
Unified Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp

Issue 2533313002: CSP: Move 'worker-src' onto 'script-src' (Closed)
Patch Set: Created 4 years, 1 month ago
Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
index 48c4aaeef6020f9b283d81659efab9571798a354..120d13f1bdb5fecef2c4902eeb9e2781789d27cb 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
@@ -402,20 +402,21 @@ TEST_F(CSPDirectiveListTest, workerSrc) {
{"default-src *; worker-src 'none'", false},
{"default-src *; worker-src http://not.example.test", false},
{"default-src *; worker-src https://example.test", true},
- {"child-src *; worker-src 'none'", false},
- {"child-src *; worker-src http://not.example.test", false},
- {"child-src *; worker-src https://example.test", true},
- {"default-src *; child-src *; worker-src 'none'", false},
- {"default-src *; child-src *; worker-src http://not.example.test", false},
- {"default-src *; child-src *; worker-src https://example.test", true},
-
- // Fallback to child-src.
- {"child-src 'none'", false},
- {"child-src http://not.example.test", false},
- {"child-src https://example.test", true},
- {"default-src *; child-src 'none'", false},
- {"default-src *; child-src http://not.example.test", false},
- {"default-src *; child-src https://example.test", true},
+ {"script-src *; worker-src 'none'", false},
+ {"script-src *; worker-src http://not.example.test", false},
+ {"script-src *; worker-src https://example.test", true},
+ {"default-src *; script-src *; worker-src 'none'", false},
+ {"default-src *; script-src *; worker-src http://not.example.test",
+ false},
+ {"default-src *; script-src *; worker-src https://example.test", true},
+
+ // Fallback to script-src.
+ {"script-src 'none'", false},
+ {"script-src http://not.example.test", false},
+ {"script-src https://example.test", true},
+ {"default-src *; script-src 'none'", false},
+ {"default-src *; script-src http://not.example.test", false},
+ {"default-src *; script-src https://example.test", true},
estark 2016/11/29 22:01:16 Maybe add script-src 'none'; child-src * to test t
Mike West 2016/11/30 12:34:30 Added a new test for the fallback behavior. Thanks
// Fallback to default-src.
{"default-src 'none'", false},
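Review bot: The new "Fallback to script-src" rows only exercise precedence in the restrictive direction — `{"default-src *; script-src 'none'", false}` shows script-src overriding a permissive default-src, but no row shows a permissive script-src overriding a restrictive default-src, so a regression that let default-src win whenever it is the stricter of the two would still pass this table. Adding `{"default-src 'none'; script-src https://example.test", true}` to the fallback group, and the analogous `{"default-src 'none'; script-src *; worker-src https://example.test", true}` to the group above it, would pin both directions. The workerSrc test body and the opening of its table begin before this hunk.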
@@ -517,7 +518,12 @@ TEST_F(CSPDirectiveListTest, SubsumesBasedOnCSPSourcesOnly) {
}
TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
- enum DefaultBehaviour { Default, NoDefault, ChildAndDefault };
+ enum DefaultBehaviour {
+ Default,
+ NoDefault,
+ ChildAndDefault,
+ ScriptAndDefault
+ };
struct TestCase {
ContentSecurityPolicy::DirectiveType directive;
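Review bot: The reformatted `DefaultBehaviour` enum carries no comment on what each value means, and `ChildAndDefault` / `ScriptAndDefault` now read as parallel even though, per the table change further down, only one of them still applies to worker-src. Trailing comments would make the table readable without scanning the switch at the end of the test, e.g. `ChildAndDefault,   // falls back to child-src, then default-src` and `ScriptAndDefault   // falls back to script-src, then default-src`. The type could also be `enum class`, but as a test-local enum consumed only by that switch this is a matter of taste; the test body continues past this hunk.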
@@ -540,7 +546,7 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
{ContentSecurityPolicy::DirectiveType::FormAction, NoDefault},
// Directive with multiple default directives.
{ContentSecurityPolicy::DirectiveType::FrameSrc, ChildAndDefault},
- {ContentSecurityPolicy::DirectiveType::WorkerSrc, ChildAndDefault},
+ {ContentSecurityPolicy::DirectiveType::WorkerSrc, ScriptAndDefault},
};
// Initial set-up.
@@ -569,6 +575,7 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
std::stringstream allExceptThis;
std::stringstream allExceptChildSrcAndThis;
+ std::stringstream allExceptScriptSrcAndThis;
for (const auto& subtest : cases) {
if (subtest.directive == test.directive)
continue;
@@ -579,12 +586,20 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
allExceptChildSrcAndThis << directiveName << " http://" << directiveName
<< ".com; ";
}
+ if (subtest.directive !=
+ ContentSecurityPolicy::DirectiveType::ScriptSrc) {
+ allExceptScriptSrcAndThis << directiveName << " http://"
+ << directiveName << ".com; ";
+ }
}
CSPDirectiveList* allExceptThisList = createList(
allExceptThis.str().c_str(), ContentSecurityPolicyHeaderTypeEnforce);
CSPDirectiveList* allExceptChildSrcAndThisList =
createList(allExceptChildSrcAndThis.str().c_str(),
ContentSecurityPolicyHeaderTypeEnforce);
+ CSPDirectiveList* allExceptScriptSrcAndThisList =
+ createList(allExceptScriptSrcAndThis.str().c_str(),
+ ContentSecurityPolicyHeaderTypeEnforce);
switch (test.type) {
case Default:
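Review bot: The added `if (subtest.directive != ...ScriptSrc)` block is the third copy of the `<< directiveName << " http://" << directiveName << ".com; "` append (the other two feed `allExceptThis` just before this hunk and `allExceptChildSrcAndThis` at its top), so any change to the synthesized directive format now has to be made in three places. A small lambda declared inside the loop once `directiveName` is set, `auto appendDirective = [&](std::stringstream& out) { out << directiveName << " http://" << directiveName << ".com; "; };`, would reduce the three copies to one-line calls. Note too that all three lists are built for every test case regardless of `test.type`, which was already true for the child-src list; it is harmless, but the script-src list is only read in the `ScriptAndDefault` case. The enclosing loop and test body extend outside this hunk.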
@@ -605,6 +620,16 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
EXPECT_EQ(sources.size(), 1u);
EXPECT_EQ(sources[0]->m_host, "default-src.com");
break;
+ case ScriptAndDefault:
+ sources = allExceptThisList->operativeDirective(test.directive)->m_list;
+ EXPECT_EQ(sources.size(), 1u);
+ EXPECT_EQ(sources[0]->m_host, "script-src.com");
+ sources =
+ allExceptScriptSrcAndThisList->operativeDirective(test.directive)
+ ->m_list;
+ EXPECT_EQ(sources.size(), 1u);
+ EXPECT_EQ(sources[0]->m_host, "default-src.com");
+ break;
}
}
}
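Review bot: In the new `ScriptAndDefault` case each `EXPECT_EQ(sources.size(), 1u)` is immediately followed by `sources[0]`, so if the operative directive ever resolves to an empty source list the test reads out of bounds instead of reporting the mismatch; `ASSERT_EQ(sources.size(), 1u);` (which returns from the test on failure) would be safer at both spots, and the same applies to the pre-existing lines of the case above it. It would also help to spell out what the two checks prove: `allExceptThisList` presumably still contains `child-src` (the separate `allExceptChildSrcAndThis` list only makes sense if it does), so the `"script-src.com"` expectation is what shows script-src now wins over child-src for worker-src, and the `"default-src.com"` expectation after it shows child-src is no longer a fallback at all, e.g. `// child-src is present in both lists and must not be chosen over script-src or default-src.` The switch sits inside the per-case loop, whose start lies before this hunk.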
