Issue 2533313002: CSP: Move 'worker-src' onto 'script-src' (Closed)
Patch Set: WPT. Created 3 years, 9 months ago
Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
index c6586f25268af9cb81985400abe05c12c882c8a4..86f819efed137e93a3c26eb22bd2d840b3417a89 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
@@ -407,7 +407,7 @@ TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity) {
}
}
-TEST_F(CSPDirectiveListTest, workerSrc) {
+TEST_F(CSPDirectiveListTest, WorkerSrc) {
struct TestCase {
const char* list;
bool allowed;
@@ -418,20 +418,21 @@ TEST_F(CSPDirectiveListTest, workerSrc) {
{"default-src *; worker-src 'none'", false},
{"default-src *; worker-src http://not.example.test", false},
{"default-src *; worker-src https://example.test", true},
- {"child-src *; worker-src 'none'", false},
- {"child-src *; worker-src http://not.example.test", false},
- {"child-src *; worker-src https://example.test", true},
- {"default-src *; child-src *; worker-src 'none'", false},
- {"default-src *; child-src *; worker-src http://not.example.test", false},
- {"default-src *; child-src *; worker-src https://example.test", true},
-
- // Fallback to child-src.
- {"child-src 'none'", false},
- {"child-src http://not.example.test", false},
- {"child-src https://example.test", true},
- {"default-src *; child-src 'none'", false},
- {"default-src *; child-src http://not.example.test", false},
- {"default-src *; child-src https://example.test", true},
+ {"script-src *; worker-src 'none'", false},
+ {"script-src *; worker-src http://not.example.test", false},
+ {"script-src *; worker-src https://example.test", true},
+ {"default-src *; script-src *; worker-src 'none'", false},
+ {"default-src *; script-src *; worker-src http://not.example.test",
+ false},
+ {"default-src *; script-src *; worker-src https://example.test", true},
+
+ // Fallback to script-src.
+ {"script-src 'none'", false},
+ {"script-src http://not.example.test", false},
+ {"script-src https://example.test", true},
+ {"default-src *; script-src 'none'", false},
+ {"default-src *; script-src http://not.example.test", false},
+ {"default-src *; script-src https://example.test", true},
// Fallback to default-src.
{"default-src 'none'", false},
@@ -451,6 +452,51 @@ TEST_F(CSPDirectiveListTest, workerSrc) {
}
}
+TEST_F(CSPDirectiveListTest, WorkerSrcChildSrcFallback) {
+ // TODO(mkwst): Remove this test once we remove the temporary fallback
+ // behavior. https://crbug.com/662930
+ struct TestCase {
+ const char* list;
+ bool allowed;
+ } cases[] = {
+ // When 'worker-src' is not present, 'child-src' can allow a worker when
+ // present.
+ {"child-src https://example.test", true},
+ {"child-src https://not-example.test", true},
+ {"script-src https://example.test", true},
+ {"script-src https://not-example.test", false},
+ {"child-src https://example.test; script-src https://example.test", true},
+ {"child-src https://example.test; script-src https://not-example.test",
+ true},
+ {"child-src https://not-example.test; script-src https://example.test",
+ true},
+ {"child-src https://not-example.test; script-src "
+ "https://not-example.test",
+ false},
+
+ // If 'worker-src' is present, 'child-src' will not allow a worker.
+ {"worker-src https://example.test; child-src https://example.test", true},
+ {"worker-src https://example.test; child-src https://not-example.test",
+ true},
+ {"worker-src https://not-example.test; child-src https://example.test",
+ false},
+ {"worker-src https://not-example.test; child-src "
+ "https://not-example.test",
+ false},
+ };
+
+ for (const auto& test : cases) {
+ SCOPED_TRACE(test.list);
+ KURL resource = KURL(KURL(), "https://example.test/worker.js");
+ Member<CSPDirectiveList> directiveList =
+ createList(test.list, ContentSecurityPolicyHeaderTypeEnforce);
+ EXPECT_EQ(test.allowed,
+ directiveList->allowWorkerFromSource(
+ resource, ResourceRequest::RedirectStatus::NoRedirect,
+ SecurityViolationReportingPolicy::SuppressReporting));
+ }
+}
+
TEST_F(CSPDirectiveListTest, SubsumesBasedOnCSPSourcesOnly) {
CSPDirectiveList* A = createList(
"script-src http://*.one.com; img-src https://one.com "
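Review bot: The header comment on the new cases understates what they pin: with worker-src absent, the worker is allowed if either child-src or the script-src/default-src chain allows it (`{"child-src https://example.test; script-src https://not-example.test", true}`), so the transitional fallback is a union that is strictly more permissive than script-src alone. That is the security-relevant property a future reader needs, so I would replace the comment with `// Temporary fallback (https://crbug.com/662930): with no worker-src, a worker is allowed if child-src matches OR the script-src -> default-src chain allows it. This is a deliberate loosening; remove with the fallback.` The `{"child-src https://not-example.test", true}` row reads as if a non-matching child-src allows the worker, when it appears to be true only because no script-src or default-src is present either; a short inline note would avoid that misreading. None of the cases combine child-src with default-src — the `default-src *; child-src ...` rows dropped from WorkerSrc in the hunk above are not carried over — so rows such as `{"default-src 'none'; child-src https://example.test", true}` and `{"default-src https://example.test; child-src https://not-example.test", true}` would close that gap, with the expected values confirmed against the implementation under the same union semantics.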
@@ -717,7 +763,12 @@ TEST_F(CSPDirectiveListTest, SubsumesPluginTypes) {
}
TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
- enum DefaultBehaviour { Default, NoDefault, ChildAndDefault };
+ enum DefaultBehaviour {
+ Default,
+ NoDefault,
+ ChildAndDefault,
+ ScriptAndDefault
+ };
struct TestCase {
ContentSecurityPolicy::DirectiveType directive;
@@ -740,7 +791,7 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
{ContentSecurityPolicy::DirectiveType::FormAction, NoDefault},
// Directive with multiple default directives.
{ContentSecurityPolicy::DirectiveType::FrameSrc, ChildAndDefault},
- {ContentSecurityPolicy::DirectiveType::WorkerSrc, ChildAndDefault},
+ {ContentSecurityPolicy::DirectiveType::WorkerSrc, ScriptAndDefault},
};
// Initial set-up.
@@ -769,6 +820,7 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
std::stringstream allExceptThis;
std::stringstream allExceptChildSrcAndThis;
+ std::stringstream allExceptScriptSrcAndThis;
for (const auto& subtest : cases) {
if (subtest.directive == test.directive)
continue;
@@ -779,12 +831,20 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
allExceptChildSrcAndThis << directiveName << " http://" << directiveName
<< ".com; ";
}
+ if (subtest.directive !=
+ ContentSecurityPolicy::DirectiveType::ScriptSrc) {
+ allExceptScriptSrcAndThis << directiveName << " http://"
+ << directiveName << ".com; ";
+ }
}
CSPDirectiveList* allExceptThisList = createList(
allExceptThis.str().c_str(), ContentSecurityPolicyHeaderTypeEnforce);
CSPDirectiveList* allExceptChildSrcAndThisList =
createList(allExceptChildSrcAndThis.str().c_str(),
ContentSecurityPolicyHeaderTypeEnforce);
+ CSPDirectiveList* allExceptScriptSrcAndThisList =
+ createList(allExceptScriptSrcAndThis.str().c_str(),
+ ContentSecurityPolicyHeaderTypeEnforce);
switch (test.type) {
case Default:
@@ -805,6 +865,16 @@ TEST_F(CSPDirectiveListTest, OperativeDirectiveGivenType) {
EXPECT_EQ(sources.size(), 1u);
EXPECT_EQ(sources[0]->m_host, "default-src.com");
break;
+ case ScriptAndDefault:
+ sources = allExceptThisList->operativeDirective(test.directive)->m_list;
+ EXPECT_EQ(sources.size(), 1u);
+ EXPECT_EQ(sources[0]->m_host, "script-src.com");
+ sources =
+ allExceptScriptSrcAndThisList->operativeDirective(test.directive)
+ ->m_list;
+ EXPECT_EQ(sources.size(), 1u);
+ EXPECT_EQ(sources[0]->m_host, "default-src.com");
+ break;
}
}
}
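Review bot: The new `ScriptAndDefault` branch relies on a property that deserves a comment: allExceptThisList presumably still contains a `child-src` entry (the loop skips only the directive under test), yet the operative directive for worker-src is expected to be `script-src.com`, so this case also pins that the temporary child-src fallback from crbug.com/662930 is not part of operativeDirective(). Suggest adding above the first EXPECT in that branch: `// allExceptThisList also carries child-src; worker-src must still resolve to script-src, i.e. the temporary child-src fallback (crbug.com/662930) is not implemented in operativeDirective().` The enclosing test body starts outside the hunk.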
