Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(457)

Unified Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2538623003: Part 3.4: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: More test cases Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
index db90009afb386d531ca10b3ce9c00e1f07adc903..bd5e1544f3ea23c0ccd9bc148eebf5c88798502f 100644
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
@@ -742,4 +742,140 @@ TEST_F(SourceListDirectiveTest, SubsumesScriptStyleSrc) {
}
}
+TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) {
+ struct TestCase {
+ bool isScriptSrc;
+ String sourcesA;
+ std::vector<String> sourcesB;
+ bool expected;
+ } cases[] = {
+ // A or policiesB contain `unsafe-eval`.
+ {false,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' "
+ "'unsafe-eval'",
+ {"http://example1.com/foo/bar.html 'unsafe-eval'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-eval'",
+ {"http://example1.com/foo/ 'unsafe-inline'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-eval'",
+ {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-eval'",
+ {"http://example1.com/foo/ 'unsafe-eval'",
+ "http://example1.com/foo/bar 'self' unsafe-eval'",
+ "http://non-example.com/foo/ 'unsafe-eval' 'self'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self'",
+ {"http://example1.com/foo/ 'unsafe-eval'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline'",
+ {"http://example1.com/foo/ 'unsafe-eval'",
+ "http://example1.com/foo/bar 'self' 'unsafe-eval'",
+ "http://non-example.com/foo/ 'unsafe-eval' 'self'"},
+ false},
+ // A or policiesB contain `unsafe-hashed-attributes`.
+ {false,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' "
+ "'strict-dynamic' "
+ "'unsafe-hashed-attributes'",
+ {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
+ {"http://example1.com/foo/ 'unsafe-inline'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
+ {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-eval' "
+ "'unsafe-hashed-attributes'",
+ {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'",
+ "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",
+ "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self'",
+ {"http://example1.com/foo/ 'unsafe-hashed-attributes'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline'",
+ {"http://example1.com/foo/ 'unsafe-hashed-attributes'",
+ "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",
+ "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"},
+ false},
+ // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic`
+ // only is effective for `script-src` directives.
+ {false,
+ "http://example1.com/foo/ 'self' 'unsafe-eval'",
+ {"http://example1.com/foo/bar.html 'strict-dynamic'"},
+ true},
+ {false,
+ "http://example1.com/foo/ 'self' 'strict-dynamic'",
+ {"http://example1.com/foo/bar.html 'strict-dynamic'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'strict-dynamic'",
+ {"http://example1.com/foo/ 'unsafe-inline'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'strict-dynamic'",
+ {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'",
+ {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' "
+ "'strict-dynamic'",
+ "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'",
+ "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-eval'",
+ {"http://example1.com/foo/ 'strict-dynamic'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline'",
+ {"http://example1.com/foo/ 'strict-dynamic'",
+ "http://example1.com/foo/bar 'self' 'strict-dynamic'",
+ "https://example1.com/foo/bar 'strict-dynamic' 'self'"},
+ true},
Mike West 2016/11/30 10:12:53 Why is this true? The group of sources looks like
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay'",
+ {"http://example1.com/foo/ 'strict-dynamic'",
+ "http://example1.com/foo/bar 'self' 'strict-dynamic'",
+ "https://example1.com/foo/bar 'strict-dynamic' 'self'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' "
+ "'strict-dynamic'",
+ {"http://example1.com/foo/ 'strict-dynamic'",
+ "http://example1.com/foo/bar 'self' 'strict-dynamic'",
+ "https://example1.com/foo/bar 'strict-dynamic' 'self'"},
+ true},
+ };
+
+ for (const auto& test : cases) {
+ SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src",
+ test.sourcesA, csp.get());
+ ContentSecurityPolicy* cspB =
+ SetUpWithOrigin("https://another.test/image.png");
+
+ HeapVector<Member<SourceListDirective>> vectorB;
+ for (const auto& sources : test.sourcesB) {
+ SourceListDirective* member = new SourceListDirective(
+ test.isScriptSrc ? "script-src" : "style-src", sources, cspB);
+ vectorB.append(member);
+ }
+
+ EXPECT_EQ(A.subsumes(vectorB), test.expected);
+ }
+}
+
} // namespace blink
« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698