Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
index db90009afb386d531ca10b3ce9c00e1f07adc903..bd5e1544f3ea23c0ccd9bc148eebf5c88798502f 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
@@ -742,4 +742,140 @@ TEST_F(SourceListDirectiveTest, SubsumesScriptStyleSrc) { |
} |
} |
+TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) { |
+ struct TestCase { |
+ bool isScriptSrc; |
+ String sourcesA; |
+ std::vector<String> sourcesB; |
+ bool expected; |
+ } cases[] = { |
+ // A or policiesB contain `unsafe-eval`. |
+ {false, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " |
+ "'unsafe-eval'", |
+ {"http://example1.com/foo/bar.html 'unsafe-eval'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/ 'unsafe-inline'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/ 'unsafe-eval'", |
+ "http://example1.com/foo/bar 'self' unsafe-eval'", |
+ "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self'", |
+ {"http://example1.com/foo/ 'unsafe-eval'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline'", |
+ {"http://example1.com/foo/ 'unsafe-eval'", |
+ "http://example1.com/foo/bar 'self' 'unsafe-eval'", |
+ "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, |
+ false}, |
+ // A or policiesB contain `unsafe-hashed-attributes`. |
+ {false, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' " |
+ "'strict-dynamic' " |
+ "'unsafe-hashed-attributes'", |
+ {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", |
+ {"http://example1.com/foo/ 'unsafe-inline'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", |
+ {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval' " |
+ "'unsafe-hashed-attributes'", |
+ {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'", |
+ "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", |
+ "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self'", |
+ {"http://example1.com/foo/ 'unsafe-hashed-attributes'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline'", |
+ {"http://example1.com/foo/ 'unsafe-hashed-attributes'", |
+ "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", |
+ "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"}, |
+ false}, |
+ // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic` |
+ // only is effective for `script-src` directives. |
+ {false, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/bar.html 'strict-dynamic'"}, |
+ true}, |
+ {false, |
+ "http://example1.com/foo/ 'self' 'strict-dynamic'", |
+ {"http://example1.com/foo/bar.html 'strict-dynamic'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'strict-dynamic'", |
+ {"http://example1.com/foo/ 'unsafe-inline'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'strict-dynamic'", |
+ {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'", |
+ {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' " |
+ "'strict-dynamic'", |
+ "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'", |
+ "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"}, |
+ true}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-eval'", |
+ {"http://example1.com/foo/ 'strict-dynamic'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline'", |
+ {"http://example1.com/foo/ 'strict-dynamic'", |
+ "http://example1.com/foo/bar 'self' 'strict-dynamic'", |
+ "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, |
+ true}, |
Mike West
2016/11/30 10:12:53
Why is this true?
The group of sources looks like
|
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay'", |
+ {"http://example1.com/foo/ 'strict-dynamic'", |
+ "http://example1.com/foo/bar 'self' 'strict-dynamic'", |
+ "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, |
+ false}, |
+ {true, |
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' " |
+ "'strict-dynamic'", |
+ {"http://example1.com/foo/ 'strict-dynamic'", |
+ "http://example1.com/foo/bar 'self' 'strict-dynamic'", |
+ "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, |
+ true}, |
+ }; |
+ |
+ for (const auto& test : cases) { |
+ SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", |
+ test.sourcesA, csp.get()); |
+ ContentSecurityPolicy* cspB = |
+ SetUpWithOrigin("https://another.test/image.png"); |
+ |
+ HeapVector<Member<SourceListDirective>> vectorB; |
+ for (const auto& sources : test.sourcesB) { |
+ SourceListDirective* member = new SourceListDirective( |
+ test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
+ vectorB.append(member); |
+ } |
+ |
+ EXPECT_EQ(A.subsumes(vectorB), test.expected); |
+ } |
+} |
+ |
} // namespace blink |