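--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,10 +1,10 @@
 /*
 * Copyright (c) 2015, Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above
@@ -462,60 +462,20 @@
 SetFrameOwnerBasedOnFrameType(test.frame_type, iframe,
 another_required_csp);
 ExpectSetEmbeddingCSPRequestHeader(
 test.to_request, test.frame_type,
 test.frame_type == WebURLRequest::kFrameTypeNested
 ? another_required_csp
 : g_null_atom);
 }
 }
 
-// Tests that CanFollowRedirect() checks both report-only and enforced CSP
-// headers.
-TEST_F(FrameFetchContextTest, RedirectChecksReportedAndEnforcedCSP) {
-ContentSecurityPolicy* policy = document->GetContentSecurityPolicy();
-policy->DidReceiveHeader("script-src https://foo.test",
-kContentSecurityPolicyHeaderTypeEnforce,
-kContentSecurityPolicyHeaderSourceHTTP);
-policy->DidReceiveHeader("script-src https://bar.test",
-kContentSecurityPolicyHeaderTypeReport,
-kContentSecurityPolicyHeaderSourceHTTP);
-KURL url(KURL(), "http://baz.test");
-ResourceRequest resource_request(url);
-resource_request.SetRequestContext(WebURLRequest::kRequestContextScript);
-EXPECT_EQ(
-ResourceRequestBlockedReason::CSP,
-fetch_context->CanFollowRedirect(
-Resource::kScript, resource_request, url, ResourceLoaderOptions(),
-SecurityViolationReportingPolicy::kReport,
-FetchParameters::kUseDefaultOriginRestrictionForType));
-EXPECT_EQ(2u, policy->violation_reports_sent_.size());
-}
-
-// Tests that AllowResponse() checks both report-only and enforced CSP headers.
-TEST_F(FrameFetchContextTest, AllowResponseChecksReportedAndEnforcedCSP) {
-ContentSecurityPolicy* policy = document->GetContentSecurityPolicy();
-policy->DidReceiveHeader("script-src https://foo.test",
-kContentSecurityPolicyHeaderTypeEnforce,
-kContentSecurityPolicyHeaderSourceHTTP);
-policy->DidReceiveHeader("script-src https://bar.test",
-kContentSecurityPolicyHeaderTypeReport,
-kContentSecurityPolicyHeaderSourceHTTP);
-KURL url(KURL(), "http://baz.test");
-ResourceRequest resource_request(url);
-resource_request.SetRequestContext(WebURLRequest::kRequestContextScript);
-EXPECT_EQ(ResourceRequestBlockedReason::CSP,
-fetch_context->AllowResponse(Resource::kScript, resource_request,
-url, ResourceLoaderOptions()));
-EXPECT_EQ(2u, policy->violation_reports_sent_.size());
-}
-
 // Tests that PopulateResourceRequest() checks report-only CSP headers, so that
 // any violations are reported before the request is modified.
 TEST_F(FrameFetchContextTest, PopulateResourceRequestChecksReportOnlyCSP) {
 ContentSecurityPolicy* policy = document->GetContentSecurityPolicy();
 policy->DidReceiveHeader(
 "upgrade-insecure-requests; script-src https://foo.test",
 kContentSecurityPolicyHeaderTypeEnforce,
 kContentSecurityPolicyHeaderSourceHTTP);
 policy->DidReceiveHeader("script-src https://bar.test",
 kContentSecurityPolicyHeaderTypeReport,
@@ -966,10 +926,10 @@
 SetFilterPolicy(WebDocumentSubresourceFilter::kWouldDisallow);
 
 EXPECT_EQ(ResourceRequestBlockedReason::kNone, CanRequest());
 EXPECT_EQ(0, GetFilteredLoadCallCount());
 
 EXPECT_EQ(ResourceRequestBlockedReason::kNone, CanRequestPreload());
 EXPECT_EQ(0, GetFilteredLoadCallCount());
 }
 
 } // namespace blink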