Chromium Code Reviews Chromium Code Reviews
Issue 2536713002:
Part 3.3: Is policy list subsumed under subsuming policy? (Closed)
| Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| index 82361260cdf03b33341d82a1958de440f37b2871..54c2b35236f2e4e6c2778c7454ee2d129a0293be 100644 |
| --- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| +++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| @@ -563,4 +563,187 @@ TEST_F(SourceListDirectiveTest, SubsumesWithSelf) { |
| } |
| } |
| +TEST_F(SourceListDirectiveTest, AllowAllInline) { |
| + struct TestCase { |
| + String sources; |
| + bool expected; |
| + } cases[] = { |
| + // List does not contain 'unsafe-inline'. |
| + {"http://example1.com/foo/", false}, |
| + {"'sha512-321cba'", false}, |
| + {"'nonce-yay'", false}, |
| + {"'strict-dynamic'", false}, |
| + {"'sha512-321cba' http://example1.com/foo/", false}, |
| + {"http://example1.com/foo/ 'sha512-321cba'", false}, |
| + {"http://example1.com/foo/ 'nonce-yay'", false}, |
| + {"'sha512-321cba' 'nonce-yay'", false}, |
| + {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}, |
| + {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}, |
| + {" 'sha512-321cba' 'nonce-yay' 'strict-dynamic'", false}, |
| + // List contains 'unsafe-inline'. |
| + {"'unsafe-inline'", true}, |
| + {"'self' 'unsafe-inline'", true}, |
| + {"'unsafe-inline' http://example1.com/foo/", true}, |
| + {"'sha512-321cba' 'unsafe-inline'", false}, |
| + {"'nonce-yay' 'unsafe-inline'", false}, |
| + {"'strict-dynamic' 'unsafe-inline' 'nonce-yay'", false}, |
| + {"'sha512-321cba' http://example1.com/foo/ 'unsafe-inline'", false}, |
| + {"http://example1.com/foo/ 'sha512-321cba' 'unsafe-inline'", false}, |
| + {"http://example1.com/foo/ 'nonce-yay' 'unsafe-inline'", false}, |
| + {"'sha512-321cba' 'nonce-yay' 'unsafe-inline'", false}, |
| + {"http://example1.com/foo/ 'sha512-321cba' 'unsafe-inline' 'nonce-yay'", |
| + false}, |
| + {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay' 'unsafe-inline'", |
| + false}, |
| + {" 'sha512-321cba' 'unsafe-inline' 'nonce-yay' 'strict-dynamic'", false}, |
| + }; |
| + |
| + // Script-src and style-src differently handle presence of 'strict-dynamic'. |
| + SourceListDirective scriptSrc("script-src", |
| + "'strict-dynamic' 'unsafe-inline'", csp.get()); |
| + EXPECT_FALSE(scriptSrc.allowAllInline()); |
| + |
| + SourceListDirective styleSrc("style-src", "'strict-dynamic' 'unsafe-inline'", |
| + csp.get()); |
| + EXPECT_TRUE(styleSrc.allowAllInline()); |
| + |
| + for (const auto& test : cases) { |
| + SourceListDirective scriptSrc("script-src", test.sources, csp.get()); |
| + EXPECT_EQ(scriptSrc.allowAllInline(), test.expected); |
| + |
| + SourceListDirective styleSrc("style-src", test.sources, csp.get()); |
| + EXPECT_EQ(styleSrc.allowAllInline(), test.expected); |
| + |
| + // If source list doesn't have a valid type, it must not allow all inline. |
| + SourceListDirective imgSrc("img-src", test.sources, csp.get()); |
| + EXPECT_FALSE(imgSrc.allowAllInline()); |
| + } |
| +} |
| + |
| +TEST_F(SourceListDirectiveTest, SubsumesScriptStyleSrc) { |
| + struct TestCase { |
| + bool isScriptSrc; |
| + String sourcesA; |
| + std::vector<String> sourcesB; |
| + bool expected; |
| + } cases[] = { |
| + // `sourcesA` allows all inline behavior. |
| + {false, |
|
amalika
2016/11/28 15:22:48
Note that 'strict-dynamic' is not effective here b
|
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", |
| + {"'unsafe-inline' http://example1.com/foo/bar.html"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"http://example1.com/foo/ 'unsafe-inline'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"http://example1.com/foo/ 'unsafe-inline' 'nonce-yay'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"'unsafe-inline' 'sha512-321cba'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"'unsafe-inline' 'nonce-yay'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline'", "'strict-dynamic'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"'unsafe-inline' 'nonce-yay'", "'unsafe-inline' 'nonce-yay'", |
| + "'strict-dynamic' 'nonce-yay'"}, |
| + true}, |
| + // `sourcesA` does not allow all inline behavior. |
| + {false, |
| + "http://example1.com/foo/ 'self' 'strict-dynamic'", |
| + {"'unsafe-inline' http://example1.com/foo/bar.html"}, |
| + false}, |
| + {true, "http://example1.com/foo/ 'self'", {"'unsafe-inline'"}, false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"'unsafe-inline' 'nonce-yay'", "'nonce-yay'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self'", |
| + {"'unsafe-inline' https://example.test/"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", |
| + {"'unsafe-inline' https://example.test/"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", |
| + {"'unsafe-inline' 'strict-dynamic'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay'", |
| + {"'unsafe-inline' 'nonce-yay'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " |
| + "'nonce-yay'", |
| + {"'unsafe-inline' 'nonce-yay'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " |
| + "'nonce-yay'", |
| + {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba' " |
| + "'strict-dynamic'", |
| + {"'unsafe-inline' 'sha512-321cba'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " |
| + "'sha512-321cba'", |
| + {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", |
| + {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'", |
| + "http://example1.com/foo/ 'unsafe-inline'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", |
| + {"http://example1.com/foo/ 'unsafe-inline'", |
| + "http://example1.com/foo/ 'sha512-321cba'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", |
| + {"http://example1.com/foo/ 'unsafe-inline'", |
| + "http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", |
| + {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'", |
| + "http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'"}, |
| + false}, |
| + }; |
| + |
| + for (const auto& test : cases) { |
| + SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", |
| + test.sourcesA, csp.get()); |
| + ContentSecurityPolicy* cspB = |
| + SetUpWithOrigin("https://another.test/image.png"); |
| + |
| + HeapVector<Member<SourceListDirective>> vectorB; |
| + for (const auto& sources : test.sourcesB) { |
| + SourceListDirective* member = new SourceListDirective( |
| + test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
| + vectorB.append(member); |
| + } |
| + |
| + EXPECT_EQ(A.subsumes(vectorB), test.expected); |
| + } |
| +} |
| + |
| } // namespace blink |
