Side by Side Diff: third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp

Issue 2790693002: Split CSP into pre- and post-upgrade checks (Closed)
Patch Set: revert accidental AbstractWorker change Created 3 years, 8 months ago
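--- a/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (c) 2015, Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above
@@ -462,20 +462,83 @@
 SetFrameOwnerBasedOnFrameType(test.frame_type, iframe,
 another_required_csp);
 ExpectSetEmbeddingCSPRequestHeader(
 test.to_request, test.frame_type,
 test.frame_type == WebURLRequest::kFrameTypeNested
 ? another_required_csp
 : g_null_atom);
 }
 }
 
+// Tests that CanFollowRedirect() checks both report-only and enforced CSP
+// headers.
+TEST_F(FrameFetchContextTest, RedirectChecksReportedAndEnforcedCSP) {
+ContentSecurityPolicy* policy = document->GetContentSecurityPolicy();
+policy->DidReceiveHeader("script-src https://foo.test",
+kContentSecurityPolicyHeaderTypeEnforce,
+kContentSecurityPolicyHeaderSourceHTTP);
+policy->DidReceiveHeader("script-src https://bar.test",
+kContentSecurityPolicyHeaderTypeReport,
+kContentSecurityPolicyHeaderSourceHTTP);
+KURL url(KURL(), "http://baz.test");
+ResourceRequest resource_request(url);
+resource_request.SetRequestContext(WebURLRequest::kRequestContextScript);
+EXPECT_EQ(
+ResourceRequestBlockedReason::CSP,
+fetch_context->CanFollowRedirect(
+Resource::kScript, resource_request, url, ResourceLoaderOptions(),
+SecurityViolationReportingPolicy::kReport,
+FetchParameters::kUseDefaultOriginRestrictionForType));
+EXPECT_EQ(2u, policy->violation_reports_sent_.size());
+}
+
+// Tests that AllowResponse() checks both report-only and enforced CSP headers.
+TEST_F(FrameFetchContextTest, AllowResponseChecksReportedAndEnforcedCSP) {
+ContentSecurityPolicy* policy = document->GetContentSecurityPolicy();
+policy->DidReceiveHeader("script-src https://foo.test",
+kContentSecurityPolicyHeaderTypeEnforce,
+kContentSecurityPolicyHeaderSourceHTTP);
+policy->DidReceiveHeader("script-src https://bar.test",
+kContentSecurityPolicyHeaderTypeReport,
+kContentSecurityPolicyHeaderSourceHTTP);
+KURL url(KURL(), "http://baz.test");
+ResourceRequest resource_request(url);
+resource_request.SetRequestContext(WebURLRequest::kRequestContextScript);
+EXPECT_EQ(ResourceRequestBlockedReason::CSP,
+fetch_context->AllowResponse(Resource::kScript, resource_request,
+url, ResourceLoaderOptions()));
+EXPECT_EQ(2u, policy->violation_reports_sent_.size());
+}
+
+// Tests that PopulateResourceRequest() checks report-only CSP headers, so that
+// any violations are reported before the request is modified.
+TEST_F(FrameFetchContextTest, PopulateResourceRequestChecksReportOnlyCSP) {
+ContentSecurityPolicy* policy = document->GetContentSecurityPolicy();
+policy->DidReceiveHeader(
+"upgrade-insecure-requests; script-src https://foo.test",
+kContentSecurityPolicyHeaderTypeEnforce,
+kContentSecurityPolicyHeaderSourceHTTP);
+policy->DidReceiveHeader("script-src https://bar.test",
+kContentSecurityPolicyHeaderTypeReport,
+kContentSecurityPolicyHeaderSourceHTTP);
+KURL url(KURL(), "http://baz.test");
+ResourceRequest resource_request(url);
+resource_request.SetRequestContext(WebURLRequest::kRequestContextScript);
+fetch_context->PopulateResourceRequest(
+url, Resource::kScript, ClientHintsPreferences(),
+FetchParameters::ResourceWidth(), ResourceLoaderOptions(),
+SecurityViolationReportingPolicy::kReport, resource_request);
+EXPECT_EQ(1u, policy->violation_reports_sent_.size());
+// Check that the resource was upgraded to a secure URL.
+EXPECT_EQ(KURL(KURL(), "https://baz.test"), resource_request.Url());
+}
+
 class FrameFetchContextHintsTest : public FrameFetchContextTest {
 public:
 FrameFetchContextHintsTest() {}
 
 protected:
 void ExpectHeader(const char* input,
 const char* header_name,
 bool is_present,
 const char* header_value,
 float width = 0) {
@@ -1028,10 +1091,10 @@
 SetFilterPolicy(WebDocumentSubresourceFilter::kWouldDisallow);
 
 EXPECT_EQ(ResourceRequestBlockedReason::kNone, CanRequest());
 EXPECT_EQ(0, GetFilteredLoadCallCount());
 
 EXPECT_EQ(ResourceRequestBlockedReason::kNone, CanRequestPreload());
 EXPECT_EQ(0, GetFilteredLoadCallCount());
 }
 
 } // namespace blink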
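Review bot: PopulateResourceRequestChecksReportOnlyCSP pins only the report count (`EXPECT_EQ(1u, policy->violation_reports_sent_.size())`) and the upgraded URL, so it cannot tell a report-only violation for the pre-upgrade `http://baz.test` apart from an enforced-policy violation raised at the same point; a regression that skipped the report-only check but ran the enforced check before the upgrade would still produce exactly one report and pass. If `violation_reports_sent_` exposes the reported URL or directive (its element type is not visible in this hunk), add an assertion that the single entry is the `script-src https://bar.test` report-only violation against the pre-upgrade URL, and an `EXPECT_EQ(0u, ...)` before the call so the count starts from a known baseline. The two-header policy setup and the `http://baz.test` script request are repeated verbatim across the three new tests; a small helper on FrameFetchContextTest that installs both headers and returns the prepared ResourceRequest would keep them in step if the directives change. The three test bodies lie entirely within this hunk.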