1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
723 for (const auto& sources : test.sourcesB) { | 723 for (const auto& sources : test.sourcesB) { |
724 SourceListDirective* member = new SourceListDirective( | 724 SourceListDirective* member = new SourceListDirective( |
725 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | 725 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
726 vectorB.append(member); | 726 vectorB.append(member); |
727 } | 727 } |
728 | 728 |
729 EXPECT_EQ(A.subsumes(vectorB), test.expected); | 729 EXPECT_EQ(A.subsumes(vectorB), test.expected); |
730 } | 730 } |
731 } | 731 } |
732 | 732 |
| 733 TEST_F(SourceListDirectiveTest, SubsumesUnsafeAttributes) { |
| 734 struct TestCase { |
| 735 bool isScriptSrc; |
| 736 String sourcesA; |
| 737 std::vector<String> sourcesB; |
| 738 bool expected; |
| 739 } cases[] = { |
| 740 // A or policiesB contain `unsafe-eval`. |
| 741 {false, |
| 742 "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " |
| 743 "'unsafe-eval'", |
| 744 {"http://example1.com/foo/bar.html 'unsafe-eval'"}, |
| 745 true}, |
| 746 {true, |
| 747 "http://example1.com/foo/ 'self' 'unsafe-eval'", |
| 748 {"http://example1.com/foo/ 'unsafe-inline'"}, |
| 749 false}, |
| 750 {true, |
| 751 "http://example1.com/foo/ 'self' 'unsafe-eval'", |
| 752 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"}, |
| 753 false}, |
| 754 {true, |
| 755 "http://example1.com/foo/ 'self' 'unsafe-eval'", |
| 756 {"http://example1.com/foo/ 'unsafe-eval'", |
| 757 "http://example1.com/foo/bar 'self' unsafe-eval'", |
| 758 "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, |
| 759 true}, |
| 760 {true, |
| 761 "http://example1.com/foo/ 'self'", |
| 762 {"http://example1.com/foo/ 'unsafe-eval'"}, |
| 763 false}, |
| 764 {true, |
| 765 "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| 766 {"http://example1.com/foo/ 'unsafe-eval'", |
| 767 "http://example1.com/foo/bar 'self' 'unsafe-eval'", |
| 768 "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, |
| 769 false}, |
| 770 // A or policiesB contain `unsafe-hashed-attributes`. |
| 771 {false, |
| 772 "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' " |
| 773 "'strict-dynamic' " |
| 774 "'unsafe-hashed-attributes'", |
| 775 {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"}, |
| 776 true}, |
| 777 {true, |
| 778 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", |
| 779 {"http://example1.com/foo/ 'unsafe-inline'"}, |
| 780 false}, |
| 781 {true, |
| 782 "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", |
| 783 {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"}, |
| 784 false}, |
| 785 {true, |
| 786 "http://example1.com/foo/ 'self' 'unsafe-eval' " |
| 787 "'unsafe-hashed-attributes'", |
| 788 {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'", |
| 789 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", |
| 790 "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"}, |
| 791 true}, |
| 792 {true, |
| 793 "http://example1.com/foo/ 'self'", |
| 794 {"http://example1.com/foo/ 'unsafe-hashed-attributes'"}, |
| 795 false}, |
| 796 {true, |
| 797 "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| 798 {"http://example1.com/foo/ 'unsafe-hashed-attributes'", |
| 799 "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", |
| 800 "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"}, |
| 801 false}, |
| 802 }; |
| 803 |
| 804 ContentSecurityPolicy* cspB = |
| 805 SetUpWithOrigin("https://another.test/image.png"); |
| 806 |
| 807 for (const auto& test : cases) { |
| 808 SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", |
| 809 test.sourcesA, csp.get()); |
| 810 |
| 811 HeapVector<Member<SourceListDirective>> vectorB; |
| 812 for (const auto& sources : test.sourcesB) { |
| 813 SourceListDirective* member = new SourceListDirective( |
| 814 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
| 815 vectorB.append(member); |
| 816 } |
| 817 |
| 818 EXPECT_EQ(A.subsumes(vectorB), test.expected); |
| 819 } |
| 820 } |
| 821 |
733 } // namespace blink | 822 } // namespace blink |
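Review bot: The third `unsafe-eval` case (gutter line 757) is missing the opening quote in `'self' unsafe-eval'`, so that directive in sourcesB does not actually carry the `'unsafe-eval'` keyword; the unquoted token is presumably parsed as a malformed host source and ignored rather than treated as the keyword. The case still expects `true` and likely still passes, since A carries `'unsafe-eval'` and the other two B directives do too, but it no longer exercises the intended situation where every B policy grants eval, unlike the parallel `unsafe-hashed-attributes` case at gutter 789. Change the line to `"http://example1.com/foo/bar 'self' 'unsafe-eval'",`. Because `subsumes()` is what decides whether an embedded policy is at least as strict as the one required, a test that passes only because a keyword was silently dropped gives false coverage of the strictness comparison. The preceding test whose loop body opens the hunk (gutter 723) starts outside the hunk.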