1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
739 for (const auto& sources : test.sourcesB) { | 739 for (const auto& sources : test.sourcesB) { |
740 SourceListDirective* member = new SourceListDirective( | 740 SourceListDirective* member = new SourceListDirective( |
741 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | 741 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
742 vectorB.append(member); | 742 vectorB.append(member); |
743 } | 743 } |
744 | 744 |
745 EXPECT_EQ(A.subsumes(vectorB), test.expected); | 745 EXPECT_EQ(A.subsumes(vectorB), test.expected); |
746 } | 746 } |
747 } | 747 } |
748 | 748 |
749 TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) { | |
750 struct TestCase { | |
751 bool isScriptSrc; | |
752 String sourcesA; | |
753 std::vector<String> sourcesB; | |
754 bool expected; | |
755 } cases[] = { | |
756 // A or policiesB contain `unsafe-eval`. | |
757 {false, | |
758 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " | |
759 "'unsafe-eval'", | |
760 {"http://example1.com/foo/bar.html 'unsafe-eval'"}, | |
761 true}, | |
762 {true, | |
763 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
764 {"http://example1.com/foo/ 'unsafe-inline'"}, | |
765 false}, | |
766 {true, | |
767 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
768 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"}, | |
769 false}, | |
770 {true, | |
771 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
772 {"http://example1.com/foo/ 'unsafe-eval'", | |
773 "http://example1.com/foo/bar 'self' unsafe-eval'", | |
774 "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, | |
775 true}, | |
776 {true, | |
777 "http://example1.com/foo/ 'self'", | |
778 {"http://example1.com/foo/ 'unsafe-eval'"}, | |
779 false}, | |
780 {true, | |
781 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
782 {"http://example1.com/foo/ 'unsafe-eval'", | |
783 "http://example1.com/foo/bar 'self' 'unsafe-eval'", | |
784 "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, | |
785 false}, | |
786 // A or policiesB contain `unsafe-hashed-attributes`. | |
787 {false, | |
788 "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' " | |
789 "'strict-dynamic' " | |
790 "'unsafe-hashed-attributes'", | |
791 {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"}, | |
792 true}, | |
793 {true, | |
794 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", | |
795 {"http://example1.com/foo/ 'unsafe-inline'"}, | |
796 false}, | |
797 {true, | |
798 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", | |
799 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"}, | |
800 false}, | |
801 {true, | |
802 "http://example1.com/foo/ 'self' 'unsafe-eval' " | |
803 "'unsafe-hashed-attributes'", | |
804 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'", | |
805 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", | |
806 "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"}, | |
807 true}, | |
808 {true, | |
809 "http://example1.com/foo/ 'self'", | |
810 {"http://example1.com/foo/ 'unsafe-hashed-attributes'"}, | |
811 false}, | |
812 {true, | |
813 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
814 {"http://example1.com/foo/ 'unsafe-hashed-attributes'", | |
815 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", | |
816 "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"}, | |
817 false}, | |
818 // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic` | |
819 // only is effective for `script-src` directives. | |
820 {false, | |
821 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
822 {"http://example1.com/foo/bar.html 'strict-dynamic'"}, | |
823 true}, | |
824 {false, | |
825 "http://example1.com/foo/ 'self' 'strict-dynamic'", | |
826 {"http://example1.com/foo/bar.html 'strict-dynamic'"}, | |
827 true}, | |
828 {true, | |
829 "http://example1.com/foo/ 'self' 'strict-dynamic'", | |
830 {"http://example1.com/foo/ 'unsafe-inline'"}, | |
831 false}, | |
832 {true, | |
833 "http://example1.com/foo/ 'self' 'strict-dynamic'", | |
834 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, | |
835 true}, | |
836 {true, | |
837 "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'", | |
838 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' " | |
839 "'strict-dynamic'", | |
840 "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'", | |
841 "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"}, | |
842 true}, | |
843 {true, | |
844 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
845 {"http://example1.com/foo/ 'strict-dynamic'"}, | |
846 false}, | |
847 {true, | |
848 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
849 {"http://example1.com/foo/ 'strict-dynamic'", | |
850 "http://example1.com/foo/bar 'self' 'strict-dynamic'", | |
851 "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, | |
852 true}, | |
amalika
2016/11/29 10:46:03
Just wanted to check with you:
This is a desired b
Mike West
2016/11/29 12:05:48
Hrm. I don't think that's correct, as `strict-dyna
amalika
2016/11/29 13:37:45
From my understanding, then this example would be
| |
853 }; | |
854 | |
855 for (const auto& test : cases) { | |
856 SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", | |
857 test.sourcesA, csp.get()); | |
858 ContentSecurityPolicy* cspB = | |
859 SetUpWithOrigin("https://another.test/image.png"); | |
860 | |
861 HeapVector<Member<SourceListDirective>> vectorB; | |
862 for (const auto& sources : test.sourcesB) { | |
863 SourceListDirective* member = new SourceListDirective( | |
864 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | |
865 vectorB.append(member); | |
866 } | |
867 | |
868 EXPECT_EQ(A.subsumes(vectorB), test.expected); | |
869 } | |
870 } | |
871 | |
749 } // namespace blink | 872 } // namespace blink |
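Review bot: The fourth `unsafe-eval` case in `SubsumesOtherAllowAttributes` (new line 773) is missing the opening quote on `unsafe-eval'`, so that policy never contains the `'unsafe-eval'` keyword the case is meant to exercise; it should read `"http://example1.com/foo/bar 'self' 'unsafe-eval'",`. Because the case expects `true` either way, the typo is silent: the malformed token is presumably rejected by the source-list parser and the remaining `http://example1.com/foo/bar 'self'` list is still subsumed, so the test passes without covering the keyword path. Every sibling case in this table (e.g. new lines 783, 805) quotes the keyword correctly, so this is an isolated data error rather than an intentional negative case; if a malformed-keyword case is wanted, it deserves its own entry with a comment saying so.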