1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
735 for (const auto& sources : test.sourcesB) { | 735 for (const auto& sources : test.sourcesB) { |
736 SourceListDirective* member = new SourceListDirective( | 736 SourceListDirective* member = new SourceListDirective( |
737 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | 737 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
738 vectorB.append(member); | 738 vectorB.append(member); |
739 } | 739 } |
740 | 740 |
741 EXPECT_EQ(A.subsumes(vectorB), test.expected); | 741 EXPECT_EQ(A.subsumes(vectorB), test.expected); |
742 } | 742 } |
743 } | 743 } |
744 | 744 |
745 TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) { | |
746 struct TestCase { | |
747 bool isScriptSrc; | |
748 String sourcesA; | |
749 std::vector<String> sourcesB; | |
750 bool expected; | |
751 } cases[] = { | |
752 // A or policiesB contain `unsafe-eval`. | |
753 {false, | |
754 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " | |
755 "'unsafe-eval'", | |
756 {"http://example1.com/foo/bar.html 'unsafe-eval'"}, | |
757 true}, | |
758 {true, | |
759 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
760 {"http://example1.com/foo/ 'unsafe-inline'"}, | |
761 false}, | |
762 {true, | |
763 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
764 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"}, | |
765 false}, | |
766 {true, | |
767 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
768 {"http://example1.com/foo/ 'unsafe-eval'", | |
769 "http://example1.com/foo/bar 'self' unsafe-eval'", | |
770 "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, | |
771 true}, | |
772 {true, | |
773 "http://example1.com/foo/ 'self'", | |
774 {"http://example1.com/foo/ 'unsafe-eval'"}, | |
775 false}, | |
776 {true, | |
777 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
778 {"http://example1.com/foo/ 'unsafe-eval'", | |
779 "http://example1.com/foo/bar 'self' 'unsafe-eval'", | |
780 "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, | |
781 false}, | |
782 // A or policiesB contain `unsafe-hashed-attributes`. | |
783 {false, | |
784 "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' " | |
785 "'strict-dynamic' " | |
786 "'unsafe-hashed-attributes'", | |
787 {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"}, | |
788 true}, | |
789 {true, | |
790 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", | |
791 {"http://example1.com/foo/ 'unsafe-inline'"}, | |
792 false}, | |
793 {true, | |
794 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", | |
795 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"}, | |
796 false}, | |
797 {true, | |
798 "http://example1.com/foo/ 'self' 'unsafe-eval' " | |
799 "'unsafe-hashed-attributes'", | |
800 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'", | |
801 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", | |
802 "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"}, | |
803 true}, | |
804 {true, | |
805 "http://example1.com/foo/ 'self'", | |
806 {"http://example1.com/foo/ 'unsafe-hashed-attributes'"}, | |
807 false}, | |
808 {true, | |
809 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
810 {"http://example1.com/foo/ 'unsafe-hashed-attributes'", | |
811 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", | |
812 "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"}, | |
813 false}, | |
814 // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic` | |
815 // only is effective for `script-src` directives. | |
816 {false, | |
817 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
818 {"http://example1.com/foo/bar.html 'strict-dynamic'"}, | |
819 true}, | |
820 {false, | |
821 "http://example1.com/foo/ 'self' 'strict-dynamic'", | |
822 {"http://example1.com/foo/bar.html 'strict-dynamic'"}, | |
823 true}, | |
824 {true, | |
825 "http://example1.com/foo/ 'self' 'strict-dynamic'", | |
826 {"http://example1.com/foo/ 'unsafe-inline'"}, | |
827 false}, | |
828 {true, | |
829 "http://example1.com/foo/ 'self' 'strict-dynamic'", | |
830 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, | |
831 true}, | |
832 {true, | |
833 "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'", | |
834 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' " | |
835 "'strict-dynamic'", | |
836 "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'", | |
837 "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"}, | |
838 true}, | |
839 {true, | |
840 "http://example1.com/foo/ 'self' 'unsafe-eval'", | |
841 {"http://example1.com/foo/ 'strict-dynamic'"}, | |
842 false}, | |
843 {true, | |
844 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
845 {"http://example1.com/foo/ 'strict-dynamic'", | |
846 "http://example1.com/foo/bar 'self' 'strict-dynamic'", | |
847 "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, | |
848 true}, | |
Mike West
2016/11/30 10:12:53
Why is this true?
The group of sources looks like
| |
849 {true, | |
850 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay'", | |
851 {"http://example1.com/foo/ 'strict-dynamic'", | |
852 "http://example1.com/foo/bar 'self' 'strict-dynamic'", | |
853 "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, | |
854 false}, | |
855 {true, | |
856 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' " | |
857 "'strict-dynamic'", | |
858 {"http://example1.com/foo/ 'strict-dynamic'", | |
859 "http://example1.com/foo/bar 'self' 'strict-dynamic'", | |
860 "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, | |
861 true}, | |
862 }; | |
863 | |
864 for (const auto& test : cases) { | |
865 SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", | |
866 test.sourcesA, csp.get()); | |
867 ContentSecurityPolicy* cspB = | |
868 SetUpWithOrigin("https://another.test/image.png"); | |
869 | |
870 HeapVector<Member<SourceListDirective>> vectorB; | |
871 for (const auto& sources : test.sourcesB) { | |
872 SourceListDirective* member = new SourceListDirective( | |
873 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | |
874 vectorB.append(member); | |
875 } | |
876 | |
877 EXPECT_EQ(A.subsumes(vectorB), test.expected); | |
878 } | |
879 } | |
880 | |
745 } // namespace blink | 881 } // namespace blink |
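Review bot: The third `unsafe-eval` case (new line 769) has a typo in the second B policy, `"http://example1.com/foo/bar 'self' unsafe-eval'"` — the opening quote is missing, so `unsafe-eval'` is not the keyword but a malformed host source that the source-list parser presumably drops with a console error. That policy then no longer allows eval at all, and the case degenerates into the "not every B policy allows eval" shape, which A subsumes trivially; the expected `true` holds but for the wrong reason, and the intended check (A with `'unsafe-eval'` subsuming a B set where every policy also carries `'unsafe-eval'`, parallel to the `'unsafe-hashed-attributes'` case on line 801) is never exercised. The fix is the one character: `"http://example1.com/foo/bar 'self' 'unsafe-eval'",`. As a point of style, the set-up loop on lines 864-878 is a verbatim copy of the one ending on line 742 in the preceding test; a small fixture helper taking the `TestCase` and returning `A.subsumes(vectorB)` would keep the two tests from drifting apart.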