| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/ContentSecurityPolicy.h" | 7 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 8 #include "core/frame/csp/SourceListDirective.h" | 8 #include "core/frame/csp/SourceListDirective.h" |
| 9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
| 10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
| (...skipping 138 matching lines...) |
| 149 "https://example.com/script/script.js", true}, | 149 "https://example.com/script/script.js", true}, |
| 150 {"default-src https://example.com", "https://not.example.com/script.js", | 150 {"default-src https://example.com", "https://not.example.com/script.js", |
| 151 false}, | 151 false}, |
| 152 {"default-src https://*.example.com", "https://not.example.com/script.js", | 152 {"default-src https://*.example.com", "https://not.example.com/script.js", |
| 153 true}, | 153 true}, |
| 154 {"default-src https://*.example.com", "https://example.com/script.js", | 154 {"default-src https://*.example.com", "https://example.com/script.js", |
| 155 false}, | 155 false}, |
| 156 }; | 156 }; |
| 157 | 157 |
| 158 for (const auto& test : cases) { | 158 for (const auto& test : cases) { |
| 159 SCOPED_TRACE(testing::Message() << "List: `" << test.list << "`, URL: `" | 159 SCOPED_TRACE(testing::Message() |
| 160 << test.url << "`"); | 160 << "List: `" << test.list << "`, URL: `" << test.url << "`"); |
| 161 KURL scriptSrc = KURL(KURL(), test.url); | 161 KURL scriptSrc = KURL(KURL(), test.url); |
| 162 | 162 |
| 163 // Report-only | 163 // Report-only |
| 164 Member<CSPDirectiveList> directiveList = | 164 Member<CSPDirectiveList> directiveList = |
| 165 createList(test.list, ContentSecurityPolicyHeaderTypeReport); | 165 createList(test.list, ContentSecurityPolicyHeaderTypeReport); |
| 166 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 166 EXPECT_EQ(test.expected, |
| 167 scriptSrc, String(), ParserInserted, | 167 directiveList->allowScriptFromSource( |
| 168 ResourceRequest::RedirectStatus::NoRedirect, | 168 scriptSrc, String(), ParserInserted, |
| 169 ContentSecurityPolicy::SuppressReport)); | 169 ResourceRequest::RedirectStatus::NoRedirect, |
| 170 ContentSecurityPolicy::SuppressReport)); |
| 170 | 171 |
| 171 // Enforce | 172 // Enforce |
| 172 directiveList = | 173 directiveList = |
| 173 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); | 174 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); |
| 174 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 175 EXPECT_EQ(test.expected, |
| 175 scriptSrc, String(), ParserInserted, | 176 directiveList->allowScriptFromSource( |
| 176 ResourceRequest::RedirectStatus::NoRedirect, | 177 scriptSrc, String(), ParserInserted, |
| 177 ContentSecurityPolicy::SuppressReport)); | 178 ResourceRequest::RedirectStatus::NoRedirect, |
| 179 ContentSecurityPolicy::SuppressReport)); |
| 178 } | 180 } |
| 179 } | 181 } |
| 180 | 182 |
| 181 TEST_F(CSPDirectiveListTest, AllowFromSourceWithNonce) { | 183 TEST_F(CSPDirectiveListTest, AllowFromSourceWithNonce) { |
| 182 struct TestCase { | 184 struct TestCase { |
| 183 const char* list; | 185 const char* list; |
| 184 const char* url; | 186 const char* url; |
| 185 const char* nonce; | 187 const char* nonce; |
| 186 bool expected; | 188 bool expected; |
| 187 } cases[] = { | 189 } cases[] = { |
| (...skipping 15 matching lines...) |
| 203 // Does affect URLs that don't. | 205 // Does affect URLs that don't. |
| 204 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "yay", | 206 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "yay", |
| 205 true}, | 207 true}, |
| 206 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "boo", | 208 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "boo", |
| 207 false}, | 209 false}, |
| 208 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "", | 210 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "", |
| 209 false}, | 211 false}, |
| 210 }; | 212 }; |
| 211 | 213 |
| 212 for (const auto& test : cases) { | 214 for (const auto& test : cases) { |
| 213 SCOPED_TRACE(testing::Message() << "List: `" << test.list << "`, URL: `" | 215 SCOPED_TRACE(testing::Message() |
| 214 << test.url << "`"); | 216 << "List: `" << test.list << "`, URL: `" << test.url << "`"); |
| 215 KURL resource = KURL(KURL(), test.url); | 217 KURL resource = KURL(KURL(), test.url); |
| 216 | 218 |
| 217 // Report-only 'script-src' | 219 // Report-only 'script-src' |
| 218 Member<CSPDirectiveList> directiveList = | 220 Member<CSPDirectiveList> directiveList = |
| 219 createList(String("script-src ") + test.list, | 221 createList(String("script-src ") + test.list, |
| 220 ContentSecurityPolicyHeaderTypeReport); | 222 ContentSecurityPolicyHeaderTypeReport); |
| 221 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 223 EXPECT_EQ(test.expected, |
| 222 resource, String(test.nonce), ParserInserted, | 224 directiveList->allowScriptFromSource( |
| 223 ResourceRequest::RedirectStatus::NoRedirect, | 225 resource, String(test.nonce), ParserInserted, |
| 224 ContentSecurityPolicy::SuppressReport)); | 226 ResourceRequest::RedirectStatus::NoRedirect, |
| 227 ContentSecurityPolicy::SuppressReport)); |
| 225 | 228 |
| 226 // Enforce 'script-src' | 229 // Enforce 'script-src' |
| 227 directiveList = createList(String("script-src ") + test.list, | 230 directiveList = createList(String("script-src ") + test.list, |
| 228 ContentSecurityPolicyHeaderTypeEnforce); | 231 ContentSecurityPolicyHeaderTypeEnforce); |
| 229 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 232 EXPECT_EQ(test.expected, |
| 230 resource, String(test.nonce), ParserInserted, | 233 directiveList->allowScriptFromSource( |
| 231 ResourceRequest::RedirectStatus::NoRedirect, | 234 resource, String(test.nonce), ParserInserted, |
| 232 ContentSecurityPolicy::SuppressReport)); | 235 ResourceRequest::RedirectStatus::NoRedirect, |
| 236 ContentSecurityPolicy::SuppressReport)); |
| 233 | 237 |
| 234 // Report-only 'style-src' | 238 // Report-only 'style-src' |
| 235 directiveList = createList(String("style-src ") + test.list, | 239 directiveList = createList(String("style-src ") + test.list, |
| 236 ContentSecurityPolicyHeaderTypeReport); | 240 ContentSecurityPolicyHeaderTypeReport); |
| 237 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource( | 241 EXPECT_EQ(test.expected, |
| 238 resource, String(test.nonce), | 242 directiveList->allowStyleFromSource( |
| 239 ResourceRequest::RedirectStatus::NoRedirect, | 243 resource, String(test.nonce), |
| 240 ContentSecurityPolicy::SuppressReport)); | 244 ResourceRequest::RedirectStatus::NoRedirect, |
| 245 ContentSecurityPolicy::SuppressReport)); |
| 241 | 246 |
| 242 // Enforce 'style-src' | 247 // Enforce 'style-src' |
| 243 directiveList = createList(String("style-src ") + test.list, | 248 directiveList = createList(String("style-src ") + test.list, |
| 244 ContentSecurityPolicyHeaderTypeEnforce); | 249 ContentSecurityPolicyHeaderTypeEnforce); |
| 245 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource( | 250 EXPECT_EQ(test.expected, |
| 246 resource, String(test.nonce), | 251 directiveList->allowStyleFromSource( |
| 247 ResourceRequest::RedirectStatus::NoRedirect, | 252 resource, String(test.nonce), |
| 248 ContentSecurityPolicy::SuppressReport)); | 253 ResourceRequest::RedirectStatus::NoRedirect, |
| 254 ContentSecurityPolicy::SuppressReport)); |
| 249 | 255 |
| 250 // Report-only 'style-src' | 256 // Report-only 'style-src' |
| 251 directiveList = createList(String("default-src ") + test.list, | 257 directiveList = createList(String("default-src ") + test.list, |
| 252 ContentSecurityPolicyHeaderTypeReport); | 258 ContentSecurityPolicyHeaderTypeReport); |
| 253 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 259 EXPECT_EQ(test.expected, |
| 254 resource, String(test.nonce), ParserInserted, | 260 directiveList->allowScriptFromSource( |
| 255 ResourceRequest::RedirectStatus::NoRedirect, | 261 resource, String(test.nonce), ParserInserted, |
| 256 ContentSecurityPolicy::SuppressReport)); | 262 ResourceRequest::RedirectStatus::NoRedirect, |
| 257 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource( | 263 ContentSecurityPolicy::SuppressReport)); |
| 258 resource, String(test.nonce), | 264 EXPECT_EQ(test.expected, |
| 259 ResourceRequest::RedirectStatus::NoRedirect, | 265 directiveList->allowStyleFromSource( |
| 260 ContentSecurityPolicy::SuppressReport)); | 266 resource, String(test.nonce), |
| 267 ResourceRequest::RedirectStatus::NoRedirect, |
| 268 ContentSecurityPolicy::SuppressReport)); |
| 261 | 269 |
| 262 // Enforce 'style-src' | 270 // Enforce 'style-src' |
| 263 directiveList = createList(String("default-src ") + test.list, | 271 directiveList = createList(String("default-src ") + test.list, |
| 264 ContentSecurityPolicyHeaderTypeEnforce); | 272 ContentSecurityPolicyHeaderTypeEnforce); |
| 265 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 273 EXPECT_EQ(test.expected, |
| 266 resource, String(test.nonce), ParserInserted, | 274 directiveList->allowScriptFromSource( |
| 267 ResourceRequest::RedirectStatus::NoRedirect, | 275 resource, String(test.nonce), ParserInserted, |
| 268 ContentSecurityPolicy::SuppressReport)); | 276 ResourceRequest::RedirectStatus::NoRedirect, |
| 269 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource( | 277 ContentSecurityPolicy::SuppressReport)); |
| 270 resource, String(test.nonce), | 278 EXPECT_EQ(test.expected, |
| 271 ResourceRequest::RedirectStatus::NoRedirect, | 279 directiveList->allowStyleFromSource( |
| 272 ContentSecurityPolicy::SuppressReport)); | 280 resource, String(test.nonce), |
| 281 ResourceRequest::RedirectStatus::NoRedirect, |
| 282 ContentSecurityPolicy::SuppressReport)); |
| 273 } | 283 } |
| 274 } | 284 } |
| 275 | 285 |
| 276 TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity) { | 286 TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity) { |
| 277 struct TestCase { | 287 struct TestCase { |
| 278 const char* list; | 288 const char* list; |
| 279 const char* url; | 289 const char* url; |
| 280 const WebURLRequest::RequestContext context; | 290 const WebURLRequest::RequestContext context; |
| 281 bool expected; | 291 bool expected; |
| 282 } cases[] = { | 292 } cases[] = { |
| (...skipping 91 matching lines...) |
| 374 WebURLRequest::RequestContextScript, false}, | 384 WebURLRequest::RequestContextScript, false}, |
| 375 {"require-sri-for a script b", "https://example.com/file", | 385 {"require-sri-for a script b", "https://example.com/file", |
| 376 WebURLRequest::RequestContextScript, false}, | 386 WebURLRequest::RequestContextScript, false}, |
| 377 }; | 387 }; |
| 378 | 388 |
| 379 for (const auto& test : cases) { | 389 for (const auto& test : cases) { |
| 380 KURL resource = KURL(KURL(), test.url); | 390 KURL resource = KURL(KURL(), test.url); |
| 381 // Report-only | 391 // Report-only |
| 382 Member<CSPDirectiveList> directiveList = | 392 Member<CSPDirectiveList> directiveList = |
| 383 createList(test.list, ContentSecurityPolicyHeaderTypeReport); | 393 createList(test.list, ContentSecurityPolicyHeaderTypeReport); |
| 384 EXPECT_EQ(true, directiveList->allowRequestWithoutIntegrity( | 394 EXPECT_EQ( |
| 385 test.context, resource, | 395 true, |
| 386 ResourceRequest::RedirectStatus::NoRedirect, | 396 directiveList->allowRequestWithoutIntegrity( |
| 387 ContentSecurityPolicy::SuppressReport)); | 397 test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, |
| 398 ContentSecurityPolicy::SuppressReport)); |
| 388 | 399 |
| 389 // Enforce | 400 // Enforce |
| 390 directiveList = | 401 directiveList = |
| 391 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); | 402 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); |
| 392 EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity( | 403 EXPECT_EQ( |
| 393 test.context, resource, | 404 test.expected, |
| 394 ResourceRequest::RedirectStatus::NoRedirect, | 405 directiveList->allowRequestWithoutIntegrity( |
| 395 ContentSecurityPolicy::SuppressReport)); | 406 test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, |
| 407 ContentSecurityPolicy::SuppressReport)); |
| 396 } | 408 } |
| 397 } | 409 } |
| 398 | 410 |
| 399 TEST_F(CSPDirectiveListTest, workerSrc) { | 411 TEST_F(CSPDirectiveListTest, workerSrc) { |
| 400 struct TestCase { | 412 struct TestCase { |
| 401 const char* list; | 413 const char* list; |
| 402 bool allowed; | 414 bool allowed; |
| 403 } cases[] = { | 415 } cases[] = { |
| 404 {"worker-src 'none'", false}, | 416 {"worker-src 'none'", false}, |
| 405 {"worker-src http://not.example.test", false}, | 417 {"worker-src http://not.example.test", false}, |
| (...skipping 535 matching lines...) |
| 941 CSPDirectiveList::getSourceVector(test.directive, policyVector).size(), | 953 CSPDirectiveList::getSourceVector(test.directive, policyVector).size(), |
| 942 udpatedTotal); | 954 udpatedTotal); |
| 943 EXPECT_EQ(CSPDirectiveList::getSourceVector( | 955 EXPECT_EQ(CSPDirectiveList::getSourceVector( |
| 944 ContentSecurityPolicy::DirectiveType::ChildSrc, policyVector) | 956 ContentSecurityPolicy::DirectiveType::ChildSrc, policyVector) |
| 945 .size(), | 957 .size(), |
| 946 expectedChildSrc); | 958 expectedChildSrc); |
| 947 } | 959 } |
| 948 } | 960 } |
| 949 | 961 |
| 950 } // namespace blink | 962 } // namespace blink |
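Review bot: The comments at new lines 256 and 270 still read `// Report-only 'style-src'` and `// Enforce 'style-src'`, but the blocks they label build a `"default-src "` policy and assert both allowScriptFromSource and allowStyleFromSource against it, so the labels name the wrong directive; they should read `// Report-only 'default-src'` and `// Enforce 'default-src'`, matching the genuine style-src blocks at new lines 238 and 247. Since the reflow already touches the EXPECT_EQ lines directly under those comments, this is the moment to correct them. The identifier `udpatedTotal` at new line 954 is a typo worth fixing in the same pass, though its declaration lies outside the visible section. Everything else in the section is a clang-format style reflow with no behaviour change.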
| OLD | NEW |