OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/frame/csp/CSPDirectiveList.h" | 8 #include "core/frame/csp/CSPDirectiveList.h" |
9 #include "core/html/HTMLScriptElement.h" | 9 #include "core/html/HTMLScriptElement.h" |
10 #include "core/loader/DocumentLoader.h" | 10 #include "core/loader/DocumentLoader.h" |
48 } cases[] = {{"default-src 'none'", kLeaveInsecureRequestsAlone}, | 48 } cases[] = {{"default-src 'none'", kLeaveInsecureRequestsAlone}, |
49 {"upgrade-insecure-requests", kUpgradeInsecureRequests}, | 49 {"upgrade-insecure-requests", kUpgradeInsecureRequests}, |
50 {"block-all-mixed-content", kBlockAllMixedContent}, | 50 {"block-all-mixed-content", kBlockAllMixedContent}, |
51 {"upgrade-insecure-requests; block-all-mixed-content", | 51 {"upgrade-insecure-requests; block-all-mixed-content", |
52 kUpgradeInsecureRequests | kBlockAllMixedContent}, | 52 kUpgradeInsecureRequests | kBlockAllMixedContent}, |
53 {"upgrade-insecure-requests, block-all-mixed-content", | 53 {"upgrade-insecure-requests, block-all-mixed-content", |
54 kUpgradeInsecureRequests | kBlockAllMixedContent}}; | 54 kUpgradeInsecureRequests | kBlockAllMixedContent}}; |
55 | 55 |
56 // Enforced | 56 // Enforced |
57 for (const auto& test : cases) { | 57 for (const auto& test : cases) { |
58 SCOPED_TRACE(testing::Message() << "[Enforce] Header: `" << test.header | 58 SCOPED_TRACE(testing::Message() |
59 << "`"); | 59 << "[Enforce] Header: `" << test.header << "`"); |
60 csp = ContentSecurityPolicy::create(); | 60 csp = ContentSecurityPolicy::create(); |
61 csp->didReceiveHeader(test.header, ContentSecurityPolicyHeaderTypeEnforce, | 61 csp->didReceiveHeader(test.header, ContentSecurityPolicyHeaderTypeEnforce, |
62 ContentSecurityPolicyHeaderSourceHTTP); | 62 ContentSecurityPolicyHeaderSourceHTTP); |
63 EXPECT_EQ(test.expectedPolicy, csp->getInsecureRequestPolicy()); | 63 EXPECT_EQ(test.expectedPolicy, csp->getInsecureRequestPolicy()); |
64 | 64 |
65 document = Document::create(); | 65 document = Document::create(); |
66 document->setSecurityOrigin(secureOrigin); | 66 document->setSecurityOrigin(secureOrigin); |
67 document->setURL(secureURL); | 67 document->setURL(secureURL); |
68 csp->bindToExecutionContext(document.get()); | 68 csp->bindToExecutionContext(document.get()); |
69 EXPECT_EQ(test.expectedPolicy, document->getInsecureRequestPolicy()); | 69 EXPECT_EQ(test.expectedPolicy, document->getInsecureRequestPolicy()); |
70 bool expectUpgrade = test.expectedPolicy & kUpgradeInsecureRequests; | 70 bool expectUpgrade = test.expectedPolicy & kUpgradeInsecureRequests; |
71 EXPECT_EQ(expectUpgrade, document->insecureNavigationsToUpgrade()->contains( | 71 EXPECT_EQ(expectUpgrade, |
72 document->url().host().impl()->hash())); | 72 document->insecureNavigationsToUpgrade()->contains( |
| 73 document->url().host().impl()->hash())); |
73 } | 74 } |
74 | 75 |
75 // Report-Only | 76 // Report-Only |
76 for (const auto& test : cases) { | 77 for (const auto& test : cases) { |
77 SCOPED_TRACE(testing::Message() << "[Report-Only] Header: `" << test.header | 78 SCOPED_TRACE(testing::Message() |
78 << "`"); | 79 << "[Report-Only] Header: `" << test.header << "`"); |
79 csp = ContentSecurityPolicy::create(); | 80 csp = ContentSecurityPolicy::create(); |
80 csp->didReceiveHeader(test.header, ContentSecurityPolicyHeaderTypeReport, | 81 csp->didReceiveHeader(test.header, ContentSecurityPolicyHeaderTypeReport, |
81 ContentSecurityPolicyHeaderSourceHTTP); | 82 ContentSecurityPolicyHeaderSourceHTTP); |
82 EXPECT_EQ(kLeaveInsecureRequestsAlone, csp->getInsecureRequestPolicy()); | 83 EXPECT_EQ(kLeaveInsecureRequestsAlone, csp->getInsecureRequestPolicy()); |
83 | 84 |
84 document = Document::create(); | 85 document = Document::create(); |
85 document->setSecurityOrigin(secureOrigin); | 86 document->setSecurityOrigin(secureOrigin); |
86 csp->bindToExecutionContext(document.get()); | 87 csp->bindToExecutionContext(document.get()); |
87 EXPECT_EQ(kLeaveInsecureRequestsAlone, | 88 EXPECT_EQ(kLeaveInsecureRequestsAlone, |
88 document->getInsecureRequestPolicy()); | 89 document->getInsecureRequestPolicy()); |
640 {"script-src 'nonce-yay'", "https://example.com/js", "yay", true}, | 641 {"script-src 'nonce-yay'", "https://example.com/js", "yay", true}, |
641 {"script-src https://example.com", "https://example.com/js", "", true}, | 642 {"script-src https://example.com", "https://example.com/js", "", true}, |
642 {"script-src https://example.com", "https://example.com/js", "yay", true}, | 643 {"script-src https://example.com", "https://example.com/js", "yay", true}, |
643 {"script-src https://example.com 'nonce-yay'", | 644 {"script-src https://example.com 'nonce-yay'", |
644 "https://not.example.com/js", "", false}, | 645 "https://not.example.com/js", "", false}, |
645 {"script-src https://example.com 'nonce-yay'", | 646 {"script-src https://example.com 'nonce-yay'", |
646 "https://not.example.com/js", "yay", true}, | 647 "https://not.example.com/js", "yay", true}, |
647 }; | 648 }; |
648 | 649 |
649 for (const auto& test : cases) { | 650 for (const auto& test : cases) { |
650 SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy << "`, URL: `" | 651 SCOPED_TRACE(testing::Message() |
651 << test.url << "`, Nonce: `" << test.nonce | 652 << "Policy: `" << test.policy << "`, URL: `" << test.url |
652 << "`"); | 653 << "`, Nonce: `" << test.nonce << "`"); |
653 KURL resource = KURL(KURL(), test.url); | 654 KURL resource = KURL(KURL(), test.url); |
654 | 655 |
655 unsigned expectedReports = test.allowed ? 0u : 1u; | 656 unsigned expectedReports = test.allowed ? 0u : 1u; |
656 | 657 |
657 // Single enforce-mode policy should match `test.expected`: | 658 // Single enforce-mode policy should match `test.expected`: |
658 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); | 659 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); |
659 policy->bindToExecutionContext(document.get()); | 660 policy->bindToExecutionContext(document.get()); |
660 policy->didReceiveHeader(test.policy, | 661 policy->didReceiveHeader(test.policy, |
661 ContentSecurityPolicyHeaderTypeEnforce, | 662 ContentSecurityPolicyHeaderTypeEnforce, |
662 ContentSecurityPolicyHeaderSourceHTTP); | 663 ContentSecurityPolicyHeaderSourceHTTP); |
663 EXPECT_EQ(test.allowed, policy->allowScriptFromSource( | 664 EXPECT_EQ(test.allowed, |
664 resource, String(test.nonce), ParserInserted)); | 665 policy->allowScriptFromSource(resource, String(test.nonce), |
| 666 ParserInserted)); |
665 // If this is expected to generate a violation, we should have sent a | 667 // If this is expected to generate a violation, we should have sent a |
666 // report. | 668 // report. |
667 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); | 669 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); |
668 | 670 |
669 // Single report-mode policy should always be `true`: | 671 // Single report-mode policy should always be `true`: |
670 policy = ContentSecurityPolicy::create(); | 672 policy = ContentSecurityPolicy::create(); |
671 policy->bindToExecutionContext(document.get()); | 673 policy->bindToExecutionContext(document.get()); |
672 policy->didReceiveHeader(test.policy, ContentSecurityPolicyHeaderTypeReport, | 674 policy->didReceiveHeader(test.policy, ContentSecurityPolicyHeaderTypeReport, |
673 ContentSecurityPolicyHeaderSourceHTTP); | 675 ContentSecurityPolicyHeaderSourceHTTP); |
674 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce), | 676 EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce), |
806 | 808 |
807 // Enforce / Report | 809 // Enforce / Report |
808 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); | 810 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create(); |
809 policy->bindToExecutionContext(document.get()); | 811 policy->bindToExecutionContext(document.get()); |
810 policy->didReceiveHeader(test.policy1, | 812 policy->didReceiveHeader(test.policy1, |
811 ContentSecurityPolicyHeaderTypeEnforce, | 813 ContentSecurityPolicyHeaderTypeEnforce, |
812 ContentSecurityPolicyHeaderSourceHTTP); | 814 ContentSecurityPolicyHeaderSourceHTTP); |
813 policy->didReceiveHeader(test.policy2, | 815 policy->didReceiveHeader(test.policy2, |
814 ContentSecurityPolicyHeaderTypeReport, | 816 ContentSecurityPolicyHeaderTypeReport, |
815 ContentSecurityPolicyHeaderSourceHTTP); | 817 ContentSecurityPolicyHeaderSourceHTTP); |
816 EXPECT_EQ(test.allowed1, policy->allowScriptFromSource( | 818 EXPECT_EQ(test.allowed1, |
817 resource, String(test.nonce), ParserInserted)); | 819 policy->allowScriptFromSource(resource, String(test.nonce), |
| 820 ParserInserted)); |
818 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); | 821 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); |
819 | 822 |
820 // Report / Enforce | 823 // Report / Enforce |
821 policy = ContentSecurityPolicy::create(); | 824 policy = ContentSecurityPolicy::create(); |
822 policy->bindToExecutionContext(document.get()); | 825 policy->bindToExecutionContext(document.get()); |
823 policy->didReceiveHeader(test.policy1, | 826 policy->didReceiveHeader(test.policy1, |
824 ContentSecurityPolicyHeaderTypeReport, | 827 ContentSecurityPolicyHeaderTypeReport, |
825 ContentSecurityPolicyHeaderSourceHTTP); | 828 ContentSecurityPolicyHeaderSourceHTTP); |
826 policy->didReceiveHeader(test.policy2, | 829 policy->didReceiveHeader(test.policy2, |
827 ContentSecurityPolicyHeaderTypeEnforce, | 830 ContentSecurityPolicyHeaderTypeEnforce, |
828 ContentSecurityPolicyHeaderSourceHTTP); | 831 ContentSecurityPolicyHeaderSourceHTTP); |
829 EXPECT_EQ(test.allowed2, policy->allowScriptFromSource( | 832 EXPECT_EQ(test.allowed2, |
830 resource, String(test.nonce), ParserInserted)); | 833 policy->allowScriptFromSource(resource, String(test.nonce), |
| 834 ParserInserted)); |
831 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); | 835 EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size()); |
832 | 836 |
833 // Enforce / Enforce | 837 // Enforce / Enforce |
834 policy = ContentSecurityPolicy::create(); | 838 policy = ContentSecurityPolicy::create(); |
835 policy->bindToExecutionContext(document.get()); | 839 policy->bindToExecutionContext(document.get()); |
836 policy->didReceiveHeader(test.policy1, | 840 policy->didReceiveHeader(test.policy1, |
837 ContentSecurityPolicyHeaderTypeEnforce, | 841 ContentSecurityPolicyHeaderTypeEnforce, |
838 ContentSecurityPolicyHeaderSourceHTTP); | 842 ContentSecurityPolicyHeaderSourceHTTP); |
839 policy->didReceiveHeader(test.policy2, | 843 policy->didReceiveHeader(test.policy2, |
840 ContentSecurityPolicyHeaderTypeEnforce, | 844 ContentSecurityPolicyHeaderTypeEnforce, |
983 EXPECT_FALSE(csp->subsumes(*other)); | 987 EXPECT_FALSE(csp->subsumes(*other)); |
984 | 988 |
985 // `other` is stricter than `this`. | 989 // `other` is stricter than `this`. |
986 other->didReceiveHeader("default-src https://example.com;", | 990 other->didReceiveHeader("default-src https://example.com;", |
987 ContentSecurityPolicyHeaderTypeEnforce, | 991 ContentSecurityPolicyHeaderTypeEnforce, |
988 ContentSecurityPolicyHeaderSourceHTTP); | 992 ContentSecurityPolicyHeaderSourceHTTP); |
989 EXPECT_TRUE(csp->subsumes(*other)); | 993 EXPECT_TRUE(csp->subsumes(*other)); |
990 } | 994 } |
991 | 995 |
992 } // namespace blink | 996 } // namespace blink |