| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
| 6 | 6 |
| 7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
| 9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
| 556 new SourceListDirective("script-src", sources, cspB); | 556 new SourceListDirective("script-src", sources, cspB); |
| 557 vectorB.append(member); | 557 vectorB.append(member); |
| 558 } | 558 } |
| 559 | 559 |
| 560 EXPECT_EQ(A.subsumes(vectorB), test.expected); | 560 EXPECT_EQ(A.subsumes(vectorB), test.expected); |
| 561 // If emptyA is empty, any vectorB should be subsumed by it. | 561 // If emptyA is empty, any vectorB should be subsumed by it. |
| 562 EXPECT_TRUE(emptyA.subsumes(vectorB)); | 562 EXPECT_TRUE(emptyA.subsumes(vectorB)); |
| 563 } | 563 } |
| 564 } | 564 } |
| 565 | 565 |
| 566 TEST_F(SourceListDirectiveTest, AllowAllInline) { | |
| 567 struct TestCase { | |
| 568 String sources; | |
| 569 bool expected; | |
| 570 } cases[] = { | |
| 571 // List does not contain 'unsafe-inline'. | |
| 572 {"http://example1.com/foo/", false}, | |
| 573 {"'sha512-321cba'", false}, | |
| 574 {"'nonce-yay'", false}, | |
| 575 {"'strict-dynamic'", false}, | |
| 576 {"'sha512-321cba' http://example1.com/foo/", false}, | |
| 577 {"http://example1.com/foo/ 'sha512-321cba'", false}, | |
| 578 {"http://example1.com/foo/ 'nonce-yay'", false}, | |
| 579 {"'sha512-321cba' 'nonce-yay'", false}, | |
| 580 {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}, | |
| 581 {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}, | |
| 582 {" 'sha512-321cba' 'nonce-yay' 'strict-dynamic'", false}, | |
| 583 // List contains 'unsafe-inline'. | |
| 584 {"'unsafe-inline'", true}, | |
| 585 {"'self' 'unsafe-inline'", true}, | |
| 586 {"'unsafe-inline' http://example1.com/foo/", true}, | |
| 587 {"'sha512-321cba' 'unsafe-inline'", false}, | |
| 588 {"'nonce-yay' 'unsafe-inline'", false}, | |
| 589 {"'strict-dynamic' 'unsafe-inline' 'nonce-yay'", false}, | |
| 590 {"'sha512-321cba' http://example1.com/foo/ 'unsafe-inline'", false}, | |
| 591 {"http://example1.com/foo/ 'sha512-321cba' 'unsafe-inline'", false}, | |
| 592 {"http://example1.com/foo/ 'nonce-yay' 'unsafe-inline'", false}, | |
| 593 {"'sha512-321cba' 'nonce-yay' 'unsafe-inline'", false}, | |
| 594 {"http://example1.com/foo/ 'sha512-321cba' 'unsafe-inline' 'nonce-yay'", | |
| 595 false}, | |
| 596 {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay' 'unsafe-inline'", | |
| 597 false}, | |
| 598 {" 'sha512-321cba' 'unsafe-inline' 'nonce-yay' 'strict-dynamic'", false}, | |
| 599 }; | |
| 600 | |
| 601 // Script-src and style-src differently handle presence of 'strict-dynamic'. | |
| 602 SourceListDirective scriptSrc("script-src", | |
| 603 "'strict-dynamic' 'unsafe-inline'", csp.get()); | |
| 604 EXPECT_FALSE(scriptSrc.allowAllInline()); | |
| 605 | |
| 606 SourceListDirective styleSrc("style-src", "'strict-dynamic' 'unsafe-inline'", | |
| 607 csp.get()); | |
| 608 EXPECT_TRUE(styleSrc.allowAllInline()); | |
| 609 | |
| 610 for (const auto& test : cases) { | |
| 611 SourceListDirective scriptSrc("script-src", test.sources, csp.get()); | |
| 612 EXPECT_EQ(scriptSrc.allowAllInline(), test.expected); | |
| 613 | |
| 614 SourceListDirective styleSrc("style-src", test.sources, csp.get()); | |
| 615 EXPECT_EQ(styleSrc.allowAllInline(), test.expected); | |
| 616 | |
| 617 // If source list doesn't have a valid type, it must not allow all inline. | |
| 618 SourceListDirective imgSrc("img-src", test.sources, csp.get()); | |
| 619 EXPECT_FALSE(imgSrc.allowAllInline()); | |
| 620 } | |
| 621 } | |
| 622 | |
| 623 TEST_F(SourceListDirectiveTest, SubsumesScriptStyleSrc) { | |
| 624 struct TestCase { | |
| 625 bool isScriptSrc; | |
| 626 String sourcesA; | |
| 627 std::vector<String> sourcesB; | |
| 628 bool expected; | |
| 629 } cases[] = { | |
| 630 // `sourcesA` allows all inline behavior. | |
| 631 {false, | |
|
amalika
2016/11/28 15:22:48
Note that 'strict-dynamic' is not effective here b
| |
| 632 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", | |
| 633 {"'unsafe-inline' http://example1.com/foo/bar.html"}, | |
| 634 true}, | |
| 635 {true, | |
| 636 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
| 637 {"http://example1.com/foo/ 'unsafe-inline'"}, | |
| 638 true}, | |
| 639 {true, | |
| 640 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
| 641 {"http://example1.com/foo/ 'unsafe-inline' 'nonce-yay'"}, | |
| 642 true}, | |
| 643 {true, | |
| 644 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
| 645 {"'unsafe-inline' 'sha512-321cba'"}, | |
| 646 true}, | |
| 647 {true, | |
| 648 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
| 649 {"'unsafe-inline' 'nonce-yay'"}, | |
| 650 true}, | |
| 651 {true, | |
| 652 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
| 653 {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline'"}, | |
| 654 true}, | |
| 655 {true, | |
| 656 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
| 657 {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline'", "'strict-dynamic'"}, | |
| 658 true}, | |
| 659 {true, | |
| 660 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
| 661 {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline' 'nonce-yay'", | |
| 662 "'strict-dynamic' 'nonce-yay'"}, | |
| 663 true}, | |
| 664 // `sourcesA` does not allow all inline behavior. | |
| 665 {false, | |
| 666 "http://example1.com/foo/ 'self' 'strict-dynamic'", | |
| 667 {"'unsafe-inline' http://example1.com/foo/bar.html"}, | |
| 668 false}, | |
| 669 {true, "http://example1.com/foo/ 'self'", {"'unsafe-inline'"}, false}, | |
| 670 {true, | |
| 671 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
| 672 {"'unsafe-inline' 'nonce-yay'", "'nonce-yay'"}, | |
| 673 true}, | |
| 674 {true, | |
| 675 "http://example1.com/foo/ 'self'", | |
| 676 {"'unsafe-inline' https://example.test/"}, | |
| 677 false}, | |
| 678 {true, | |
| 679 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", | |
| 680 {"'unsafe-inline' https://example.test/"}, | |
| 681 false}, | |
| 682 {true, | |
| 683 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", | |
| 684 {"'unsafe-inline' 'strict-dynamic'"}, | |
| 685 true}, | |
| 686 {true, | |
| 687 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay'", | |
| 688 {"'unsafe-inline' 'nonce-yay'"}, | |
| 689 true}, | |
| 690 {true, | |
| 691 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " | |
| 692 "'nonce-yay'", | |
| 693 {"'unsafe-inline' 'nonce-yay'"}, | |
| 694 true}, | |
| 695 {true, | |
| 696 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " | |
| 697 "'nonce-yay'", | |
| 698 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, | |
| 699 true}, | |
| 700 {true, | |
| 701 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba' " | |
| 702 "'strict-dynamic'", | |
| 703 {"'unsafe-inline' 'sha512-321cba'"}, | |
| 704 true}, | |
| 705 {true, | |
| 706 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " | |
| 707 "'sha512-321cba'", | |
| 708 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, | |
| 709 true}, | |
| 710 {true, | |
| 711 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
| 712 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'", | |
| 713 "http://example1.com/foo/ 'unsafe-inline'"}, | |
| 714 false}, | |
| 715 {true, | |
| 716 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
| 717 {"http://example1.com/foo/ 'unsafe-inline'", | |
| 718 "http://example1.com/foo/ 'sha512-321cba'"}, | |
| 719 true}, | |
| 720 {true, | |
| 721 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
| 722 {"http://example1.com/foo/ 'unsafe-inline'", | |
| 723 "http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'"}, | |
| 724 false}, | |
| 725 {true, | |
| 726 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
| 727 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'", | |
| 728 "http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'"}, | |
| 729 false}, | |
| 730 }; | |
| 731 | |
| 732 for (const auto& test : cases) { | |
| 733 SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", | |
| 734 test.sourcesA, csp.get()); | |
| 735 ContentSecurityPolicy* cspB = | |
| 736 SetUpWithOrigin("https://another.test/image.png"); | |
| 737 | |
| 738 HeapVector<Member<SourceListDirective>> vectorB; | |
| 739 for (const auto& sources : test.sourcesB) { | |
| 740 SourceListDirective* member = new SourceListDirective( | |
| 741 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | |
| 742 vectorB.append(member); | |
| 743 } | |
| 744 | |
| 745 EXPECT_EQ(A.subsumes(vectorB), test.expected); | |
| 746 } | |
| 747 } | |
| 748 | |
| 566 } // namespace blink | 749 } // namespace blink |
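Review bot: The case table in AllowAllInline contains the same entry twice, at new lines 580 and 581, `{"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}`, so the second one adds no coverage; either drop it or turn it into a distinct ordering such as `{"'nonce-yay' http://example1.com/foo/ 'sha512-321cba'", false}` so that the hash-plus-nonce combination is exercised independent of token order. In SubsumesScriptStyleSrc the group heading at line 664 (sourcesA does not allow all inline behavior) does not fit the case at lines 670-673, whose sourcesA is `http://example1.com/foo/ 'self' 'unsafe-inline'` with no nonce, hash or 'strict-dynamic' and whose expected result is true; that entry belongs under the first heading, or the second heading should say that the group also covers lists where sourcesB carries a nonce or hash that sourcesA does not. Both tables otherwise encode the rule that a nonce or hash source, and for script-src 'strict-dynamic', neutralises 'unsafe-inline', which is what the explicit checks at lines 602-608 assert for allowAllInline(); a one-line comment above the tables stating that rule would make the false expectations at lines 587-598 self-explanatory.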