OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <title>Embedded Enforcement: Subsumption Algorithm - Hashes.</title> |
| 5 <script src="/resources/testharness.js"></script> |
| 6 <script src="/resources/testharnessreport.js"></script> |
| 7 <script src="support/testharness-helper.sub.js"></script> |
| 8 </head> |
| 9 <body> |
| 10 <script> |
| 11 var tests = [ |
| 12 { "name": "'sha256-abc123' is properly subsumed.", |
| 13 "required_csp": "style-src 'sha256-abc123'", |
| 14 "returned_csp_1": "style-src 'sha256-abc123'", |
| 15 "expected": IframeLoad.EXPECT_LOAD }, |
| 16 { "name": "Returned should not include hashes not present in required csp.
", |
| 17 "required_csp": "style-src http://example.com", |
| 18 "returned_csp_1": "style-src 'sha256-abc123'", |
| 19 "expected": IframeLoad.EXPECT_BLOCK }, |
| 20 { "name": "'sha256-abc123' is properly subsumed with other sources.", |
| 21 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashe
d-attributes' 'strict-dynamic' 'sha256-abc123'", |
| 22 "returned_csp_1": "style-src http://example1.com/foo/bar.html 'sha256-ab
c123'", |
| 23 "expected": IframeLoad.EXPECT_LOAD }, |
| 24 { "name": "Hashes do not have to be present in returned csp.", |
| 25 "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc12
3'", |
| 26 "returned_csp_1": "style-src http://example1.com/foo/", |
| 27 "expected": IframeLoad.EXPECT_LOAD }, |
| 28 { "name": "Hashes do not have to be present in returned csp but must not a
llow all inline behavior.", |
| 29 "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc12
3'", |
| 30 "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'", |
| 31 "expected": IframeLoad.EXPECT_BLOCK }, |
| 32 { "name": "Other expressions have to be subsumed.", |
| 33 "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc12
3'", |
| 34 "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'sha
256-abc123'", |
| 35 "expected": IframeLoad.EXPECT_BLOCK }, |
| 36 { "name": "Other expressions have to be subsumed but 'unsafe-inline' gets
ignored.", |
| 37 "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc12
3'", |
| 38 "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 's
ha256-abc123'", |
| 39 "expected": IframeLoad.EXPECT_LOAD }, |
| 40 { "name": "Effective policy is properly found.", |
| 41 "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc1
23'", |
| 42 "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-hashed-att
ributes' 'sha256-abc123'", |
| 43 "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'sha256-abc
123'", |
| 44 "expected": IframeLoad.EXPECT_LOAD }, |
| 45 { "name": "Required csp must allow 'sha256-abc123'.", |
| 46 "required_csp": "style-src http://example1.com/foo/ 'self'", |
| 47 "returned_csp_1": "style-src http://example1.com/foo/ 'self' 'sha256-ab
c123'", |
| 48 "expected": IframeLoad.EXPECT_BLOCK }, |
| 49 { "name": "Effective policy is properly found where 'sha256-abc123' is not
subsumed.", |
| 50 "required_csp": "style-src http://example1.com/foo/ 'self'", |
| 51 "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123'"
, |
| 52 "returned_csp_2": "style-src 'sha256-abc123' 'unsafe-inline'", |
| 53 "expected": IframeLoad.EXPECT_BLOCK }, |
| 54 { "name": "'sha256-abc123' is not subsumed by 'sha256-abc456'.", |
| 55 "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc45
6'", |
| 56 "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123'"
, |
| 57 "returned_csp_2": "style-src 'sha256-abc123' 'unsafe-inline'", |
| 58 "expected": IframeLoad.EXPECT_BLOCK }, |
| 59 { "name": "Effective policy now does not allow 'sha256-abc123'.", |
| 60 "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc45
6'", |
| 61 "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123'
'sha256-abc456'", |
| 62 "returned_csp_2": "style-src 'sha256-abc456' 'unsafe-inline'", |
| 63 "expected": IframeLoad.EXPECT_LOAD }, |
| 64 { "name": "Effective policy is properly found where 'sha256-abc123' is not
part of it.", |
| 65 "required_csp": "style-src http://example1.com/foo/ 'self'", |
| 66 "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'self'", |
| 67 "returned_csp_2": "style-src 'sha256-abc123' 'self'", |
| 68 "expected": IframeLoad.EXPECT_LOAD }, |
| 69 ]; |
| 70 tests.forEach(test => { |
| 71 async_test(t => { |
| 72 var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1
); |
| 73 if (test.returned_csp_2) |
| 74 url.searchParams.append("policy2", test.returned_csp_2); |
| 75 assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.na
me, null); |
| 76 }, test.name); |
| 77 }); |
| 78 </script> |
| 79 </body> |
| 80 </html> |
OLD | NEW |