1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "core/frame/csp/ContentSecurityPolicy.h" | 7 #include "core/frame/csp/ContentSecurityPolicy.h" |
8 #include "core/frame/csp/SourceListDirective.h" | 8 #include "core/frame/csp/SourceListDirective.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/network/ResourceRequest.h" | 10 #include "platform/network/ResourceRequest.h" |
149 "https://example.com/script/script.js", true}, | 149 "https://example.com/script/script.js", true}, |
150 {"default-src https://example.com", "https://not.example.com/script.js", | 150 {"default-src https://example.com", "https://not.example.com/script.js", |
151 false}, | 151 false}, |
152 {"default-src https://*.example.com", "https://not.example.com/script.js", | 152 {"default-src https://*.example.com", "https://not.example.com/script.js", |
153 true}, | 153 true}, |
154 {"default-src https://*.example.com", "https://example.com/script.js", | 154 {"default-src https://*.example.com", "https://example.com/script.js", |
155 false}, | 155 false}, |
156 }; | 156 }; |
157 | 157 |
158 for (const auto& test : cases) { | 158 for (const auto& test : cases) { |
159 SCOPED_TRACE(testing::Message() << "List: `" << test.list << "`, URL: `" | 159 SCOPED_TRACE(testing::Message() |
160 << test.url << "`"); | 160 << "List: `" << test.list << "`, URL: `" << test.url << "`"); |
161 KURL scriptSrc = KURL(KURL(), test.url); | 161 KURL scriptSrc = KURL(KURL(), test.url); |
162 | 162 |
163 // Report-only | 163 // Report-only |
164 Member<CSPDirectiveList> directiveList = | 164 Member<CSPDirectiveList> directiveList = |
165 createList(test.list, ContentSecurityPolicyHeaderTypeReport); | 165 createList(test.list, ContentSecurityPolicyHeaderTypeReport); |
166 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 166 EXPECT_EQ(test.expected, |
167 scriptSrc, String(), ParserInserted, | 167 directiveList->allowScriptFromSource( |
168 ResourceRequest::RedirectStatus::NoRedirect, | 168 scriptSrc, String(), ParserInserted, |
169 ContentSecurityPolicy::SuppressReport)); | 169 ResourceRequest::RedirectStatus::NoRedirect, |
| 170 ContentSecurityPolicy::SuppressReport)); |
170 | 171 |
171 // Enforce | 172 // Enforce |
172 directiveList = | 173 directiveList = |
173 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); | 174 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); |
174 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 175 EXPECT_EQ(test.expected, |
175 scriptSrc, String(), ParserInserted, | 176 directiveList->allowScriptFromSource( |
176 ResourceRequest::RedirectStatus::NoRedirect, | 177 scriptSrc, String(), ParserInserted, |
177 ContentSecurityPolicy::SuppressReport)); | 178 ResourceRequest::RedirectStatus::NoRedirect, |
| 179 ContentSecurityPolicy::SuppressReport)); |
178 } | 180 } |
179 } | 181 } |
180 | 182 |
181 TEST_F(CSPDirectiveListTest, AllowFromSourceWithNonce) { | 183 TEST_F(CSPDirectiveListTest, AllowFromSourceWithNonce) { |
182 struct TestCase { | 184 struct TestCase { |
183 const char* list; | 185 const char* list; |
184 const char* url; | 186 const char* url; |
185 const char* nonce; | 187 const char* nonce; |
186 bool expected; | 188 bool expected; |
187 } cases[] = { | 189 } cases[] = { |
203 // Does affect URLs that don't. | 205 // Does affect URLs that don't. |
204 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "yay", | 206 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "yay", |
205 true}, | 207 true}, |
206 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "boo", | 208 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "boo", |
207 false}, | 209 false}, |
208 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "", | 210 {"https://example.com 'nonce-yay'", "https://not.example.com/file", "", |
209 false}, | 211 false}, |
210 }; | 212 }; |
211 | 213 |
212 for (const auto& test : cases) { | 214 for (const auto& test : cases) { |
213 SCOPED_TRACE(testing::Message() << "List: `" << test.list << "`, URL: `" | 215 SCOPED_TRACE(testing::Message() |
214 << test.url << "`"); | 216 << "List: `" << test.list << "`, URL: `" << test.url << "`"); |
215 KURL resource = KURL(KURL(), test.url); | 217 KURL resource = KURL(KURL(), test.url); |
216 | 218 |
217 // Report-only 'script-src' | 219 // Report-only 'script-src' |
218 Member<CSPDirectiveList> directiveList = | 220 Member<CSPDirectiveList> directiveList = |
219 createList(String("script-src ") + test.list, | 221 createList(String("script-src ") + test.list, |
220 ContentSecurityPolicyHeaderTypeReport); | 222 ContentSecurityPolicyHeaderTypeReport); |
221 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 223 EXPECT_EQ(test.expected, |
222 resource, String(test.nonce), ParserInserted, | 224 directiveList->allowScriptFromSource( |
223 ResourceRequest::RedirectStatus::NoRedirect, | 225 resource, String(test.nonce), ParserInserted, |
224 ContentSecurityPolicy::SuppressReport)); | 226 ResourceRequest::RedirectStatus::NoRedirect, |
| 227 ContentSecurityPolicy::SuppressReport)); |
225 | 228 |
226 // Enforce 'script-src' | 229 // Enforce 'script-src' |
227 directiveList = createList(String("script-src ") + test.list, | 230 directiveList = createList(String("script-src ") + test.list, |
228 ContentSecurityPolicyHeaderTypeEnforce); | 231 ContentSecurityPolicyHeaderTypeEnforce); |
229 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 232 EXPECT_EQ(test.expected, |
230 resource, String(test.nonce), ParserInserted, | 233 directiveList->allowScriptFromSource( |
231 ResourceRequest::RedirectStatus::NoRedirect, | 234 resource, String(test.nonce), ParserInserted, |
232 ContentSecurityPolicy::SuppressReport)); | 235 ResourceRequest::RedirectStatus::NoRedirect, |
| 236 ContentSecurityPolicy::SuppressReport)); |
233 | 237 |
234 // Report-only 'style-src' | 238 // Report-only 'style-src' |
235 directiveList = createList(String("style-src ") + test.list, | 239 directiveList = createList(String("style-src ") + test.list, |
236 ContentSecurityPolicyHeaderTypeReport); | 240 ContentSecurityPolicyHeaderTypeReport); |
237 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource( | 241 EXPECT_EQ(test.expected, |
238 resource, String(test.nonce), | 242 directiveList->allowStyleFromSource( |
239 ResourceRequest::RedirectStatus::NoRedirect, | 243 resource, String(test.nonce), |
240 ContentSecurityPolicy::SuppressReport)); | 244 ResourceRequest::RedirectStatus::NoRedirect, |
| 245 ContentSecurityPolicy::SuppressReport)); |
241 | 246 |
242 // Enforce 'style-src' | 247 // Enforce 'style-src' |
243 directiveList = createList(String("style-src ") + test.list, | 248 directiveList = createList(String("style-src ") + test.list, |
244 ContentSecurityPolicyHeaderTypeEnforce); | 249 ContentSecurityPolicyHeaderTypeEnforce); |
245 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource( | 250 EXPECT_EQ(test.expected, |
246 resource, String(test.nonce), | 251 directiveList->allowStyleFromSource( |
247 ResourceRequest::RedirectStatus::NoRedirect, | 252 resource, String(test.nonce), |
248 ContentSecurityPolicy::SuppressReport)); | 253 ResourceRequest::RedirectStatus::NoRedirect, |
| 254 ContentSecurityPolicy::SuppressReport)); |
249 | 255 |
250 // Report-only 'style-src' | 256 // Report-only 'style-src' |
251 directiveList = createList(String("default-src ") + test.list, | 257 directiveList = createList(String("default-src ") + test.list, |
252 ContentSecurityPolicyHeaderTypeReport); | 258 ContentSecurityPolicyHeaderTypeReport); |
253 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 259 EXPECT_EQ(test.expected, |
254 resource, String(test.nonce), ParserInserted, | 260 directiveList->allowScriptFromSource( |
255 ResourceRequest::RedirectStatus::NoRedirect, | 261 resource, String(test.nonce), ParserInserted, |
256 ContentSecurityPolicy::SuppressReport)); | 262 ResourceRequest::RedirectStatus::NoRedirect, |
257 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource( | 263 ContentSecurityPolicy::SuppressReport)); |
258 resource, String(test.nonce), | 264 EXPECT_EQ(test.expected, |
259 ResourceRequest::RedirectStatus::NoRedirect, | 265 directiveList->allowStyleFromSource( |
260 ContentSecurityPolicy::SuppressReport)); | 266 resource, String(test.nonce), |
| 267 ResourceRequest::RedirectStatus::NoRedirect, |
| 268 ContentSecurityPolicy::SuppressReport)); |
261 | 269 |
262 // Enforce 'style-src' | 270 // Enforce 'style-src' |
263 directiveList = createList(String("default-src ") + test.list, | 271 directiveList = createList(String("default-src ") + test.list, |
264 ContentSecurityPolicyHeaderTypeEnforce); | 272 ContentSecurityPolicyHeaderTypeEnforce); |
265 EXPECT_EQ(test.expected, directiveList->allowScriptFromSource( | 273 EXPECT_EQ(test.expected, |
266 resource, String(test.nonce), ParserInserted, | 274 directiveList->allowScriptFromSource( |
267 ResourceRequest::RedirectStatus::NoRedirect, | 275 resource, String(test.nonce), ParserInserted, |
268 ContentSecurityPolicy::SuppressReport)); | 276 ResourceRequest::RedirectStatus::NoRedirect, |
269 EXPECT_EQ(test.expected, directiveList->allowStyleFromSource( | 277 ContentSecurityPolicy::SuppressReport)); |
270 resource, String(test.nonce), | 278 EXPECT_EQ(test.expected, |
271 ResourceRequest::RedirectStatus::NoRedirect, | 279 directiveList->allowStyleFromSource( |
272 ContentSecurityPolicy::SuppressReport)); | 280 resource, String(test.nonce), |
| 281 ResourceRequest::RedirectStatus::NoRedirect, |
| 282 ContentSecurityPolicy::SuppressReport)); |
273 } | 283 } |
274 } | 284 } |
275 | 285 |
276 TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity) { | 286 TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity) { |
277 struct TestCase { | 287 struct TestCase { |
278 const char* list; | 288 const char* list; |
279 const char* url; | 289 const char* url; |
280 const WebURLRequest::RequestContext context; | 290 const WebURLRequest::RequestContext context; |
281 bool expected; | 291 bool expected; |
282 } cases[] = { | 292 } cases[] = { |
374 WebURLRequest::RequestContextScript, false}, | 384 WebURLRequest::RequestContextScript, false}, |
375 {"require-sri-for a script b", "https://example.com/file", | 385 {"require-sri-for a script b", "https://example.com/file", |
376 WebURLRequest::RequestContextScript, false}, | 386 WebURLRequest::RequestContextScript, false}, |
377 }; | 387 }; |
378 | 388 |
379 for (const auto& test : cases) { | 389 for (const auto& test : cases) { |
380 KURL resource = KURL(KURL(), test.url); | 390 KURL resource = KURL(KURL(), test.url); |
381 // Report-only | 391 // Report-only |
382 Member<CSPDirectiveList> directiveList = | 392 Member<CSPDirectiveList> directiveList = |
383 createList(test.list, ContentSecurityPolicyHeaderTypeReport); | 393 createList(test.list, ContentSecurityPolicyHeaderTypeReport); |
384 EXPECT_EQ(true, directiveList->allowRequestWithoutIntegrity( | 394 EXPECT_EQ( |
385 test.context, resource, | 395 true, |
386 ResourceRequest::RedirectStatus::NoRedirect, | 396 directiveList->allowRequestWithoutIntegrity( |
387 ContentSecurityPolicy::SuppressReport)); | 397 test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, |
| 398 ContentSecurityPolicy::SuppressReport)); |
388 | 399 |
389 // Enforce | 400 // Enforce |
390 directiveList = | 401 directiveList = |
391 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); | 402 createList(test.list, ContentSecurityPolicyHeaderTypeEnforce); |
392 EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity( | 403 EXPECT_EQ( |
393 test.context, resource, | 404 test.expected, |
394 ResourceRequest::RedirectStatus::NoRedirect, | 405 directiveList->allowRequestWithoutIntegrity( |
395 ContentSecurityPolicy::SuppressReport)); | 406 test.context, resource, ResourceRequest::RedirectStatus::NoRedirect, |
| 407 ContentSecurityPolicy::SuppressReport)); |
396 } | 408 } |
397 } | 409 } |
398 | 410 |
399 TEST_F(CSPDirectiveListTest, workerSrc) { | 411 TEST_F(CSPDirectiveListTest, workerSrc) { |
400 struct TestCase { | 412 struct TestCase { |
401 const char* list; | 413 const char* list; |
402 bool allowed; | 414 bool allowed; |
403 } cases[] = { | 415 } cases[] = { |
404 {"worker-src 'none'", false}, | 416 {"worker-src 'none'", false}, |
405 {"worker-src http://not.example.test", false}, | 417 {"worker-src http://not.example.test", false}, |
941 CSPDirectiveList::getSourceVector(test.directive, policyVector).size(), | 953 CSPDirectiveList::getSourceVector(test.directive, policyVector).size(), |
942 udpatedTotal); | 954 udpatedTotal); |
943 EXPECT_EQ(CSPDirectiveList::getSourceVector( | 955 EXPECT_EQ(CSPDirectiveList::getSourceVector( |
944 ContentSecurityPolicy::DirectiveType::ChildSrc, policyVector) | 956 ContentSecurityPolicy::DirectiveType::ChildSrc, policyVector) |
945 .size(), | 957 .size(), |
946 expectedChildSrc); | 958 expectedChildSrc); |
947 } | 959 } |
948 } | 960 } |
949 | 961 |
950 } // namespace blink | 962 } // namespace blink |