(test.directive)
                 ->m_list;
         EXPECT_EQ(sources.size(), 1u);
         EXPECT_EQ(sources[0]->m_host, "default-src.com");
         break;
+      case ScriptAndDefault:
+        sources = allExceptThisList->operativeDirective(test.directive)->m_list;
+        EXPECT_EQ(sources.size(), 1u);
+        EXPECT_EQ(sources[0]->m_host, "script-src.com");
+        sources =
+            allExceptScriptSrcAndThisList->operativeDirective(test.directive)
+                ->m_list;
+        EXPECT_EQ(sources.size(), 1u);
+        EXPECT_EQ(sources[0]->m_host, "default-src.com");
+        break;
     }
   }
 }
 
 TEST_F(CSPDirectiveListTest, GetSourceVector) {
   const std::vector<const char*> policies = {
       // Policy 1
       "default-src https://default-src.com",
       // Policy 2
       "child-src http://child-src.com",
@@ skipping 134 matching lines @@
         CSPDirectiveList::getSourceVector(test.directive, policyVector).size(),
         udpatedTotal);
     EXPECT_EQ(CSPDirectiveList::getSourceVector(
                   ContentSecurityPolicy::DirectiveType::ChildSrc, policyVector)
                   .size(),
               expectedChildSrc);
   }
 }
 
 }  // namespace blink