1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
(...skipping 833 matching lines...)
844 EXPECT_EQ(scriptSrc.isNone(), test.expected); | 844 EXPECT_EQ(scriptSrc.isNone(), test.expected); |
845 | 845 |
846 SourceListDirective styleSrc("form-action", test.sources, csp.get()); | 846 SourceListDirective styleSrc("form-action", test.sources, csp.get()); |
847 EXPECT_EQ(styleSrc.isNone(), test.expected); | 847 EXPECT_EQ(styleSrc.isNone(), test.expected); |
848 | 848 |
849 SourceListDirective imgSrc("frame-src", test.sources, csp.get()); | 849 SourceListDirective imgSrc("frame-src", test.sources, csp.get()); |
850 EXPECT_EQ(styleSrc.isNone(), test.expected); | 850 EXPECT_EQ(styleSrc.isNone(), test.expected); |
851 } | 851 } |
852 } | 852 } |
853 | 853 |
854 TEST_F(SourceListDirectiveTest, GetIntersectNonces) { | |
855 SourceListDirective listA( | |
856 "script-src", | |
857 "http://example.com 'nonce-abc' 'nonce-xyz' 'nonce' 'unsafe-inline'", | |
858 csp.get()); | |
859 struct TestCase { | |
860 String sources; | |
861 String expected; | |
862 String expectedReversed; | |
Mike West
2016/12/07 13:32:46
You're not using this. Did you intend to?
| |
863 } cases[] = { | |
864 {"http:", ""}, | |
865 {"'nonce-abc'", "'nonce-abc'"}, | |
866 {"'nonce-xyz'", "'nonce-xyz'"}, | |
867 {"'nonce-123'", ""}, | |
868 {"'nonce-abc' 'nonce-xyz'", "'nonce-abc' 'nonce-xyz'"}, | |
869 {"'nonce-abc' 'nonce-xyz' 'nonce'", "'nonce-abc' 'nonce-xyz'"}, | |
870 {"'nonce-abc' 'nonce-123'", "'nonce-abc'"}, | |
871 {"'nonce-123' 'nonce-123'", ""}, | |
872 {"'nonce-123' 'nonce-abc'", "'nonce-abc'"}, | |
873 {"'nonce-123' 'nonce-xyz'", "'nonce-xyz'"}, | |
874 {"'nonce-123' 'nonce-xyx'", ""}, | |
875 }; | |
876 | |
877 for (const auto& test : cases) { | |
878 SourceListDirective listB("script-src", test.sources, csp.get()); | |
879 HashSet<String> normalized = listA.getIntersectNonces(listB.m_nonces); | |
880 | |
881 SourceListDirective expectedList("script-src", test.expected, csp.get()); | |
882 HashSet<String> expected = expectedList.m_nonces; | |
883 EXPECT_EQ(normalized.size(), expected.size()); | |
884 for (const auto& nonce : normalized) { | |
885 EXPECT_TRUE(expected.contains(nonce)); | |
886 } | |
887 } | |
888 } | |
889 | |
890 TEST_F(SourceListDirectiveTest, GetIntersectHashes) { | |
891 SourceListDirective listA( | |
892 "script-src", | |
893 "http://example.com 'sha256-abc123' 'sha384-' 'sha512-321cba' 'self'", | |
894 csp.get()); | |
895 struct TestCase { | |
896 String sources; | |
897 String expected; | |
898 String expectedReversed; | |
Mike West
2016/12/07 13:32:46
Ditto. I'm a little surprised this compiled...
| |
899 } cases[] = { | |
900 {"http:", ""}, | |
901 {"'sha384-abc'", ""}, | |
902 {"'sha384-'", ""}, | |
903 {"'sha256-abc123'", "'sha256-abc123'"}, | |
904 {"'sha256-abc123' 'sha384-'", "'sha256-abc123'"}, | |
905 {"'sha256-abc123' 'sha512-321cba'", "'sha512-321cba' 'sha256-abc123'"}, | |
906 {"'sha256-abc123' 'sha384-' 'sha512-321cba'", | |
907 "'sha256-abc123' 'sha512-321cba' "}, | |
908 {"'sha256-else' 'sha384-' 'sha512-321cba'", "'sha512-321cba' "}, | |
909 {"'hash-123'", ""}, | |
910 {"'sha256-123'", ""}, | |
911 }; | |
912 | |
913 for (const auto& test : cases) { | |
914 SourceListDirective listB("script-src", test.sources, csp.get()); | |
915 HashSet<CSPHashValue> normalized = listA.getIntersectHashes(listB.m_hashes); | |
916 | |
917 SourceListDirective expectedList("script-src", test.expected, csp.get()); | |
918 HashSet<CSPHashValue> expected = expectedList.m_hashes; | |
919 EXPECT_EQ(normalized.size(), expected.size()); | |
920 for (const auto& hash : normalized) { | |
921 EXPECT_TRUE(expected.contains(hash)); | |
922 } | |
923 } | |
924 } | |
925 | |
926 TEST_F(SourceListDirectiveTest, SubsumesNoncesAndHashes) { | |
927 struct TestCase { | |
928 bool isScriptSrc; | |
929 String sourcesA; | |
930 std::vector<String> sourcesB; | |
931 bool expected; | |
932 } cases[] = { | |
933 // Check nonces. | |
934 {true, | |
935 "http://example1.com/foo/ 'unsafe-inline' 'nonce-abc'", | |
936 {"'unsafe-inline'"}, | |
937 false}, | |
938 {true, | |
939 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-abc'", | |
940 {"'nonce-abc'"}, | |
941 true}, | |
942 {true, | |
943 "http://example1.com/foo/ 'self' 'unsafe-inline'", | |
944 {"'unsafe-inline' 'nonce-yay'", "'nonce-yay'"}, | |
945 false}, | |
946 {true, | |
947 "http://example1.com/foo/ 'self' 'nonce-yay'", | |
948 {"'unsafe-inline' 'nonce-yay'", "'nonce-yay'"}, | |
949 true}, | |
950 {true, | |
951 "http://example1.com/foo/ 'self' 'nonce-abc' 'nonce-yay'", | |
952 {"'unsafe-inline' https://example.test/"}, | |
953 false}, | |
954 {true, | |
955 "http://example1.com/foo/ 'self' 'nonce-abc' 'nonce-yay'", | |
956 {"'nonce-abc' https://example1.com/foo/"}, | |
957 true}, | |
958 {true, | |
959 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' " | |
960 "'strict-dynamic'", | |
961 {"https://example.test/ 'nonce-yay'"}, | |
962 false}, | |
963 {false, | |
964 "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' " | |
965 "'strict-dynamic'", | |
966 {"'nonce-yay' https://example1.com/foo/"}, | |
967 true}, | |
968 // Check hashes. | |
969 {true, | |
970 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
971 {"http://example1.com/foo/page.html 'strict-dynamic'", | |
972 "https://example1.com/foo/ 'sha512-321cba'"}, | |
973 true}, | |
974 {true, | |
975 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
976 {"http://some-other.com/ 'strict-dynamic' 'sha512-321cba'", | |
977 "http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'"}, | |
978 true}, | |
979 {true, | |
980 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
981 {"http://example1.com/foo/ 'sha512-321abc' 'sha512-321cba'", | |
982 "http://example1.com/foo/ 'sha512-321abc' 'sha512-321cba'"}, | |
983 false}, | |
984 {true, | |
985 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", | |
986 {"http://example1.com/foo/ 'unsafe-inline'", | |
987 "http://example1.com/foo/ 'sha512-321cba'"}, | |
988 true}, | |
989 {true, | |
990 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc'", | |
991 {"http://example1.com/foo/ 'unsafe-inline' 'sha512-321abc'", | |
992 "http://example1.com/foo/ 'sha512-321abc'"}, | |
993 true}, | |
994 {true, | |
995 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc'", | |
996 {"'unsafe-inline' 'sha512-321abc'", | |
997 "http://example1.com/foo/ 'sha512-321abc'"}, | |
998 true}, | |
999 // Nonces and hashes together. | |
1000 {true, | |
1001 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' " | |
1002 "'nonce-abc'", | |
1003 {"'unsafe-inline' 'sha512-321abc' 'self'", | |
1004 "'unsafe-inline''sha512-321abc' https://example.test/"}, | |
1005 true}, | |
1006 {true, | |
1007 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' " | |
1008 "'nonce-abc'", | |
1009 {"'unsafe-inline' 'sha512-321abc' 'self' 'nonce-abc'", | |
1010 "'sha512-321abc' https://example.test/"}, | |
1011 true}, | |
1012 {true, | |
1013 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' " | |
1014 "'nonce-abc'", | |
1015 {"'unsafe-inline' 'sha512-321abc' 'self'", | |
1016 " 'sha512-321abc' https://example.test/ 'nonce-abc'"}, | |
1017 true}, | |
1018 {true, | |
1019 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' " | |
1020 "'nonce-abc'", | |
1021 {"'unsafe-inline' 'sha512-321abc' 'self' 'nonce-xyz'", | |
1022 "unsafe-inline' 'sha512-321abc' https://example.test/ 'nonce-xyz'"}, | |
1023 false}, | |
1024 {true, | |
1025 "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' " | |
1026 "'nonce-abc'", | |
1027 {"'unsafe-inline' 'sha512-321abc' 'self' 'sha512-xyz'", | |
1028 "unsafe-inline' 'sha512-321abc' https://example.test/ 'sha512-xyz'"}, | |
1029 false}, | |
1030 | |
1031 }; | |
1032 | |
1033 for (const auto& test : cases) { | |
1034 SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src", | |
1035 test.sourcesA, csp.get()); | |
1036 ContentSecurityPolicy* cspB = | |
1037 SetUpWithOrigin("https://another.test/image.png"); | |
1038 | |
1039 HeapVector<Member<SourceListDirective>> vectorB; | |
1040 for (const auto& sources : test.sourcesB) { | |
1041 SourceListDirective* member = new SourceListDirective( | |
1042 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | |
1043 vectorB.append(member); | |
1044 } | |
1045 | |
1046 EXPECT_EQ(A.subsumes(vectorB), test.expected); | |
1047 } | |
1048 } | |
1049 | |
854 } // namespace blink | 1050 } // namespace blink |
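Review bot: Three source strings in the SubsumesNoncesAndHashes fixture are malformed — line 1004 `'unsafe-inline''sha512-321abc'` has no space between the two keywords, and lines 1022 and 1028 begin with `unsafe-inline'` without the opening quote — so those cases probably exercise the parser's handling of a bad token rather than the nonce/hash mismatch they are grouped under, and since the last two expect false, a rejected token would let them pass for the wrong reason. Replace them with well-formed lists: `"'unsafe-inline' 'sha512-321abc' https://example.test/"`, `"'unsafe-inline' 'sha512-321abc' https://example.test/ 'nonce-xyz'"` and `"'unsafe-inline' 'sha512-321abc' https://example.test/ 'sha512-xyz'"`. The trailing spaces inside the expected strings at lines 907 and 908 of GetIntersectHashes look accidental as well and are worth trimming for consistency with the other entries. Separately, the pre-existing context at lines 849–850 constructs imgSrc for "frame-src" but asserts on styleSrc a second time, so the frame-src case is never actually checked.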