third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp - Issue 2538623003: Part 3.4: Is policy list subsumed under subsuming policy?

Side by Side Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2538623003: Part 3.4: Is policy list subsumed under subsuming policy? (Closed)

Patch Set: More test cases Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "core/frame/csp/SourceListDirective.h"	5 #include "core/frame/csp/SourceListDirective.h"

6	6

7 #include "core/dom/Document.h"	7 #include "core/dom/Document.h"

8 #include "core/frame/csp/CSPSource.h"	8 #include "core/frame/csp/CSPSource.h"

9 #include "core/frame/csp/ContentSecurityPolicy.h"	9 #include "core/frame/csp/ContentSecurityPolicy.h"

10 #include "platform/network/ResourceRequest.h"	10 #include "platform/network/ResourceRequest.h"

(...skipping 724 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
735 for (const auto& sources : test.sourcesB) {	735 for (const auto& sources : test.sourcesB) {

736 SourceListDirective* member = new SourceListDirective(	736 SourceListDirective* member = new SourceListDirective(

737 test.isScriptSrc ? "script-src" : "style-src", sources, cspB);	737 test.isScriptSrc ? "script-src" : "style-src", sources, cspB);

738 vectorB.append(member);	738 vectorB.append(member);

739 }	739 }

740	740

741 EXPECT_EQ(A.subsumes(vectorB), test.expected);	741 EXPECT_EQ(A.subsumes(vectorB), test.expected);

742 }	742 }

743 }	743 }

744	744

	745 TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) {

	746 struct TestCase {

	747 bool isScriptSrc;

	748 String sourcesA;

	749 std::vector<String> sourcesB;

	750 bool expected;

	751 } cases[] = {

	752 // A or policiesB contain `unsafe-eval`.

	753 {false,

	754 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' "

	755 "'unsafe-eval'",

	756 {"http://example1.com/foo/bar.html 'unsafe-eval'"},

	757 true},

	758 {true,

	759 "http://example1.com/foo/ 'self' 'unsafe-eval'",

	760 {"http://example1.com/foo/ 'unsafe-inline'"},

	761 false},

	762 {true,

	763 "http://example1.com/foo/ 'self' 'unsafe-eval'",

	764 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"},

	765 false},

	766 {true,

	767 "http://example1.com/foo/ 'self' 'unsafe-eval'",

	768 {"http://example1.com/foo/ 'unsafe-eval'",

	769 "http://example1.com/foo/bar 'self' unsafe-eval'",

	770 "http://non-example.com/foo/ 'unsafe-eval' 'self'"},

	771 true},

	772 {true,

	773 "http://example1.com/foo/ 'self'",

	774 {"http://example1.com/foo/ 'unsafe-eval'"},

	775 false},

	776 {true,

	777 "http://example1.com/foo/ 'self' 'unsafe-inline'",

	778 {"http://example1.com/foo/ 'unsafe-eval'",

	779 "http://example1.com/foo/bar 'self' 'unsafe-eval'",

	780 "http://non-example.com/foo/ 'unsafe-eval' 'self'"},

	781 false},

	782 // A or policiesB contain `unsafe-hashed-attributes`.

	783 {false,

	784 "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' "

	785 "'strict-dynamic' "

	786 "'unsafe-hashed-attributes'",

	787 {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"},

	788 true},

	789 {true,

	790 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",

	791 {"http://example1.com/foo/ 'unsafe-inline'"},

	792 false},

	793 {true,

	794 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",

	795 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"},

	796 false},

	797 {true,

	798 "http://example1.com/foo/ 'self' 'unsafe-eval' "

	799 "'unsafe-hashed-attributes'",

	800 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'",

	801 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",

	802 "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"},

	803 true},

	804 {true,

	805 "http://example1.com/foo/ 'self'",

	806 {"http://example1.com/foo/ 'unsafe-hashed-attributes'"},

	807 false},

	808 {true,

	809 "http://example1.com/foo/ 'self' 'unsafe-inline'",

	810 {"http://example1.com/foo/ 'unsafe-hashed-attributes'",

	811 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",

	812 "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"},

	813 false},

	814 // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic`

	815 // only is effective for `script-src` directives.

	816 {false,

	817 "http://example1.com/foo/ 'self' 'unsafe-eval'",

	818 {"http://example1.com/foo/bar.html 'strict-dynamic'"},

	819 true},

	820 {false,

	821 "http://example1.com/foo/ 'self' 'strict-dynamic'",

	822 {"http://example1.com/foo/bar.html 'strict-dynamic'"},

	823 true},

	824 {true,

	825 "http://example1.com/foo/ 'self' 'strict-dynamic'",

	826 {"http://example1.com/foo/ 'unsafe-inline'"},

	827 false},

	828 {true,

	829 "http://example1.com/foo/ 'self' 'strict-dynamic'",

	830 {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"},

	831 true},

	832 {true,

	833 "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'",

	834 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' "

	835 "'strict-dynamic'",

	836 "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'",

	837 "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"},

	838 true},

	839 {true,

	840 "http://example1.com/foo/ 'self' 'unsafe-eval'",

	841 {"http://example1.com/foo/ 'strict-dynamic'"},

	842 false},

	843 {true,

	844 "http://example1.com/foo/ 'self' 'unsafe-inline'",

	845 {"http://example1.com/foo/ 'strict-dynamic'",

	846 "http://example1.com/foo/bar 'self' 'strict-dynamic'",

	847 "https://example1.com/foo/bar 'strict-dynamic' 'self'"},

	848 true},
	Mike West 2016/11/30 10:12:53 Why is this true? The group of sources looks like Why is this true? The group of sources looks like it boils down to something like `https://example1.com/foo/bar 'strict-dynamic'`. That allows a different set of sources than `http://example1.com/foo/ 'self' 'unsafe-inline'`, as `'strict-dynamic'` means that a script loaded from `https://example1.com/foo/bar/script.js` could load `https://evil.com/script.js`.
	849 {true,

	850 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay'",

	851 {"http://example1.com/foo/ 'strict-dynamic'",

	852 "http://example1.com/foo/bar 'self' 'strict-dynamic'",

	853 "https://example1.com/foo/bar 'strict-dynamic' 'self'"},

	854 false},

	855 {true,

	856 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' "

	857 "'strict-dynamic'",

	858 {"http://example1.com/foo/ 'strict-dynamic'",

	859 "http://example1.com/foo/bar 'self' 'strict-dynamic'",

	860 "https://example1.com/foo/bar 'strict-dynamic' 'self'"},

	861 true},

	862 };

	863

	864 for (const auto& test : cases) {

	865 SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src",

	866 test.sourcesA, csp.get());

	867 ContentSecurityPolicy* cspB =

	868 SetUpWithOrigin("https://another.test/image.png");

	869

	870 HeapVector<Member<SourceListDirective>> vectorB;

	871 for (const auto& sources : test.sourcesB) {

	872 SourceListDirective* member = new SourceListDirective(

	873 test.isScriptSrc ? "script-src" : "style-src", sources, cspB);

	874 vectorB.append(member);

	875 }

	876

	877 EXPECT_EQ(A.subsumes(vectorB), test.expected);

	878 }

	879 }

	880

745 } // namespace blink	881 } // namespace blink

OLD	NEW

« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp ('k') | no next file » | no next file with comments »