Chromium Code Reviews| Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| index db90009afb386d531ca10b3ce9c00e1f07adc903..bd5e1544f3ea23c0ccd9bc148eebf5c88798502f 100644 |
| --- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| +++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp |
| @@ -742,4 +742,140 @@ TEST_F(SourceListDirectiveTest, SubsumesScriptStyleSrc) { |
| } |
| } |
| +TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) { |
| + struct TestCase { |
| + bool isScriptSrc; |
| + String sourcesA; |
| + std::vector<String> sourcesB; |
| + bool expected; |
| + } cases[] = { |
| + // A or policiesB contain `unsafe-eval`. |
| + {false, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' " |
| + "'unsafe-eval'", |
| + {"http://example1.com/foo/bar.html 'unsafe-eval'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-eval'", |
| + {"http://example1.com/foo/ 'unsafe-inline'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-eval'", |
| + {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-eval'", |
| + {"http://example1.com/foo/ 'unsafe-eval'", |
| + "http://example1.com/foo/bar 'self' unsafe-eval'", |
| + "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self'", |
| + {"http://example1.com/foo/ 'unsafe-eval'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"http://example1.com/foo/ 'unsafe-eval'", |
| + "http://example1.com/foo/bar 'self' 'unsafe-eval'", |
| + "http://non-example.com/foo/ 'unsafe-eval' 'self'"}, |
| + false}, |
| + // A or policiesB contain `unsafe-hashed-attributes`. |
| + {false, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' " |
| + "'strict-dynamic' " |
| + "'unsafe-hashed-attributes'", |
| + {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", |
| + {"http://example1.com/foo/ 'unsafe-inline'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'", |
| + {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-eval' " |
| + "'unsafe-hashed-attributes'", |
| + {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'", |
| + "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", |
| + "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self'", |
| + {"http://example1.com/foo/ 'unsafe-hashed-attributes'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"http://example1.com/foo/ 'unsafe-hashed-attributes'", |
| + "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'", |
| + "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"}, |
| + false}, |
| + // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic` |
| + // only is effective for `script-src` directives. |
| + {false, |
| + "http://example1.com/foo/ 'self' 'unsafe-eval'", |
| + {"http://example1.com/foo/bar.html 'strict-dynamic'"}, |
| + true}, |
| + {false, |
| + "http://example1.com/foo/ 'self' 'strict-dynamic'", |
| + {"http://example1.com/foo/bar.html 'strict-dynamic'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'strict-dynamic'", |
| + {"http://example1.com/foo/ 'unsafe-inline'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'strict-dynamic'", |
| + {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'", |
| + {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' " |
| + "'strict-dynamic'", |
| + "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'", |
| + "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"}, |
| + true}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-eval'", |
| + {"http://example1.com/foo/ 'strict-dynamic'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline'", |
| + {"http://example1.com/foo/ 'strict-dynamic'", |
| + "http://example1.com/foo/bar 'self' 'strict-dynamic'", |
| + "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, |
| + true}, |
|
Mike West
2016/11/30 10:12:53
Why is this true?
The group of sources looks like
|
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay'", |
| + {"http://example1.com/foo/ 'strict-dynamic'", |
| + "http://example1.com/foo/bar 'self' 'strict-dynamic'", |
| + "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, |
| + false}, |
| + {true, |
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' " |
| + "'strict-dynamic'", |
| + {"http://example1.com/foo/ 'strict-dynamic'", |
| + "http://example1.com/foo/bar 'self' 'strict-dynamic'", |
| + "https://example1.com/foo/bar 'strict-dynamic' 'self'"}, |
| + true}, |
| + }; |
| + |
| + for (const auto& test : cases) { |
| + SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", |
| + test.sourcesA, csp.get()); |
| + ContentSecurityPolicy* cspB = |
| + SetUpWithOrigin("https://another.test/image.png"); |
| + |
| + HeapVector<Member<SourceListDirective>> vectorB; |
| + for (const auto& sources : test.sourcesB) { |
| + SourceListDirective* member = new SourceListDirective( |
| + test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
| + vectorB.append(member); |
| + } |
| + |
| + EXPECT_EQ(A.subsumes(vectorB), test.expected); |
| + } |
| +} |
| + |
| } // namespace blink |
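Review bot: The third `sourcesB` entry of the fourth case (`"http://example1.com/foo/bar 'self' unsafe-eval'"`) is missing the opening quote on the keyword, so that policy no longer carries `'unsafe-eval'`; every parallel row in the table (e.g. `'self' 'unsafe-eval'` and `'self' 'unsafe-hashed-attributes'`) spells the keyword fully quoted, so this reads as a typo rather than a deliberate malformed-token case. Presumably the unquoted token is not recognised as the keyword and is parsed (or rejected) as a host-source expression — worth confirming against the source-list parser — which would make that B policy strictly narrower than intended; the `true` expectation still holds, but the row no longer exercises the "policiesB contain `unsafe-eval`" situation the section comment describes. Change the line to `"http://example1.com/foo/bar 'self' 'unsafe-eval'",`. If a malformed keyword is meant to be covered, it should be its own case with a comment saying so, e.g. `// Unquoted keyword is not recognised and must not widen B.`, rather than hidden inside a row that also checks subsumption of well-formed sources.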