
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2555153002: Part 3.8: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: Style Created 4 years ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "core/frame/csp/SourceListDirective.h" 5 #include "core/frame/csp/SourceListDirective.h"
6 6
7 #include "core/dom/Document.h" 7 #include "core/dom/Document.h"
8 #include "core/frame/csp/CSPSource.h" 8 #include "core/frame/csp/CSPSource.h"
9 #include "core/frame/csp/ContentSecurityPolicy.h" 9 #include "core/frame/csp/ContentSecurityPolicy.h"
10 #include "platform/network/ResourceRequest.h" 10 #include "platform/network/ResourceRequest.h"
(...skipping 1205 matching lines...) Expand 10 before | Expand all | Expand 10 after
1216 for (const auto& sources : test.sourcesB) { 1216 for (const auto& sources : test.sourcesB) {
1217 SourceListDirective* member = new SourceListDirective( 1217 SourceListDirective* member = new SourceListDirective(
1218 test.isScriptSrc ? "script-src" : "style-src", sources, cspB); 1218 test.isScriptSrc ? "script-src" : "style-src", sources, cspB);
1219 vectorB.append(member); 1219 vectorB.append(member);
1220 } 1220 }
1221 1221
1222 EXPECT_EQ(A.subsumes(vectorB), test.expected); 1222 EXPECT_EQ(A.subsumes(vectorB), test.expected);
1223 } 1223 }
1224 } 1224 }
1225 1225
1226 TEST_F(SourceListDirectiveTest, SubsumesListWildcard) {
1227 struct TestCase {
1228 const char* sourcesA;
1229 std::vector<const char*> sourcesB;
1230 bool expected;
1231 } cases[] = {
1232 // `A` subsumes `policiesB`..
1233 {"*", {""}, true},
1234 {"*", {"'none'"}, true},
1235 {"*", {"*"}, true},
1236 {"*", {"*", "*", "*"}, true},
1237 {"*", {"*", "* https: http: ftp: ws: wss:"}, true},
1238 {"*", {"*", "https: http: ftp: ws: wss:"}, true},
1239 {"https: http: ftp: ws: wss:", {"*", "https: http: ftp: ws: wss:"}, true},
1240 {"http: ftp: ws:", {"*", "https: http: ftp: ws: wss:"}, true},
1241 {"http: ftp: ws:", {"*", "https: 'strict-dynamic'"}, true},
1242 {"http://another.test", {"*", "'self'"}, true},
amalika 2016/12/07 13:20:53 I realized that 'self' is "http://another.test" i.
Mike West 2016/12/07 15:16:22 As discussed, please add a test showing the behavi
1243 {"http://another.test", {"https:", "'self'"}, true},
1244 {"'self'", {"*", "'self'"}, true},
1245 {"'unsafe-eval' * ", {"'unsafe-eval'"}, true},
1246 {"'unsafe-hashed-attributes' * ", {"'unsafe-hashed-attributes'"}, true},
1247 {"'unsafe-inline' * ", {"'unsafe-inline'"}, true},
1248 {"*", {"*", "http://a.com ws://b.com ftp://c.com"}, true},
1249 {"*", {"* data: blob:", "http://a.com ws://b.com ftp://c.com"}, true},
1250 {"*", {"data: blob:", "http://a.com ws://b.com ftp://c.com"}, true},
1251 {"*", {"*", "data://a.com ws://b.com ftp://c.com"}, true},
1252 {"* data:",
1253 {"data: blob: *", "data://a.com ws://b.com ftp://c.com"},
1254 true},
1255 {"http://a.com ws://b.com ftp://c.com",
1256 {"*", "http://a.com ws://b.com ftp://c.com"},
1257 true},
1258 // `A` does not subsume `policiesB`..
1259 {"*", {}, false},
1260 {"", {"*"}, false},
1261 {"'none'", {"*"}, false},
1262 {"*", {"data:"}, false},
1263 {"*", {"blob:"}, false},
1264 {"http: ftp: ws:",
1265 {"* 'strict-dynamic'", "https: 'strict-dynamic'"},
1266 false},
1267 {"https://another.test", {"*"}, false},
1268 {"*", {"* 'unsafe-eval'"}, false},
1269 {"*", {"* 'unsafe-hashed-attributes'"}, false},
1270 {"*", {"* 'unsafe-inline'"}, false},
1271 {"'unsafe-eval'", {"* 'unsafe-eval'"}, false},
1272 {"'unsafe-hashed-attributes'", {"* 'unsafe-hashed-attributes'"}, false},
1273 {"'unsafe-inline'", {"* 'unsafe-inline'"}, false},
1274 {"*", {"data: blob:", "data://a.com ws://b.com ftp://c.com"}, false},
1275 {"* data:",
1276 {"data: blob:", "blob://a.com ws://b.com ftp://c.com"},
1277 false},
1278 };
1279
1280 for (const auto& test : cases) {
1281 SourceListDirective A("script-src", test.sourcesA, csp.get());
1282 ContentSecurityPolicy* cspB =
1283 SetUpWithOrigin("https://another.test/image.png");
1284
1285 HeapVector<Member<SourceListDirective>> vectorB;
1286 for (const auto& sources : test.sourcesB) {
1287 SourceListDirective* member =
1288 new SourceListDirective("script-src", sources, cspB);
1289 vectorB.append(member);
1290 }
1291
1292 EXPECT_EQ(A.subsumes(vectorB), test.expected);
1293 }
1294 }
1295
1296 TEST_F(SourceListDirectiveTest, GetSources) {
1297 struct TestCase {
1298 const char* sources;
1299 const char* expected;
1300 } cases[] = {
1301 {"", ""},
1302 {"*", "ftp: ws: http: https:"},
1303 {"* data:", "data: ftp: ws: http: https:"},
1304 {"blob: *", "blob: ftp: ws: http: https:"},
1305 {"* 'self'", "ftp: ws: http: https:"},
1306 {"https: 'self'", "https: https://example.test"},
1307 {"https://b.com/bar/", "https://b.com/bar/"},
1308 {"'self' http://a.com/foo/ https://b.com/bar/",
1309 "http://a.com/foo/ https://b.com/bar/ https://example.test"},
1310 {"http://a.com/foo/ https://b.com/bar/ 'self'",
1311 "http://a.com/foo/ https://b.com/bar/ https://example.test"},
1312 };
1313
1314 for (const auto& test : cases) {
1315 SourceListDirective list("script-src", test.sources, csp.get());
1316 HeapVector<Member<CSPSource>> normalized =
1317 list.getSources(csp.get()->getSelfSource());
1318
1319 SourceListDirective expectedList("script-src", test.expected, csp.get());
1320 HeapVector<Member<CSPSource>> expected = expectedList.m_list;
1321 EXPECT_EQ(normalized.size(), expected.size());
1322 for (size_t i = 0; i < expected.size(); i++) {
1323 Source a = {expected[i]->m_scheme, expected[i]->m_host,
1324 expected[i]->m_port, expected[i]->m_path,
1325 expected[i]->m_hostWildcard, expected[i]->m_portWildcard};
1326 Source b = {normalized[i]->m_scheme, normalized[i]->m_host,
1327 normalized[i]->m_port, normalized[i]->m_path,
1328 normalized[i]->m_hostWildcard, normalized[i]->m_portWildcard};
1329 EXPECT_TRUE(equalSources(a, b));
1330 }
1331 }
1332 }
1333
1226 } // namespace blink 1334 } // namespace blink
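Review bot: The size check in the new GetSources test (new line 1321) is a non-fatal `EXPECT_EQ(normalized.size(), expected.size());`, so if `getSources()` returns fewer entries than expected, the loop below still indexes `normalized[i]` up to `expected.size()`. That reads out of range, or trips the container's bounds check, instead of reporting a clean failure. Changing it to `ASSERT_EQ(normalized.size(), expected.size());` stops the test before the element-wise comparison. Both table-driven loops in this section would also be easier to diagnose with the input attached to the expectation, e.g. `EXPECT_EQ(A.subsumes(vectorB), test.expected) << test.sourcesA;`, because a failure currently does not say which case produced it.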