Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(353)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2545063002: Part 3.6: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: Intersect Tests Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
index 0e1fcc34adae68fd354a3501fc0c6cacfaf702bb..e0810de2d4cbda19cbcf064a36b601b57a8c94e3 100644
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
@@ -851,4 +851,200 @@ TEST_F(SourceListDirectiveTest, IsNone) {
}
}
+TEST_F(SourceListDirectiveTest, GetIntersectNonces) {
+ SourceListDirective listA(
+ "script-src",
+ "http://example.com 'nonce-abc' 'nonce-xyz' 'nonce' 'unsafe-inline'",
Mike West 2016/12/07 13:32:46 Is `'nonce'` the template bit we talked about? If
amalika 2016/12/07 15:11:51 it was intended to be a non-valid nonce. I changed
+ csp.get());
+ struct TestCase {
+ String sources;
+ String expected;
+ String expectedReversed;
Mike West 2016/12/07 13:32:46 You don't define this in any of the items below. D
amalika 2016/12/07 15:11:51 Hm yes, it is weird it compiles like this.
+ } cases[] = {
+ {"http:", ""},
Mike West 2016/12/07 13:32:46 Might as well add tests for `'unsafe-inline'`, `ht
amalika 2016/12/07 15:11:51 Added!
+ {"'nonce-abc'", "'nonce-abc'"},
+ {"'nonce-xyz'", "'nonce-xyz'"},
+ {"'nonce-123'", ""},
+ {"'nonce-abc' 'nonce-xyz'", "'nonce-abc' 'nonce-xyz'"},
+ {"'nonce-abc' 'nonce-xyz' 'nonce'", "'nonce-abc' 'nonce-xyz'"},
+ {"'nonce-abc' 'nonce-123'", "'nonce-abc'"},
+ {"'nonce-123' 'nonce-123'", ""},
+ {"'nonce-123' 'nonce-abc'", "'nonce-abc'"},
+ {"'nonce-123' 'nonce-xyz'", "'nonce-xyz'"},
+ {"'nonce-123' 'nonce-xyx'", ""},
+ };
+
+ for (const auto& test : cases) {
+ SourceListDirective listB("script-src", test.sources, csp.get());
+ HashSet<String> normalized = listA.getIntersectNonces(listB.m_nonces);
+
+ SourceListDirective expectedList("script-src", test.expected, csp.get());
+ HashSet<String> expected = expectedList.m_nonces;
+ EXPECT_EQ(normalized.size(), expected.size());
+ for (const auto& nonce : normalized) {
+ EXPECT_TRUE(expected.contains(nonce));
+ }
+ }
+}
+
+TEST_F(SourceListDirectiveTest, GetIntersectHashes) {
+ SourceListDirective listA(
+ "script-src",
+ "http://example.com 'sha256-abc123' 'sha384-' 'sha512-321cba' 'self'",
+ csp.get());
+ struct TestCase {
+ String sources;
+ String expected;
+ String expectedReversed;
+ } cases[] = {
+ {"http:", ""},
+ {"'sha384-abc'", ""},
+ {"'sha384-'", ""},
+ {"'sha256-abc123'", "'sha256-abc123'"},
+ {"'sha256-abc123' 'sha384-'", "'sha256-abc123'"},
+ {"'sha256-abc123' 'sha512-321cba'", "'sha512-321cba' 'sha256-abc123'"},
+ {"'sha256-abc123' 'sha384-' 'sha512-321cba'",
+ "'sha256-abc123' 'sha512-321cba' "},
+ {"'sha256-else' 'sha384-' 'sha512-321cba'", "'sha512-321cba' "},
+ {"'hash-123'", ""},
+ {"'sha256-123'", ""},
+ };
+
+ for (const auto& test : cases) {
+ SourceListDirective listB("script-src", test.sources, csp.get());
+ HashSet<CSPHashValue> normalized = listA.getIntersectHashes(listB.m_hashes);
+
+ SourceListDirective expectedList("script-src", test.expected, csp.get());
+ HashSet<CSPHashValue> expected = expectedList.m_hashes;
+ EXPECT_EQ(normalized.size(), expected.size());
+ for (const auto& hash : normalized) {
+ EXPECT_TRUE(expected.contains(hash));
+ }
+ }
+}
+
+TEST_F(SourceListDirectiveTest, SubsumesNoncesAndHashes) {
+ struct TestCase {
+ bool isScriptSrc;
+ String sourcesA;
+ std::vector<String> sourcesB;
+ bool expected;
+ } cases[] = {
+ // Check nonces.
+ {true,
+ "http://example1.com/foo/ 'unsafe-inline' 'nonce-abc'",
+ {"'unsafe-inline'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-abc'",
+ {"'nonce-abc'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline'",
+ {"'unsafe-inline' 'nonce-yay'", "'nonce-yay'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'nonce-yay'",
+ {"'unsafe-inline' 'nonce-yay'", "'nonce-yay'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'nonce-abc' 'nonce-yay'",
+ {"'unsafe-inline' https://example.test/"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'nonce-abc' 'nonce-yay'",
+ {"'nonce-abc' https://example1.com/foo/"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' "
+ "'strict-dynamic'",
+ {"https://example.test/ 'nonce-yay'"},
+ false},
+ {false,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'nonce-yay' "
+ "'strict-dynamic'",
+ {"'nonce-yay' https://example1.com/foo/"},
+ true},
+ // Check hashes.
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'",
+ {"http://example1.com/foo/page.html 'strict-dynamic'",
+ "https://example1.com/foo/ 'sha512-321cba'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'",
+ {"http://some-other.com/ 'strict-dynamic' 'sha512-321cba'",
+ "http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'",
+ {"http://example1.com/foo/ 'sha512-321abc' 'sha512-321cba'",
+ "http://example1.com/foo/ 'sha512-321abc' 'sha512-321cba'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'",
+ {"http://example1.com/foo/ 'unsafe-inline'",
+ "http://example1.com/foo/ 'sha512-321cba'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc'",
+ {"http://example1.com/foo/ 'unsafe-inline' 'sha512-321abc'",
+ "http://example1.com/foo/ 'sha512-321abc'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc'",
+ {"'unsafe-inline' 'sha512-321abc'",
+ "http://example1.com/foo/ 'sha512-321abc'"},
+ true},
+ // Nonces and hashes together.
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' "
+ "'nonce-abc'",
+ {"'unsafe-inline' 'sha512-321abc' 'self'",
+ "'unsafe-inline''sha512-321abc' https://example.test/"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' "
+ "'nonce-abc'",
+ {"'unsafe-inline' 'sha512-321abc' 'self' 'nonce-abc'",
+ "'sha512-321abc' https://example.test/"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' "
+ "'nonce-abc'",
+ {"'unsafe-inline' 'sha512-321abc' 'self'",
+ " 'sha512-321abc' https://example.test/ 'nonce-abc'"},
+ true},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' "
+ "'nonce-abc'",
+ {"'unsafe-inline' 'sha512-321abc' 'self' 'nonce-xyz'",
+ "unsafe-inline' 'sha512-321abc' https://example.test/ 'nonce-xyz'"},
+ false},
+ {true,
+ "http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321abc' "
+ "'nonce-abc'",
+ {"'unsafe-inline' 'sha512-321abc' 'self' 'sha512-xyz'",
+ "unsafe-inline' 'sha512-321abc' https://example.test/ 'sha512-xyz'"},
+ false},
+
+ };
+
+ for (const auto& test : cases) {
+ SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src",
+ test.sourcesA, csp.get());
+ ContentSecurityPolicy* cspB =
+ SetUpWithOrigin("https://another.test/image.png");
+
+ HeapVector<Member<SourceListDirective>> vectorB;
+ for (const auto& sources : test.sourcesB) {
+ SourceListDirective* member = new SourceListDirective(
+ test.isScriptSrc ? "script-src" : "style-src", sources, cspB);
+ vectorB.append(member);
+ }
+
+ EXPECT_EQ(A.subsumes(vectorB), test.expected);
+ }
+}
+
} // namespace blink
« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698