Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp |
index 48c4aaeef6020f9b283d81659efab9571798a354..120d13f1bdb5fecef2c4902eeb9e2781789d27cb 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp |
@@ -402,20 +402,21 @@ TEST_F(CSPDirectiveListTest, workerSrc) { |
{"default-src *; worker-src 'none'", false}, |
{"default-src *; worker-src http://not.example.test", false}, |
{"default-src *; worker-src https://example.test", true}, |
- {"child-src *; worker-src 'none'", false}, |
- {"child-src *; worker-src http://not.example.test", false}, |
- {"child-src *; worker-src https://example.test", true}, |
- {"default-src *; child-src *; worker-src 'none'", false}, |
- {"default-src *; child-src *; worker-src http://not.example.test", false}, |
- {"default-src *; child-src *; worker-src https://example.test", true}, |
- |
- // Fallback to child-src. |
- {"child-src 'none'", false}, |
- {"child-src http://not.example.test", false}, |
- {"child-src https://example.test", true}, |
- {"default-src *; child-src 'none'", false}, |
- {"default-src *; child-src http://not.example.test", false}, |
- {"default-src *; child-src https://example.test", true}, |
+ {"script-src *; worker-src 'none'", false}, |
+ {"script-src *; worker-src http://not.example.test", false}, |
+ {"script-src *; worker-src https://example.test", true}, |
+ {"default-src *; script-src *; worker-src 'none'", false}, |
+ {"default-src *; script-src *; worker-src http://not.example.test", |
+ false}, |
+ {"default-src *; script-src *; worker-src https://example.test", true}, |
+ |
+ // Fallback to script-src. |
+ {"script-src 'none'", false}, |
+ {"script-src http://not.example.test", false}, |
+ {"script-src https://example.test", true}, |
+ {"default-src *; script-src 'none'", false}, |
+ {"default-src *; script-src http://not.example.test", false}, |
+ {"default-src *; script-src https://example.test", true}, |
estark
2016/11/29 22:01:16
Maybe add
script-src 'none'; child-src *
to test t
Mike West
2016/11/30 12:34:30
Added a new test for the fallback behavior. Thanks
|
// Fallback to default-src. |
{"default-src 'none'", false}, |
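Review bot: Every combined row added under `// Fallback to script-src.` pairs `script-src` with `default-src *`, so the table only shows `script-src` overriding a permissive `default-src`, never a restrictive one. A row such as `{"default-src 'none'; script-src https://example.test", true},` would pin that `script-src` alone decides once it is present. The expected value is inferred from the existing `script-src https://example.test` row, so confirm it against the URL the test body checks. The test body starts and ends outside the hunk.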
@@ -517,7 +518,12 @@ TEST_F(CSPDirectiveListTest, SubsumesBasedOnCSPSourcesOnly) { |
} |
TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) { |
- enum DefaultBehaviour { Default, NoDefault, ChildAndDefault }; |
+ enum DefaultBehaviour { |
+ Default, |
+ NoDefault, |
+ ChildAndDefault, |
+ ScriptAndDefault |
+ }; |
struct TestCase { |
ContentSecurityPolicy::DirectiveType directive; |
@@ -540,7 +546,7 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) { |
{ContentSecurityPolicy::DirectiveType::FormAction, NoDefault}, |
// Directive with multiple default directives. |
{ContentSecurityPolicy::DirectiveType::FrameSrc, ChildAndDefault}, |
- {ContentSecurityPolicy::DirectiveType::WorkerSrc, ChildAndDefault}, |
+ {ContentSecurityPolicy::DirectiveType::WorkerSrc, ScriptAndDefault}, |
}; |
// Initial set-up. |
@@ -569,6 +575,7 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) { |
std::stringstream allExceptThis; |
std::stringstream allExceptChildSrcAndThis; |
+ std::stringstream allExceptScriptSrcAndThis; |
for (const auto& subtest : cases) { |
if (subtest.directive == test.directive) |
continue; |
@@ -579,12 +586,20 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) { |
allExceptChildSrcAndThis << directiveName << " http://" << directiveName |
<< ".com; "; |
} |
+ if (subtest.directive != |
+ ContentSecurityPolicy::DirectiveType::ScriptSrc) { |
+ allExceptScriptSrcAndThis << directiveName << " http://" |
+ << directiveName << ".com; "; |
+ } |
} |
CSPDirectiveList* allExceptThisList = createList( |
allExceptThis.str().c_str(), ContentSecurityPolicyHeaderTypeEnforce); |
CSPDirectiveList* allExceptChildSrcAndThisList = |
createList(allExceptChildSrcAndThis.str().c_str(), |
ContentSecurityPolicyHeaderTypeEnforce); |
+ CSPDirectiveList* allExceptScriptSrcAndThisList = |
+ createList(allExceptScriptSrcAndThis.str().c_str(), |
+ ContentSecurityPolicyHeaderTypeEnforce); |
switch (test.type) { |
case Default: |
@@ -605,6 +620,16 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) { |
EXPECT_EQ(sources.size(), 1u); |
EXPECT_EQ(sources[0]->m_host, "default-src.com"); |
break; |
+ case ScriptAndDefault: |
+ sources = allExceptThisList->operativeDirective(test.directive)->m_list; |
+ EXPECT_EQ(sources.size(), 1u); |
+ EXPECT_EQ(sources[0]->m_host, "script-src.com"); |
+ sources = |
+ allExceptScriptSrcAndThisList->operativeDirective(test.directive) |
+ ->m_list; |
+ EXPECT_EQ(sources.size(), 1u); |
+ EXPECT_EQ(sources[0]->m_host, "default-src.com"); |
+ break; |
} |
} |
} |
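Review bot: In the new `ScriptAndDefault` case, `sources[0]` is read right after `EXPECT_EQ(sources.size(), 1u)`, and a failed EXPECT does not stop the test, so an empty list would be indexed if the fallback ever regresses. Use `ASSERT_EQ(sources.size(), 1u);` before each `sources[0]->m_host` check. The result of `operativeDirective(test.directive)` is also dereferenced without a null check, so asserting it is non-null first would turn a missing fallback into a clean failure rather than a crash. The case just above in the hunk uses the same pattern and could be tightened the same way; the enclosing switch starts outside the hunk.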