| Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
|
| diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
|
| index 2e76d9eee6ab4cb829d9c427e7084ce023a1c9fd..84a605a7de340b2b949491165d584a99d9a4fe78 100644
|
| --- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
|
| +++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
|
| @@ -730,4 +730,93 @@ TEST_F(SourceListDirectiveTest, SubsumesAllowAllInline) {
|
| }
|
| }
|
|
|
| +TEST_F(SourceListDirectiveTest, SubsumesUnsafeAttributes) {
|
| + struct TestCase {
|
| + bool isScriptSrc;
|
| + String sourcesA;
|
| + std::vector<String> sourcesB;
|
| + bool expected;
|
| + } cases[] = {
|
| + // A or policiesB contain `unsafe-eval`.
|
| + {false,
|
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' "
|
| + "'unsafe-eval'",
|
| + {"http://example1.com/foo/bar.html 'unsafe-eval'"},
|
| + true},
|
| + {true,
|
| + "http://example1.com/foo/ 'self' 'unsafe-eval'",
|
| + {"http://example1.com/foo/ 'unsafe-inline'"},
|
| + false},
|
| + {true,
|
| + "http://example1.com/foo/ 'self' 'unsafe-eval'",
|
| + {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"},
|
| + false},
|
| + {true,
|
| + "http://example1.com/foo/ 'self' 'unsafe-eval'",
|
| + {"http://example1.com/foo/ 'unsafe-eval'",
|
| + "http://example1.com/foo/bar 'self' unsafe-eval'",
|
| + "http://non-example.com/foo/ 'unsafe-eval' 'self'"},
|
| + true},
|
| + {true,
|
| + "http://example1.com/foo/ 'self'",
|
| + {"http://example1.com/foo/ 'unsafe-eval'"},
|
| + false},
|
| + {true,
|
| + "http://example1.com/foo/ 'self' 'unsafe-inline'",
|
| + {"http://example1.com/foo/ 'unsafe-eval'",
|
| + "http://example1.com/foo/bar 'self' 'unsafe-eval'",
|
| + "http://non-example.com/foo/ 'unsafe-eval' 'self'"},
|
| + false},
|
| + // A or policiesB contain `unsafe-hashed-attributes`.
|
| + {false,
|
| + "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' "
|
| + "'strict-dynamic' "
|
| + "'unsafe-hashed-attributes'",
|
| + {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"},
|
| + true},
|
| + {true,
|
| + "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
|
| + {"http://example1.com/foo/ 'unsafe-inline'"},
|
| + false},
|
| + {true,
|
| + "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
|
| + {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"},
|
| + false},
|
| + {true,
|
| + "http://example1.com/foo/ 'self' 'unsafe-eval' "
|
| + "'unsafe-hashed-attributes'",
|
| + {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'",
|
| + "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",
|
| + "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"},
|
| + true},
|
| + {true,
|
| + "http://example1.com/foo/ 'self'",
|
| + {"http://example1.com/foo/ 'unsafe-hashed-attributes'"},
|
| + false},
|
| + {true,
|
| + "http://example1.com/foo/ 'self' 'unsafe-inline'",
|
| + {"http://example1.com/foo/ 'unsafe-hashed-attributes'",
|
| + "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",
|
| + "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"},
|
| + false},
|
| + };
|
| +
|
| + ContentSecurityPolicy* cspB =
|
| + SetUpWithOrigin("https://another.test/image.png");
|
| +
|
| + for (const auto& test : cases) {
|
| + SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src",
|
| + test.sourcesA, csp.get());
|
| +
|
| + HeapVector<Member<SourceListDirective>> vectorB;
|
| + for (const auto& sources : test.sourcesB) {
|
| + SourceListDirective* member = new SourceListDirective(
|
| + test.isScriptSrc ? "script-src" : "style-src", sources, cspB);
|
| + vectorB.append(member);
|
| + }
|
| +
|
| + EXPECT_EQ(A.subsumes(vectorB), test.expected);
|
| + }
|
| +}
|
| +
|
| } // namespace blink
|
|
|
Chromium Code Reviews
Issue 2538623003:
Part 3.4: Is policy list subsumed under subsuming policy? (Closed)
