| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPSource.h" | 5 #include "core/frame/csp/CSPSource.h" |
| 6 | 6 |
| 7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 9 #include "platform/network/ResourceRequest.h" | 9 #include "platform/network/ResourceRequest.h" |
| 10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
| 98 KURL base; | 98 KURL base; |
| 99 CSPSource source(csp.get(), "http", "example.com", 8000, "/bar/", | 99 CSPSource source(csp.get(), "http", "example.com", 8000, "/bar/", |
| 100 CSPSource::NoWildcard, CSPSource::NoWildcard); | 100 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 101 | 101 |
| 102 EXPECT_TRUE( | 102 EXPECT_TRUE( |
| 103 source.matches(KURL(base, "http://example.com:8000/"), | 103 source.matches(KURL(base, "http://example.com:8000/"), |
| 104 ResourceRequest::RedirectStatus::FollowedRedirect)); | 104 ResourceRequest::RedirectStatus::FollowedRedirect)); |
| 105 EXPECT_TRUE( | 105 EXPECT_TRUE( |
| 106 source.matches(KURL(base, "http://example.com:8000/foo"), | 106 source.matches(KURL(base, "http://example.com:8000/foo"), |
| 107 ResourceRequest::RedirectStatus::FollowedRedirect)); | 107 ResourceRequest::RedirectStatus::FollowedRedirect)); |
| 108 EXPECT_TRUE( | 108 // Should not allow upgrade of port or scheme without upgrading both |
| 109 EXPECT_FALSE( |
| 109 source.matches(KURL(base, "https://example.com:8000/foo"), | 110 source.matches(KURL(base, "https://example.com:8000/foo"), |
| 110 ResourceRequest::RedirectStatus::FollowedRedirect)); | 111 ResourceRequest::RedirectStatus::FollowedRedirect)); |
| 111 | |
| 112 EXPECT_FALSE( | 112 EXPECT_FALSE( |
| 113 source.matches(KURL(base, "http://not-example.com:8000/foo"), | 113 source.matches(KURL(base, "http://not-example.com:8000/foo"), |
| 114 ResourceRequest::RedirectStatus::FollowedRedirect)); | 114 ResourceRequest::RedirectStatus::FollowedRedirect)); |
| 115 EXPECT_FALSE(source.matches(KURL(base, "http://example.com:9000/foo/"), | 115 EXPECT_FALSE(source.matches(KURL(base, "http://example.com:9000/foo/"), |
| 116 ResourceRequest::RedirectStatus::NoRedirect)); | 116 ResourceRequest::RedirectStatus::NoRedirect)); |
| 117 } | 117 } |
| 118 | 118 |
| 119 TEST_F(CSPSourceTest, InsecureSchemeMatchesSecureScheme) { | 119 TEST_F(CSPSourceTest, InsecureSchemeMatchesSecureScheme) { |
| 120 KURL base; | 120 KURL base; |
| 121 CSPSource source(csp.get(), "http", "", 0, "/", CSPSource::NoWildcard, | 121 CSPSource source(csp.get(), "http", "", 0, "/", CSPSource::NoWildcard, |
| 122 CSPSource::HasWildcard); | 122 CSPSource::HasWildcard); |
| 123 | 123 |
| 124 EXPECT_TRUE(source.matches(KURL(base, "http://example.com:8000/"))); | 124 EXPECT_TRUE(source.matches(KURL(base, "http://example.com:8000/"))); |
| 125 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:8000/"))); | 125 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:8000/"))); |
| 126 EXPECT_TRUE(source.matches(KURL(base, "http://not-example.com:8000/"))); | 126 EXPECT_TRUE(source.matches(KURL(base, "http://not-example.com:8000/"))); |
| 127 EXPECT_TRUE(source.matches(KURL(base, "https://not-example.com:8000/"))); | 127 EXPECT_TRUE(source.matches(KURL(base, "https://not-example.com:8000/"))); |
| 128 EXPECT_FALSE(source.matches(KURL(base, "ftp://example.com:8000/"))); | 128 EXPECT_FALSE(source.matches(KURL(base, "ftp://example.com:8000/"))); |
| 129 } | 129 } |
| 130 | 130 |
| 131 TEST_F(CSPSourceTest, InsecureHostSchemeMatchesSecureScheme) { | 131 TEST_F(CSPSourceTest, InsecureHostSchemeMatchesSecureScheme) { |
| 132 KURL base; | 132 KURL base; |
| 133 CSPSource source(csp.get(), "http", "example.com", 0, "/", | 133 CSPSource source(csp.get(), "http", "example.com", 0, "/", |
| 134 CSPSource::NoWildcard, CSPSource::HasWildcard); | 134 CSPSource::NoWildcard, CSPSource::HasWildcard); |
| 135 | 135 |
| 136 EXPECT_TRUE(source.matches(KURL(base, "http://example.com:8000/"))); | 136 EXPECT_TRUE(source.matches(KURL(base, "http://example.com:8000/"))); |
| 137 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:8000/"))); | 137 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:8000/"))); |
| 138 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:8000/"))); | 138 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8000/"))); |
| 139 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:8000/"))); | 139 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:8000/"))); |
| 140 } | 140 } |
| 141 | 141 |
| 142 TEST_F(CSPSourceTest, SchemeIsEmpty) { | 142 TEST_F(CSPSourceTest, SchemeIsEmpty) { |
| 143 KURL base; | 143 KURL base; |
| 144 | 144 |
| 145 // Self scheme is http. | 145 // Self scheme is http. |
| 146 { | 146 { |
| 147 Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create()); | 147 Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create()); |
| 148 csp->setupSelf(*SecurityOrigin::createFromString("http://a.com/")); | 148 csp->setupSelf(*SecurityOrigin::createFromString("http://a.com/")); |
| 198 | 198 |
| 199 TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort) { | 199 TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort) { |
| 200 KURL base; | 200 KURL base; |
| 201 | 201 |
| 202 // source scheme is "http" | 202 // source scheme is "http" |
| 203 { | 203 { |
| 204 CSPSource source(csp.get(), "http", "example.com", 80, "/", | 204 CSPSource source(csp.get(), "http", "example.com", 80, "/", |
| 205 CSPSource::NoWildcard, CSPSource::NoWildcard); | 205 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 206 EXPECT_TRUE(source.matches(KURL(base, "http://example.com/"))); | 206 EXPECT_TRUE(source.matches(KURL(base, "http://example.com/"))); |
| 207 EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80/"))); | 207 EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80/"))); |
| 208 // TODO(mkwst, arthursonzogni): It is weird to upgrade the port without the | 208 |
| 209 // sheme. See http://crbug.com/692499 | 209 // Should not allow scheme upgrades unless both port and scheme are upgraded |
| 210 EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443/"))); | 210 EXPECT_FALSE(source.matches(KURL(base, "http://example.com:443/"))); |
| 211 EXPECT_TRUE(source.matches(KURL(base, "https://example.com/"))); | 211 EXPECT_TRUE(source.matches(KURL(base, "https://example.com/"))); |
| 212 // TODO(mkwst, arthursonzogni): It is weird to upgrade the scheme without | 212 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:80/"))); |
| 213 // the port. See http://crbug.com/692499 | 213 |
| 214 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:80/"))); | |
| 215 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/"))); | 214 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/"))); |
| 216 | 215 |
| 217 EXPECT_FALSE(source.matches(KURL(base, "http://example.com:8443/"))); | 216 EXPECT_FALSE(source.matches(KURL(base, "http://example.com:8443/"))); |
| 218 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/"))); | 217 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/"))); |
| 219 | 218 |
| 220 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/"))); | 219 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/"))); |
| 221 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/"))); | 220 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/"))); |
| 222 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/"))); | 221 EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/"))); |
| 223 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/"))); | 222 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/"))); |
| 224 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/"))); | 223 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/"))); |
| 225 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/"))); | 224 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/"))); |
| 226 } | 225 } |
| 227 | 226 |
| 228 // source scheme is empty | 227 // source scheme is empty |
| 229 { | 228 { |
| 230 Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create()); | 229 Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create()); |
| 231 csp->setupSelf(*SecurityOrigin::createFromString("http://example.com")); | 230 csp->setupSelf(*SecurityOrigin::createFromString("http://example.com")); |
| 232 CSPSource source(csp.get(), "", "example.com", 80, "/", | 231 CSPSource source(csp.get(), "", "example.com", 80, "/", |
| 233 CSPSource::NoWildcard, CSPSource::NoWildcard); | 232 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 234 EXPECT_TRUE(source.matches(KURL(base, "http://example.com/"))); | 233 EXPECT_TRUE(source.matches(KURL(base, "http://example.com/"))); |
| 235 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443"))); | 234 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443"))); |
| 236 // TODO(mkwst, arthursonzogni): It is weird to upgrade the port without the | 235 // Should not allow upgrade of port or scheme without upgrading both |
| 237 // sheme. See http://crbug.com/692499 | 236 EXPECT_FALSE(source.matches(KURL(base, "http://example.com:443"))); |
| 238 EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443"))); | 237 } |
| 238 |
| 239 // source port is empty |
| 240 { |
| 241 CSPSource source(csp.get(), "http", "example.com", 0, "/", |
| 242 CSPSource::NoWildcard, CSPSource::NoWildcard); |
| 243 |
| 244 EXPECT_TRUE(source.matches(KURL(base, "http://example.com"))); |
| 245 EXPECT_TRUE(source.matches(KURL(base, "https://example.com"))); |
| 246 EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443"))); |
| 247 // Should not allow upgrade of port or scheme without upgrading both |
| 248 EXPECT_FALSE(source.matches(KURL(base, "https://example.com:80"))); |
| 249 EXPECT_FALSE(source.matches(KURL(base, "http://example.com:443"))); |
| 239 } | 250 } |
| 240 } | 251 } |
| 241 | 252 |
| 242 TEST_F(CSPSourceTest, HostMatches) { | 253 TEST_F(CSPSourceTest, HostMatches) { |
| 243 KURL base; | 254 KURL base; |
| 244 Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create()); | 255 Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create()); |
| 245 csp->setupSelf(*SecurityOrigin::createFromString("http://a.com")); | 256 csp->setupSelf(*SecurityOrigin::createFromString("http://a.com")); |
| 246 | 257 |
| 247 // Host is * (source-expression = "http://*") | 258 // Host is * (source-expression = "http://*") |
| 248 { | 259 { |
| 898 normalized = B->intersect(A); | 909 normalized = B->intersect(A); |
| 899 Source intersectBA = { | 910 Source intersectBA = { |
| 900 normalized->m_scheme, normalized->m_host, | 911 normalized->m_scheme, normalized->m_host, |
| 901 normalized->m_path, normalized->m_port, | 912 normalized->m_path, normalized->m_port, |
| 902 normalized->m_hostWildcard, normalized->m_portWildcard}; | 913 normalized->m_hostWildcard, normalized->m_portWildcard}; |
| 903 EXPECT_TRUE(equalSources(intersectBA, test.normalized)); | 914 EXPECT_TRUE(equalSources(intersectBA, test.normalized)); |
| 904 } | 915 } |
| 905 } | 916 } |
| 906 | 917 |
| 907 } // namespace blink | 918 } // namespace blink |
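Review bot: The flipped expectation at new line 138 in InsecureHostSchemeMatchesSecureScheme (`EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8000/")))`) carries no comment explaining why a source with a wildcard port (`HasWildcard` for the port, port 0) now rejects an https URL on the same host, and it is the only changed assertion in the file without one. It also appears to diverge from the unchanged InsecureSchemeMatchesSecureScheme just above, where the same scheme, port 0 and port wildcard still give `EXPECT_TRUE` for `https://example.com:8000/` with only the host missing; if that difference is intentional (scheme-only sources allowing the https upgrade while host sources require the port to be upgraded with the scheme), the test should say so, e.g. `// A wildcard port does not license a scheme upgrade: https requires the port to be upgraded too.` — and if it is not intentional, one of the two expectations looks wrong. The test name now asserts the opposite of what its body checks, so consider renaming it (for instance to InsecureHostSchemeDoesNotMatchSecureSchemeWithExplicitPort) or adding a sentence on the name's intent. The same "upgrade both or neither" rule is documented inline in the other hunks (new lines 108, 209, 235, 247), so only this one is flagged.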