
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2538623003: Part 3.4: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: Created 4 years ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "core/frame/csp/SourceListDirective.h" 5 #include "core/frame/csp/SourceListDirective.h"
6 6
7 #include "core/dom/Document.h" 7 #include "core/dom/Document.h"
8 #include "core/frame/csp/CSPSource.h" 8 #include "core/frame/csp/CSPSource.h"
9 #include "core/frame/csp/ContentSecurityPolicy.h" 9 #include "core/frame/csp/ContentSecurityPolicy.h"
10 #include "platform/network/ResourceRequest.h" 10 #include "platform/network/ResourceRequest.h"
(...skipping 728 matching lines...) Expand 10 before | Expand all | Expand 10 after
739 for (const auto& sources : test.sourcesB) { 739 for (const auto& sources : test.sourcesB) {
740 SourceListDirective* member = new SourceListDirective( 740 SourceListDirective* member = new SourceListDirective(
741 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); 741 test.isScriptSrc ? "script-src" : "style-src", sources, cspB);
742 vectorB.append(member); 742 vectorB.append(member);
743 } 743 }
744 744
745 EXPECT_EQ(A.subsumes(vectorB), test.expected); 745 EXPECT_EQ(A.subsumes(vectorB), test.expected);
746 } 746 }
747 } 747 }
748 748
749 TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) {
750 struct TestCase {
751 bool isScriptSrc;
752 String sourcesA;
753 std::vector<String> sourcesB;
754 bool expected;
755 } cases[] = {
756 // A or policiesB contain `unsafe-eval`.
757 {false,
758 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' "
759 "'unsafe-eval'",
760 {"http://example1.com/foo/bar.html 'unsafe-eval'"},
761 true},
762 {true,
763 "http://example1.com/foo/ 'self' 'unsafe-eval'",
764 {"http://example1.com/foo/ 'unsafe-inline'"},
765 false},
766 {true,
767 "http://example1.com/foo/ 'self' 'unsafe-eval'",
768 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"},
769 false},
770 {true,
771 "http://example1.com/foo/ 'self' 'unsafe-eval'",
772 {"http://example1.com/foo/ 'unsafe-eval'",
773 "http://example1.com/foo/bar 'self' unsafe-eval'",
774 "http://non-example.com/foo/ 'unsafe-eval' 'self'"},
775 true},
776 {true,
777 "http://example1.com/foo/ 'self'",
778 {"http://example1.com/foo/ 'unsafe-eval'"},
779 false},
780 {true,
781 "http://example1.com/foo/ 'self' 'unsafe-inline'",
782 {"http://example1.com/foo/ 'unsafe-eval'",
783 "http://example1.com/foo/bar 'self' 'unsafe-eval'",
784 "http://non-example.com/foo/ 'unsafe-eval' 'self'"},
785 false},
786 // A or policiesB contain `unsafe-hashed-attributes`.
787 {false,
788 "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' "
789 "'strict-dynamic' "
790 "'unsafe-hashed-attributes'",
791 {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"},
792 true},
793 {true,
794 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
795 {"http://example1.com/foo/ 'unsafe-inline'"},
796 false},
797 {true,
798 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
799 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"},
800 false},
801 {true,
802 "http://example1.com/foo/ 'self' 'unsafe-eval' "
803 "'unsafe-hashed-attributes'",
804 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'",
805 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",
806 "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"},
807 true},
808 {true,
809 "http://example1.com/foo/ 'self'",
810 {"http://example1.com/foo/ 'unsafe-hashed-attributes'"},
811 false},
812 {true,
813 "http://example1.com/foo/ 'self' 'unsafe-inline'",
814 {"http://example1.com/foo/ 'unsafe-hashed-attributes'",
815 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",
816 "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"},
817 false},
818 // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic`
819 // only is effective for `script-src` directives.
820 {false,
821 "http://example1.com/foo/ 'self' 'unsafe-eval'",
822 {"http://example1.com/foo/bar.html 'strict-dynamic'"},
823 true},
824 {false,
825 "http://example1.com/foo/ 'self' 'strict-dynamic'",
826 {"http://example1.com/foo/bar.html 'strict-dynamic'"},
827 true},
828 {true,
829 "http://example1.com/foo/ 'self' 'strict-dynamic'",
830 {"http://example1.com/foo/ 'unsafe-inline'"},
831 false},
832 {true,
833 "http://example1.com/foo/ 'self' 'strict-dynamic'",
834 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"},
835 true},
836 {true,
837 "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'",
838 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' "
839 "'strict-dynamic'",
840 "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'",
841 "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"},
842 true},
843 {true,
844 "http://example1.com/foo/ 'self' 'unsafe-eval'",
845 {"http://example1.com/foo/ 'strict-dynamic'"},
846 false},
847 {true,
848 "http://example1.com/foo/ 'self' 'unsafe-inline'",
849 {"http://example1.com/foo/ 'strict-dynamic'",
850 "http://example1.com/foo/bar 'self' 'strict-dynamic'",
851 "https://example1.com/foo/bar 'strict-dynamic' 'self'"},
852 true},
amalika 2016/11/29 10:46:03 Just wanted to check with you: This is a desired b
Mike West 2016/11/29 12:05:48 Hrm. I don't think that's correct, as `strict-dyna
amalika 2016/11/29 13:37:45 From my understanding, then this example would be
853 };
854
855 for (const auto& test : cases) {
856 SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src",
857 test.sourcesA, csp.get());
858 ContentSecurityPolicy* cspB =
859 SetUpWithOrigin("https://another.test/image.png");
860
861 HeapVector<Member<SourceListDirective>> vectorB;
862 for (const auto& sources : test.sourcesB) {
863 SourceListDirective* member = new SourceListDirective(
864 test.isScriptSrc ? "script-src" : "style-src", sources, cspB);
865 vectorB.append(member);
866 }
867
868 EXPECT_EQ(A.subsumes(vectorB), test.expected);
869 }
870 }
871
749 } // namespace blink 872 } // namespace blink
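Review bot: The source string on new-side line 773, `"http://example1.com/foo/bar 'self' unsafe-eval'"`, is missing the opening quote of the keyword, so that entry is presumably parsed as a malformed host source rather than as `'unsafe-eval'`, and the case does not exercise what the section comment "A or policiesB contain `unsafe-eval`" says it does; the parallel case on line 783 spells it `'self' 'unsafe-eval'`. Change the line to `"http://example1.com/foo/bar 'self' 'unsafe-eval'",`. Because a `policiesB` entry that actually grants `'unsafe-eval'` changes the subsumption input, the expected `true` for that case should be re-confirmed by running the test after the fix. The enclosing `TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes)` lies entirely within this section.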
