Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
index 54c2b35236f2e4e6c2778c7454ee2d129a0293be..1e1676778a73bbb23fe337fc5d9df895bdcb536e 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
@@ -746,4 +746,127 @@ TEST_F(SourceListDirectiveTest, SubsumesScriptStyleSrc) { |
} |
} |
+TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) { |
+ struct TestCase { |
+ bool isScriptSrc; |
+ String sourcesA; |
+ std::vector<String> sourcesB; |
+ bool expected; |
+ } cases[] = { |
+ // A or policiesB contain `unsafe-eval`. |
+ {false, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " |
+ "'unsafe-eval'", |
+ {"http://example1.com/foo/bar.html 'unsafe-eval'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/ 'unsafe-inline'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/ 'unsafe-eval'", |
+ "http://example1.com/foo/bar 'self' unsafe-eval'", |
+ "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self'", |
+ {"http://example1.com/foo/ 'unsafe-eval'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline'", |
+ {"http://example1.com/foo/ 'unsafe-eval'", |
+ "http://example1.com/foo/bar 'self' 'unsafe-eval'", |
+ "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, |
+ false}, |
+ // A or policiesB contain `unsafe-hashed-attributes`. |
+ {false, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' " |
+ "'strict-dynamic' " |
+ "'unsafe-hashed-attributes'", |
+ {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", |
+ {"http://example1.com/foo/ 'unsafe-inline'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", |
+ {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval' " |
+ "'unsafe-hashed-attributes'", |
+ {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'", |
+ "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", |
+ "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self'", |
+ {"http://example1.com/foo/ 'unsafe-hashed-attributes'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline'", |
+ {"http://example1.com/foo/ 'unsafe-hashed-attributes'", |
+ "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", |
+ "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"}, |
+ false}, |
+ // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic` |
+ // only is effective for `script-src` directives. |
+ {false, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/bar.html 'strict-dynamic'"}, |
+ true}, |
+ {false, |
+ "http://example1.com/foo/ 'self' 'strict-dynamic'", |
+ {"http://example1.com/foo/bar.html 'strict-dynamic'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'strict-dynamic'", |
+ {"http://example1.com/foo/ 'unsafe-inline'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'strict-dynamic'", |
+ {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'", |
+ {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' " |
+ "'strict-dynamic'", |
+ "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'", |
+ "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/ 'strict-dynamic'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline'", |
+ {"http://example1.com/foo/ 'strict-dynamic'", |
+ "http://example1.com/foo/bar 'self' 'strict-dynamic'", |
+ "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, |
+ true}, |
amalika
2016/11/29 10:46:03
Just wanted to check with you:
This is a desired b
Mike West
2016/11/29 12:05:48
Hrm. I don't think that's correct, as `strict-dyna
amalika
2016/11/29 13:37:45
From my understanding, then this example would be
|
+ }; |
+ |
+ for (const auto& test : cases) { |
+ SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", |
+ test.sourcesA, csp.get()); |
+ ContentSecurityPolicy* cspB = |
+ SetUpWithOrigin("https://another.test/image.png"); |
+ |
+ HeapVector<Member<SourceListDirective>> vectorB; |
+ for (const auto& sources : test.sourcesB) { |
+ SourceListDirective* member = new SourceListDirective( |
+ test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
+ vectorB.append(member); |
+ } |
+ |
+ EXPECT_EQ(A.subsumes(vectorB), test.expected); |
+ } |
+} |
+ |
} // namespace blink |
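Review bot: The fourth `unsafe-eval` case has an unbalanced keyword in its second B policy — `"http://example1.com/foo/bar 'self' unsafe-eval'"` — so that token is not the `'unsafe-eval'` keyword and will presumably be rejected as a malformed source expression rather than granting eval. The case still expects `true`, and it would then pass for the wrong reason: once one policy in B lacks `'unsafe-eval'`, the effective B policy cannot allow eval, so A subsuming B no longer demonstrates that A's `'unsafe-eval'` covers B's at all. Restore the quote, `"http://example1.com/foo/bar 'self' 'unsafe-eval'"`, to match the parallel `'unsafe-hashed-attributes'` case below it. Since every case here is keyword subsumption by string, a one-line comment above `cases[]` such as `// Keyword spelling matters: a misquoted keyword is dropped by the parser and silently weakens the case.` would help the next author spot this class of typo.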