1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
556 new SourceListDirective("script-src", sources, cspB); | 556 new SourceListDirective("script-src", sources, cspB); |
557 vectorB.append(member); | 557 vectorB.append(member); |
558 } | 558 } |
559 | 559 |
560 EXPECT_EQ(A.subsumes(vectorB), test.expected); | 560 EXPECT_EQ(A.subsumes(vectorB), test.expected); |
561 // If emptyA is empty, any vectorB should be subsumed by it. | 561 // If emptyA is empty, any vectorB should be subsumed by it. |
562 EXPECT_TRUE(emptyA.subsumes(vectorB)); | 562 EXPECT_TRUE(emptyA.subsumes(vectorB)); |
563 } | 563 } |
564 } | 564 } |
565 | 565 |
566 TEST_F(SourceListDirectiveTest, AllowAllInline) { | |
567 struct TestCase { | |
568 String sources; | |
569 bool expected; | |
570 } cases[] = { | |
571 // List does not contain 'unsafe-inline'. | |
572 {"http://example1.com/foo/", false}, | |
573 {"'sha512-321cba'", false}, | |
574 {"'nonce-yay'", false}, | |
575 {"'strict-dynamic'", false}, | |
576 {"'sha512-321cba' http://example1.com/foo/", false}, | |
577 {"http://example1.com/foo/ 'sha512-321cba'", false}, | |
578 {"http://example1.com/foo/ 'nonce-yay'", false}, | |
579 {"'sha512-321cba' 'nonce-yay'", false}, | |
580 {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}, | |
581 {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}, | |
582 {" 'sha512-321cba' 'nonce-yay' 'strict-dynamic'", false}, | |
583 // List contains 'unsafe-inline'. | |
584 {"'unsafe-inline'", true}, | |
585 {"'self' 'unsafe-inline'", true}, | |
586 {"'unsafe-inline' http://example1.com/foo/", true}, | |
587 {"'sha512-321cba' 'unsafe-inline'", false}, | |
588 {"'nonce-yay' 'unsafe-inline'", false}, | |
589 {"'strict-dynamic' 'unsafe-inline' 'nonce-yay'", false}, | |
590 {"'sha512-321cba' http://example1.com/foo/ 'unsafe-inline'", false}, | |
591 {"http://example1.com/foo/ 'sha512-321cba' 'unsafe-inline'", false}, | |
592 {"http://example1.com/foo/ 'nonce-yay' 'unsafe-inline'", false}, | |
593 {"'sha512-321cba' 'nonce-yay' 'unsafe-inline'", false}, | |
594 {"http://example1.com/foo/ 'sha512-321cba' 'unsafe-inline' 'nonce-yay'", | |
595 false}, | |
596 {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay' 'unsafe-inline'", | |
597 false}, | |
598 {" 'sha512-321cba' 'unsafe-inline' 'nonce-yay' 'strict-dynamic'", false}, | |
599 }; | |
600 | |
601 // Script-src and style-src differently handle presence of 'strict-dynamic'. | |
602 SourceListDirective scriptSrc("script-src", | |
603 "'strict-dynamic' 'unsafe-inline'", csp.get()); | |
604 EXPECT_FALSE(scriptSrc.allowAllInline()); | |
605 | |
606 SourceListDirective styleSrc("style-src", "'strict-dynamic' 'unsafe-inline'", | |
607 csp.get()); | |
608 EXPECT_TRUE(styleSrc.allowAllInline()); | |
609 | |
610 for (const auto& test : cases) { | |
611 SourceListDirective scriptSrc("script-src", test.sources, csp.get()); | |
612 EXPECT_EQ(scriptSrc.allowAllInline(), test.expected); | |
613 | |
614 SourceListDirective styleSrc("style-src", test.sources, csp.get()); | |
615 EXPECT_EQ(styleSrc.allowAllInline(), test.expected); | |
616 | |
617 // If source list doesn't have a valid type, it must not allow all inline. | |
618 SourceListDirective imgSrc("img-src", test.sources, csp.get()); | |
619 EXPECT_FALSE(imgSrc.allowAllInline()); | |
620 } | |
621 } | |
622 | |
623 TEST_F(SourceListDirectiveTest, SubsumesScriptStyleSrc) { | |
624 struct TestCase { | |
625 bool isScriptSrc; | |
626 String sourcesA; | |
627 std::vector<String> sourcesB; | |
628 bool expected; | |
629 } cases[] = { | |
630 // `sourcesA` allows all inline behavior. | |
631 {false, | |
amalika
2016/11/28 15:22:48
Note that 'strict-dynamic' is not effective here b
| |
632 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", | |
633 {"'unsafe-inline' http://example1.com/foo/bar.html"}, | |
634 true}, | |
635 {true, | |
636 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
637 {"http://example1.com/foo/ 'unsafe-inline'"}, | |
638 true}, | |
639 {true, | |
640 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
641 {"http://example1.com/foo/ 'unsafe-inline' 'nonce-yay'"}, | |
642 true}, | |
643 {true, | |
644 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
645 {"'unsafe-inline' 'sha512-321cba'"}, | |
646 true}, | |
647 {true, | |
648 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
649 {"'unsafe-inline' 'nonce-yay'"}, | |
650 true}, | |
651 {true, | |
652 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
653 {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline'"}, | |
654 true}, | |
655 {true, | |
656 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
657 {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline'", "'strict-dynamic'"}, | |
658 true}, | |
659 {true, | |
660 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
661 {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline' 'nonce-yay'", | |
662 "'strict-dynamic' 'nonce-yay'"}, | |
663 true}, | |
664 // `sourcesA` does not allow all inline behavior. | |
665 {false, | |
666 "http://example1.com/foo/ 'self' 'strict-dynamic'", | |
667 {"'unsafe-inline' http://example1.com/foo/bar.html"}, | |
668 false}, | |
669 {true, "http://example1.com/foo/ 'self'", {"'unsafe-inline'"}, false}, | |
670 {true, | |
671 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
672 {"'unsafe-inline' 'nonce-yay'", "'nonce-yay'"}, | |
673 true}, | |
674 {true, | |
675 "http://example1.com/foo/ 'self'", | |
676 {"'unsafe-inline' https://example.test/"}, | |
677 false}, | |
678 {true, | |
679 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", | |
680 {"'unsafe-inline' https://example.test/"}, | |
681 false}, | |
682 {true, | |
683 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", | |
684 {"'unsafe-inline' 'strict-dynamic'"}, | |
685 true}, | |
686 {true, | |
687 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay'", | |
688 {"'unsafe-inline' 'nonce-yay'"}, | |
689 true}, | |
690 {true, | |
691 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " | |
692 "'nonce-yay'", | |
693 {"'unsafe-inline' 'nonce-yay'"}, | |
694 true}, | |
695 {true, | |
696 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " | |
697 "'nonce-yay'", | |
698 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, | |
699 true}, | |
700 {true, | |
701 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba' " | |
702 "'strict-dynamic'", | |
703 {"'unsafe-inline' 'sha512-321cba'"}, | |
704 true}, | |
705 {true, | |
706 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " | |
707 "'sha512-321cba'", | |
708 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, | |
709 true}, | |
710 {true, | |
711 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
712 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'", | |
713 "http://example1.com/foo/ 'unsafe-inline'"}, | |
714 false}, | |
715 {true, | |
716 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
717 {"http://example1.com/foo/ 'unsafe-inline'", | |
718 "http://example1.com/foo/ 'sha512-321cba'"}, | |
719 true}, | |
720 {true, | |
721 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
722 {"http://example1.com/foo/ 'unsafe-inline'", | |
723 "http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'"}, | |
724 false}, | |
725 {true, | |
726 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
727 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'", | |
728 "http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'"}, | |
729 false}, | |
730 }; | |
731 | |
732 for (const auto& test : cases) { | |
733 SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", | |
734 test.sourcesA, csp.get()); | |
735 ContentSecurityPolicy* cspB = | |
736 SetUpWithOrigin("https://another.test/image.png"); | |
737 | |
738 HeapVector<Member<SourceListDirective>> vectorB; | |
739 for (const auto& sources : test.sourcesB) { | |
740 SourceListDirective* member = new SourceListDirective( | |
741 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | |
742 vectorB.append(member); | |
743 } | |
744 | |
745 EXPECT_EQ(A.subsumes(vectorB), test.expected); | |
746 } | |
747 } | |
748 | |
566 } // namespace blink | 749 } // namespace blink |
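Review bot: The AllowAllInline table lists `{"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}` twice, at lines 580 and 581, so one row exercises nothing; the second was presumably meant to permute the hash and nonce, e.g. `{"http://example1.com/foo/ 'nonce-yay' 'sha512-321cba'", false}`. In the same test the loop-local `scriptSrc` and `styleSrc` at 611 and 614 shadow the directives of the same names declared at 602 and 606, which reads as a mistake even though it compiles; renaming the outer pair (e.g. `strictDynamicScriptSrc` / `strictDynamicStyleSrc`) or wrapping them in their own block would make the intent clear. In SubsumesScriptStyleSrc, the row at 670–673 sits under the `// sourcesA does not allow all inline behavior.` header, yet its `sourcesA` (`"http://example1.com/foo/ 'self' 'unsafe-inline'"`) is the same plain 'unsafe-inline' list used by the first group and it expects true, whereas every other row in that group has a nonce, hash or 'strict-dynamic' alongside 'unsafe-inline' or omits it; it looks like it belongs in the first group. Both test functions lie entirely inside the hunk.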