1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
1216 for (const auto& sources : test.sourcesB) { | 1216 for (const auto& sources : test.sourcesB) { |
1217 SourceListDirective* member = new SourceListDirective( | 1217 SourceListDirective* member = new SourceListDirective( |
1218 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); | 1218 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); |
1219 vectorB.append(member); | 1219 vectorB.append(member); |
1220 } | 1220 } |
1221 | 1221 |
1222 EXPECT_EQ(A.subsumes(vectorB), test.expected); | 1222 EXPECT_EQ(A.subsumes(vectorB), test.expected); |
1223 } | 1223 } |
1224 } | 1224 } |
1225 | 1225 |
1226 TEST_F(SourceListDirectiveTest, SubsumesListWildcard) { | |
1227 struct TestCase { | |
1228 const char* sourcesA; | |
1229 std::vector<const char*> sourcesB; | |
1230 bool expected; | |
1231 } cases[] = { | |
1232 // `A` subsumes `policiesB`.. | |
1233 {"*", {""}, true}, | |
1234 {"*", {"'none'"}, true}, | |
1235 {"*", {"*"}, true}, | |
1236 {"*", {"*", "*", "*"}, true}, | |
1237 {"*", {"*", "* https: http: ftp: ws: wss:"}, true}, | |
1238 {"*", {"*", "https: http: ftp: ws: wss:"}, true}, | |
1239 {"https: http: ftp: ws: wss:", {"*", "https: http: ftp: ws: wss:"}, true}, | |
1240 {"http: ftp: ws:", {"*", "https: http: ftp: ws: wss:"}, true}, | |
1241 {"http: ftp: ws:", {"*", "https: 'strict-dynamic'"}, true}, | |
1242 {"http://another.test", {"*", "'self'"}, true}, | |
amalika
2016/12/07 13:20:53
I realized that 'self' is "http://another.test" i.
Mike West
2016/12/07 15:16:22
As discussed, please add a test showing the behavi
| |
1243 {"http://another.test", {"https:", "'self'"}, true}, | |
1244 {"'self'", {"*", "'self'"}, true}, | |
1245 {"'unsafe-eval' * ", {"'unsafe-eval'"}, true}, | |
1246 {"'unsafe-hashed-attributes' * ", {"'unsafe-hashed-attributes'"}, true}, | |
1247 {"'unsafe-inline' * ", {"'unsafe-inline'"}, true}, | |
1248 {"*", {"*", "http://a.com ws://b.com ftp://c.com"}, true}, | |
1249 {"*", {"* data: blob:", "http://a.com ws://b.com ftp://c.com"}, true}, | |
1250 {"*", {"data: blob:", "http://a.com ws://b.com ftp://c.com"}, true}, | |
1251 {"*", {"*", "data://a.com ws://b.com ftp://c.com"}, true}, | |
1252 {"* data:", | |
1253 {"data: blob: *", "data://a.com ws://b.com ftp://c.com"}, | |
1254 true}, | |
1255 {"http://a.com ws://b.com ftp://c.com", | |
1256 {"*", "http://a.com ws://b.com ftp://c.com"}, | |
1257 true}, | |
1258 // `A` does not subsume `policiesB`.. | |
1259 {"*", {}, false}, | |
1260 {"", {"*"}, false}, | |
1261 {"'none'", {"*"}, false}, | |
1262 {"*", {"data:"}, false}, | |
1263 {"*", {"blob:"}, false}, | |
1264 {"http: ftp: ws:", | |
1265 {"* 'strict-dynamic'", "https: 'strict-dynamic'"}, | |
1266 false}, | |
1267 {"https://another.test", {"*"}, false}, | |
1268 {"*", {"* 'unsafe-eval'"}, false}, | |
1269 {"*", {"* 'unsafe-hashed-attributes'"}, false}, | |
1270 {"*", {"* 'unsafe-inline'"}, false}, | |
1271 {"'unsafe-eval'", {"* 'unsafe-eval'"}, false}, | |
1272 {"'unsafe-hashed-attributes'", {"* 'unsafe-hashed-attributes'"}, false}, | |
1273 {"'unsafe-inline'", {"* 'unsafe-inline'"}, false}, | |
1274 {"*", {"data: blob:", "data://a.com ws://b.com ftp://c.com"}, false}, | |
1275 {"* data:", | |
1276 {"data: blob:", "blob://a.com ws://b.com ftp://c.com"}, | |
1277 false}, | |
1278 }; | |
1279 | |
1280 for (const auto& test : cases) { | |
1281 SourceListDirective A("script-src", test.sourcesA, csp.get()); | |
1282 ContentSecurityPolicy* cspB = | |
1283 SetUpWithOrigin("https://another.test/image.png"); | |
1284 | |
1285 HeapVector<Member<SourceListDirective>> vectorB; | |
1286 for (const auto& sources : test.sourcesB) { | |
1287 SourceListDirective* member = | |
1288 new SourceListDirective("script-src", sources, cspB); | |
1289 vectorB.append(member); | |
1290 } | |
1291 | |
1292 EXPECT_EQ(A.subsumes(vectorB), test.expected); | |
1293 } | |
1294 } | |
1295 | |
1296 TEST_F(SourceListDirectiveTest, GetSources) { | |
1297 struct TestCase { | |
1298 const char* sources; | |
1299 const char* expected; | |
1300 } cases[] = { | |
1301 {"", ""}, | |
1302 {"*", "ftp: ws: http: https:"}, | |
1303 {"* data:", "data: ftp: ws: http: https:"}, | |
1304 {"blob: *", "blob: ftp: ws: http: https:"}, | |
1305 {"* 'self'", "ftp: ws: http: https:"}, | |
1306 {"https: 'self'", "https: https://example.test"}, | |
1307 {"https://b.com/bar/", "https://b.com/bar/"}, | |
1308 {"'self' http://a.com/foo/ https://b.com/bar/", | |
1309 "http://a.com/foo/ https://b.com/bar/ https://example.test"}, | |
1310 {"http://a.com/foo/ https://b.com/bar/ 'self'", | |
1311 "http://a.com/foo/ https://b.com/bar/ https://example.test"}, | |
1312 }; | |
1313 | |
1314 for (const auto& test : cases) { | |
1315 SourceListDirective list("script-src", test.sources, csp.get()); | |
1316 HeapVector<Member<CSPSource>> normalized = | |
1317 list.getSources(csp.get()->getSelfSource()); | |
1318 | |
1319 SourceListDirective expectedList("script-src", test.expected, csp.get()); | |
1320 HeapVector<Member<CSPSource>> expected = expectedList.m_list; | |
1321 EXPECT_EQ(normalized.size(), expected.size()); | |
1322 for (size_t i = 0; i < expected.size(); i++) { | |
1323 Source a = {expected[i]->m_scheme, expected[i]->m_host, | |
1324 expected[i]->m_port, expected[i]->m_path, | |
1325 expected[i]->m_hostWildcard, expected[i]->m_portWildcard}; | |
1326 Source b = {normalized[i]->m_scheme, normalized[i]->m_host, | |
1327 normalized[i]->m_port, normalized[i]->m_path, | |
1328 normalized[i]->m_hostWildcard, normalized[i]->m_portWildcard}; | |
1329 EXPECT_TRUE(equalSources(a, b)); | |
1330 } | |
1331 } | |
1332 } | |
1333 | |
1226 } // namespace blink | 1334 } // namespace blink |
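Review bot: In GetSources the size comparison on new line 1321 is an EXPECT_EQ, but the loop that follows indexes `normalized[i]` for every `i < expected.size()`, so a size mismatch does not stop the test and instead reads past the end of `normalized` whenever getSources() returns fewer entries than the expected list; it should be `ASSERT_EQ(normalized.size(), expected.size());` so the failure is reported without the out-of-bounds access. The `Source` struct and `equalSources` helper used in that loop are defined outside this hunk, so I could not check that they compare every field the test fills in. Separately, the two section comments in SubsumesListWildcard refer to `policiesB`, but the field being compared is `sourcesB`; `// \`A\` subsumes \`sourcesB\`.` and `// \`A\` does not subsume \`sourcesB\`.` would match the code.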