third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp - Issue 2697853002: Content-Security-Policy: Backporting test of hostmatches in CSPSource.

Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp

Issue 2697853002: Content-Security-Policy: Backporting test of hostmatches in CSPSource. (Closed)

Patch Set: Created 3 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "core/frame/csp/CSPSource.h"	5 #include "core/frame/csp/CSPSource.h"

6	6

7 #include "core/dom/Document.h"	7 #include "core/dom/Document.h"

8 #include "core/frame/csp/ContentSecurityPolicy.h"	8 #include "core/frame/csp/ContentSecurityPolicy.h"

9 #include "platform/network/ResourceRequest.h"	9 #include "platform/network/ResourceRequest.h"

10 #include "platform/weborigin/KURL.h"	10 #include "platform/weborigin/KURL.h"

(...skipping 143 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
154 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/")));	154 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/")));

155	155

156 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/")));	156 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/")));

157 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/")));	157 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/")));

158 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/")));	158 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/")));

159 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/")));	159 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/")));

160 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/")));	160 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/")));

161 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/")));	161 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/")));

162 }	162 }

163	163

	164 TEST_F(CSPSourceTest, HostMatches) {

	165 KURL base;

	166 Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());

	167 csp->setupSelf(*SecurityOrigin::createFromString("http://a.com"));

	168

	169 // Host is * (source-expression = "http://*")

	170 {

	171 CSPSource source(csp.get(), "http", "", 0, "", CSPSource::HasWildcard,

	172 CSPSource::NoWildcard);

	173 EXPECT_TRUE(source.matches(KURL(base, "http://a.com")));

	174 EXPECT_TRUE(source.matches(KURL(base, "http://.")));

	175 }

	176

	177 // Host is *.foo.bar

	178 {

	179 CSPSource source(csp.get(), "", "foo.bar", 0, "", CSPSource::HasWildcard,

	180 CSPSource::NoWildcard);

	181 EXPECT_FALSE(source.matches(KURL(base, "http://a.com")));

	182 EXPECT_FALSE(source.matches(KURL(base, "http://bar")));

	183 EXPECT_FALSE(source.matches(KURL(base, "http://foo.bar")));

	184 EXPECT_FALSE(source.matches(KURL(base, "http://o.bar")));

	185 EXPECT_TRUE(source.matches(KURL(base, "http://*.foo.bar")));
	arthursonzogni 2017/02/14 14:16:30 It is strange to me(A wildcard in the host name), It is strange to me(A wildcard in the host name), but why not. Mike West 2017/02/15 06:43:49 This should match. It gets canonicalized to someth Show quoted text On 2017/02/14 at 14:16:30, arthursonzogni wrote: > It is strange to me(A wildcard in the host name), but why not. This should match. It gets canonicalized to something like `%2A.foo.bar`, which matches `foo.bar` with a host wildcard. arthursonzogni 2017/02/15 12:47:59 Acknowledged. Show quoted text On 2017/02/15 06:43:49, Mike West (sloooooow) wrote: > On 2017/02/14 at 14:16:30, arthursonzogni wrote: > > It is strange to me(A wildcard in the host name), but why not. > > This should match. It gets canonicalized to something like `%2A.foo.bar`, which > matches `foo.bar` with a host wildcard. Acknowledged.
	186 EXPECT_TRUE(source.matches(KURL(base, "http://sub.foo.bar")));

	187 EXPECT_TRUE(source.matches(KURL(base, "http://sub.sub.foo.bar")));

	188 EXPECT_TRUE(source.matches(KURL(base, "http://.foo.bar")));
	arthursonzogni 2017/02/14 14:16:30 You said it looks strange to you. What do you thin You said it looks strange to you. What do you think should be done? Mike West 2017/02/15 06:43:49 I did say that this looks strange. Please file a b Show quoted text On 2017/02/14 at 14:16:30, arthursonzogni wrote: > You said it looks strange to you. What do you think should be done? I did say that this looks strange. Please file a bug... I don't think it's a big deal, as we apparently transparently rewrite `.example.com` to `example.com` for navigations, but it's strange regardless. arthursonzogni 2017/02/15 12:47:59 Done. BUG=692505 Show quoted text On 2017/02/15 06:43:49, Mike West (sloooooow) wrote: > On 2017/02/14 at 14:16:30, arthursonzogni wrote: > > You said it looks strange to you. What do you think should be done? > > I did say that this looks strange. Please file a bug... I don't think it's a big > deal, as we apparently transparently rewrite `.example.com` to `example.com` for > navigations, but it's strange regardless. Done. BUG=692505
	189 }

	190

	191 // Host is exact.

	192 {

	193 CSPSource source(csp.get(), "", "foo.bar", 0, "", CSPSource::NoWildcard,

	194 CSPSource::NoWildcard);

	195 EXPECT_TRUE(source.matches(KURL(base, "http://foo.bar")));

	196 EXPECT_FALSE(source.matches(KURL(base, "http://sub.foo.bar")));

	197 EXPECT_FALSE(source.matches(KURL(base, "http://bar")));

	198 EXPECT_FALSE(source.matches(KURL(base, "http://.foo.bar")));
	arthursonzogni 2017/02/14 14:16:30 Same here. Same here. Mike West 2017/02/15 06:43:49 Ditto. Show quoted text On 2017/02/14 at 14:16:30, arthursonzogni wrote: > Same here. Ditto. arthursonzogni 2017/02/15 12:47:59 Done. Show quoted text On 2017/02/15 06:43:49, Mike West (sloooooow) wrote: > On 2017/02/14 at 14:16:30, arthursonzogni wrote: > > Same here. > > Ditto. Done.
	199 }

	200 }

	201

164 TEST_F(CSPSourceTest, DoesNotSubsume) {	202 TEST_F(CSPSourceTest, DoesNotSubsume) {

165 struct Source {	203 struct Source {

166 const char* scheme;	204 const char* scheme;

167 const char* host;	205 const char* host;

168 const char* path;	206 const char* path;

169 const int port;	207 const int port;

170 };	208 };

171 struct TestCase {	209 struct TestCase {

172 const Source a;	210 const Source a;

173 const Source b;	211 const Source b;

(...skipping 606 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
780 normalized = B->intersect(A);	818 normalized = B->intersect(A);

781 Source intersectBA = {	819 Source intersectBA = {

782 normalized->m_scheme, normalized->m_host,	820 normalized->m_scheme, normalized->m_host,

783 normalized->m_path, normalized->m_port,	821 normalized->m_path, normalized->m_port,

784 normalized->m_hostWildcard, normalized->m_portWildcard};	822 normalized->m_hostWildcard, normalized->m_portWildcard};

785 EXPECT_TRUE(equalSources(intersectBA, test.normalized));	823 EXPECT_TRUE(equalSources(intersectBA, test.normalized));

786 }	824 }

787 }	825 }

788	826

789 } // namespace blink	827 } // namespace blink

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »