1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/dom/Document.h" | |
8 #include "core/frame/csp/CSPDirectiveList.h" | 7 #include "core/frame/csp/CSPDirectiveList.h" |
9 #include "core/html/HTMLScriptElement.h" | 8 #include "core/html/HTMLScriptElement.h" |
10 #include "core/loader/DocumentLoader.h" | 9 #include "core/testing/NullExecutionContext.h" |
11 #include "core/testing/DummyPageHolder.h" | |
12 #include "platform/Crypto.h" | 10 #include "platform/Crypto.h" |
13 #include "platform/RuntimeEnabledFeatures.h" | 11 #include "platform/RuntimeEnabledFeatures.h" |
14 #include "platform/loader/fetch/IntegrityMetadata.h" | 12 #include "platform/loader/fetch/IntegrityMetadata.h" |
15 #include "platform/loader/fetch/ResourceRequest.h" | 13 #include "platform/loader/fetch/ResourceRequest.h" |
16 #include "platform/network/ContentSecurityPolicyParsers.h" | 14 #include "platform/network/ContentSecurityPolicyParsers.h" |
17 #include "platform/weborigin/KURL.h" | 15 #include "platform/weborigin/KURL.h" |
18 #include "platform/weborigin/SchemeRegistry.h" | 16 #include "platform/weborigin/SchemeRegistry.h" |
19 #include "platform/weborigin/SecurityOrigin.h" | 17 #include "platform/weborigin/SecurityOrigin.h" |
20 #include "public/platform/WebAddressSpace.h" | 18 #include "public/platform/WebAddressSpace.h" |
21 #include "public/platform/WebInsecureRequestPolicy.h" | 19 #include "public/platform/WebInsecureRequestPolicy.h" |
22 #include "testing/gtest/include/gtest/gtest.h" | 20 #include "testing/gtest/include/gtest/gtest.h" |
23 | 21 |
24 namespace blink { | 22 namespace blink { |
25 | 23 |
26 class ContentSecurityPolicyTest : public ::testing::Test { | 24 class ContentSecurityPolicyTest : public ::testing::Test { |
27 public: | 25 public: |
28 ContentSecurityPolicyTest() | 26 ContentSecurityPolicyTest() |
29 : csp(ContentSecurityPolicy::Create()), | 27 : csp(ContentSecurityPolicy::Create()), |
30 secure_url(kParsedURLString, "https://example.test/image.png"), | 28 secure_url(kParsedURLString, "https://example.test/image.png"), |
31 secure_origin(SecurityOrigin::Create(secure_url)) {} | 29 secure_origin(SecurityOrigin::Create(secure_url)) {} |
32 | 30 |
33 protected: | 31 protected: |
34 virtual void SetUp() { | 32 virtual void SetUp() { execution_context = CreateExecutionContext(); } |
35 document = Document::Create(); | 33 |
36 document->SetSecurityOrigin(secure_origin); | 34 NullExecutionContext* CreateExecutionContext() { |
| 35 NullExecutionContext* context = new NullExecutionContext(); |
| 36 context->SetUpSecurityContext(); |
| 37 context->SetSecurityOrigin(secure_origin); |
| 38 return context; |
37 } | 39 } |
38 | 40 |
39 Persistent<ContentSecurityPolicy> csp; | 41 Persistent<ContentSecurityPolicy> csp; |
40 KURL secure_url; | 42 KURL secure_url; |
41 RefPtr<SecurityOrigin> secure_origin; | 43 RefPtr<SecurityOrigin> secure_origin; |
42 Persistent<Document> document; | 44 Persistent<NullExecutionContext> execution_context; |
43 }; | 45 }; |
44 | 46 |
45 TEST_F(ContentSecurityPolicyTest, ParseInsecureRequestPolicy) { | 47 TEST_F(ContentSecurityPolicyTest, ParseInsecureRequestPolicy) { |
46 struct TestCase { | 48 struct TestCase { |
47 const char* header; | 49 const char* header; |
48 WebInsecureRequestPolicy expected_policy; | 50 WebInsecureRequestPolicy expected_policy; |
49 } cases[] = {{"default-src 'none'", kLeaveInsecureRequestsAlone}, | 51 } cases[] = {{"default-src 'none'", kLeaveInsecureRequestsAlone}, |
50 {"upgrade-insecure-requests", kUpgradeInsecureRequests}, | 52 {"upgrade-insecure-requests", kUpgradeInsecureRequests}, |
51 {"block-all-mixed-content", kBlockAllMixedContent}, | 53 {"block-all-mixed-content", kBlockAllMixedContent}, |
52 {"upgrade-insecure-requests; block-all-mixed-content", | 54 {"upgrade-insecure-requests; block-all-mixed-content", |
53 kUpgradeInsecureRequests | kBlockAllMixedContent}, | 55 kUpgradeInsecureRequests | kBlockAllMixedContent}, |
54 {"upgrade-insecure-requests, block-all-mixed-content", | 56 {"upgrade-insecure-requests, block-all-mixed-content", |
55 kUpgradeInsecureRequests | kBlockAllMixedContent}}; | 57 kUpgradeInsecureRequests | kBlockAllMixedContent}}; |
56 | 58 |
57 // Enforced | 59 // Enforced |
58 for (const auto& test : cases) { | 60 for (const auto& test : cases) { |
59 SCOPED_TRACE(testing::Message() << "[Enforce] Header: `" << test.header | 61 SCOPED_TRACE(testing::Message() << "[Enforce] Header: `" << test.header |
60 << "`"); | 62 << "`"); |
61 csp = ContentSecurityPolicy::Create(); | 63 csp = ContentSecurityPolicy::Create(); |
62 csp->DidReceiveHeader(test.header, kContentSecurityPolicyHeaderTypeEnforce, | 64 csp->DidReceiveHeader(test.header, kContentSecurityPolicyHeaderTypeEnforce, |
63 kContentSecurityPolicyHeaderSourceHTTP); | 65 kContentSecurityPolicyHeaderSourceHTTP); |
64 EXPECT_EQ(test.expected_policy, csp->GetInsecureRequestPolicy()); | 66 EXPECT_EQ(test.expected_policy, csp->GetInsecureRequestPolicy()); |
65 | 67 |
66 document = Document::Create(); | 68 execution_context = CreateExecutionContext(); |
67 document->SetSecurityOrigin(secure_origin); | 69 execution_context->SetSecurityOrigin(secure_origin); |
68 document->SetURL(secure_url); | 70 execution_context->SetURL(secure_url); |
69 csp->BindToExecutionContext(document.Get()); | 71 csp->BindToExecutionContext(execution_context.Get()); |
70 EXPECT_EQ(test.expected_policy, document->GetInsecureRequestPolicy()); | 72 EXPECT_EQ(test.expected_policy, |
| 73 execution_context->GetInsecureRequestPolicy()); |
71 bool expect_upgrade = test.expected_policy & kUpgradeInsecureRequests; | 74 bool expect_upgrade = test.expected_policy & kUpgradeInsecureRequests; |
72 EXPECT_EQ(expect_upgrade, | 75 EXPECT_EQ(expect_upgrade, |
73 document->InsecureNavigationsToUpgrade()->Contains( | 76 execution_context->InsecureNavigationsToUpgrade()->Contains( |
74 document->Url().Host().Impl()->GetHash())); | 77 execution_context->Url().Host().Impl()->GetHash())); |
75 } | 78 } |
76 | 79 |
77 // Report-Only | 80 // Report-Only |
78 for (const auto& test : cases) { | 81 for (const auto& test : cases) { |
79 SCOPED_TRACE(testing::Message() << "[Report-Only] Header: `" << test.header | 82 SCOPED_TRACE(testing::Message() << "[Report-Only] Header: `" << test.header |
80 << "`"); | 83 << "`"); |
81 csp = ContentSecurityPolicy::Create(); | 84 csp = ContentSecurityPolicy::Create(); |
82 csp->DidReceiveHeader(test.header, kContentSecurityPolicyHeaderTypeReport, | 85 csp->DidReceiveHeader(test.header, kContentSecurityPolicyHeaderTypeReport, |
83 kContentSecurityPolicyHeaderSourceHTTP); | 86 kContentSecurityPolicyHeaderSourceHTTP); |
84 EXPECT_EQ(kLeaveInsecureRequestsAlone, csp->GetInsecureRequestPolicy()); | 87 EXPECT_EQ(kLeaveInsecureRequestsAlone, csp->GetInsecureRequestPolicy()); |
85 | 88 |
86 document = Document::Create(); | 89 execution_context = CreateExecutionContext(); |
87 document->SetSecurityOrigin(secure_origin); | 90 execution_context->SetSecurityOrigin(secure_origin); |
88 csp->BindToExecutionContext(document.Get()); | 91 csp->BindToExecutionContext(execution_context.Get()); |
89 EXPECT_EQ(kLeaveInsecureRequestsAlone, | 92 EXPECT_EQ(kLeaveInsecureRequestsAlone, |
90 document->GetInsecureRequestPolicy()); | 93 execution_context->GetInsecureRequestPolicy()); |
91 EXPECT_FALSE(document->InsecureNavigationsToUpgrade()->Contains( | 94 EXPECT_FALSE(execution_context->InsecureNavigationsToUpgrade()->Contains( |
92 secure_origin->Host().Impl()->GetHash())); | 95 secure_origin->Host().Impl()->GetHash())); |
93 } | 96 } |
94 } | 97 } |
95 | 98 |
96 TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressDisabled) { | 99 TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressDisabled) { |
97 RuntimeEnabledFeatures::setCorsRFC1918Enabled(false); | 100 RuntimeEnabledFeatures::setCorsRFC1918Enabled(false); |
98 document->SetAddressSpace(kWebAddressSpacePrivate); | 101 execution_context->SetAddressSpace(kWebAddressSpacePrivate); |
99 EXPECT_EQ(kWebAddressSpacePrivate, document->AddressSpace()); | 102 EXPECT_EQ(kWebAddressSpacePrivate, execution_context->AddressSpace()); |
100 | 103 |
101 csp->DidReceiveHeader("treat-as-public-address", | 104 csp->DidReceiveHeader("treat-as-public-address", |
102 kContentSecurityPolicyHeaderTypeEnforce, | 105 kContentSecurityPolicyHeaderTypeEnforce, |
103 kContentSecurityPolicyHeaderSourceHTTP); | 106 kContentSecurityPolicyHeaderSourceHTTP); |
104 csp->BindToExecutionContext(document.Get()); | 107 csp->BindToExecutionContext(execution_context.Get()); |
105 EXPECT_EQ(kWebAddressSpacePrivate, document->AddressSpace()); | 108 EXPECT_EQ(kWebAddressSpacePrivate, execution_context->AddressSpace()); |
106 } | 109 } |
107 | 110 |
108 TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressEnabled) { | 111 TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressEnabled) { |
109 RuntimeEnabledFeatures::setCorsRFC1918Enabled(true); | 112 RuntimeEnabledFeatures::setCorsRFC1918Enabled(true); |
110 document->SetAddressSpace(kWebAddressSpacePrivate); | 113 execution_context->SetAddressSpace(kWebAddressSpacePrivate); |
111 EXPECT_EQ(kWebAddressSpacePrivate, document->AddressSpace()); | 114 EXPECT_EQ(kWebAddressSpacePrivate, execution_context->AddressSpace()); |
112 | 115 |
113 csp->DidReceiveHeader("treat-as-public-address", | 116 csp->DidReceiveHeader("treat-as-public-address", |
114 kContentSecurityPolicyHeaderTypeEnforce, | 117 kContentSecurityPolicyHeaderTypeEnforce, |
115 kContentSecurityPolicyHeaderSourceHTTP); | 118 kContentSecurityPolicyHeaderSourceHTTP); |
116 csp->BindToExecutionContext(document.Get()); | 119 csp->BindToExecutionContext(execution_context.Get()); |
117 EXPECT_EQ(kWebAddressSpacePublic, document->AddressSpace()); | 120 EXPECT_EQ(kWebAddressSpacePublic, execution_context->AddressSpace()); |
118 } | 121 } |
119 | 122 |
120 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) { | 123 TEST_F(ContentSecurityPolicyTest, CopyStateFrom) { |
121 csp->DidReceiveHeader("script-src 'none'; plugin-types application/x-type-1", | 124 csp->DidReceiveHeader("script-src 'none'; plugin-types application/x-type-1", |
122 kContentSecurityPolicyHeaderTypeReport, | 125 kContentSecurityPolicyHeaderTypeReport, |
123 kContentSecurityPolicyHeaderSourceHTTP); | 126 kContentSecurityPolicyHeaderSourceHTTP); |
124 csp->DidReceiveHeader("img-src http://example.com", | 127 csp->DidReceiveHeader("img-src http://example.com", |
125 kContentSecurityPolicyHeaderTypeReport, | 128 kContentSecurityPolicyHeaderTypeReport, |
126 kContentSecurityPolicyHeaderSourceHTTP); | 129 kContentSecurityPolicyHeaderSourceHTTP); |
127 | 130 |
195 | 198 |
196 csp->DidReceiveHeader("frame-ancestors 'self'", | 199 csp->DidReceiveHeader("frame-ancestors 'self'", |
197 kContentSecurityPolicyHeaderTypeEnforce, | 200 kContentSecurityPolicyHeaderTypeEnforce, |
198 kContentSecurityPolicyHeaderSourceHTTP); | 201 kContentSecurityPolicyHeaderSourceHTTP); |
199 EXPECT_TRUE(csp->IsFrameAncestorsEnforced()); | 202 EXPECT_TRUE(csp->IsFrameAncestorsEnforced()); |
200 } | 203 } |
201 | 204 |
202 // Tests that frame-ancestors directives are discarded from policies | 205 // Tests that frame-ancestors directives are discarded from policies |
203 // delivered in <meta> elements. | 206 // delivered in <meta> elements. |
204 TEST_F(ContentSecurityPolicyTest, FrameAncestorsInMeta) { | 207 TEST_F(ContentSecurityPolicyTest, FrameAncestorsInMeta) { |
205 csp->BindToExecutionContext(document.Get()); | 208 csp->BindToExecutionContext(execution_context.Get()); |
206 csp->DidReceiveHeader("frame-ancestors 'none';", | 209 csp->DidReceiveHeader("frame-ancestors 'none';", |
207 kContentSecurityPolicyHeaderTypeEnforce, | 210 kContentSecurityPolicyHeaderTypeEnforce, |
208 kContentSecurityPolicyHeaderSourceMeta); | 211 kContentSecurityPolicyHeaderSourceMeta); |
209 EXPECT_FALSE(csp->IsFrameAncestorsEnforced()); | 212 EXPECT_FALSE(csp->IsFrameAncestorsEnforced()); |
210 csp->DidReceiveHeader("frame-ancestors 'none';", | 213 csp->DidReceiveHeader("frame-ancestors 'none';", |
211 kContentSecurityPolicyHeaderTypeEnforce, | 214 kContentSecurityPolicyHeaderTypeEnforce, |
212 kContentSecurityPolicyHeaderSourceHTTP); | 215 kContentSecurityPolicyHeaderSourceHTTP); |
213 EXPECT_TRUE(csp->IsFrameAncestorsEnforced()); | 216 EXPECT_TRUE(csp->IsFrameAncestorsEnforced()); |
214 } | 217 } |
215 | 218 |
216 // Tests that sandbox directives are discarded from policies | 219 // Tests that sandbox directives are discarded from policies |
217 // delivered in <meta> elements. | 220 // delivered in <meta> elements. |
218 TEST_F(ContentSecurityPolicyTest, SandboxInMeta) { | 221 TEST_F(ContentSecurityPolicyTest, SandboxInMeta) { |
219 csp->BindToExecutionContext(document.Get()); | 222 csp->BindToExecutionContext(execution_context.Get()); |
220 csp->DidReceiveHeader("sandbox;", kContentSecurityPolicyHeaderTypeEnforce, | 223 csp->DidReceiveHeader("sandbox;", kContentSecurityPolicyHeaderTypeEnforce, |
221 kContentSecurityPolicyHeaderSourceMeta); | 224 kContentSecurityPolicyHeaderSourceMeta); |
222 EXPECT_FALSE(document->GetSecurityOrigin()->IsUnique()); | 225 EXPECT_FALSE(execution_context->GetSecurityOrigin()->IsUnique()); |
223 csp->DidReceiveHeader("sandbox;", kContentSecurityPolicyHeaderTypeEnforce, | 226 csp->DidReceiveHeader("sandbox;", kContentSecurityPolicyHeaderTypeEnforce, |
224 kContentSecurityPolicyHeaderSourceHTTP); | 227 kContentSecurityPolicyHeaderSourceHTTP); |
225 EXPECT_TRUE(document->GetSecurityOrigin()->IsUnique()); | 228 EXPECT_TRUE(execution_context->GetSecurityOrigin()->IsUnique()); |
226 } | 229 } |
227 | 230 |
228 // Tests that report-uri directives are discarded from policies | 231 // Tests that report-uri directives are discarded from policies |
229 // delivered in <meta> elements. | 232 // delivered in <meta> elements. |
230 TEST_F(ContentSecurityPolicyTest, ReportURIInMeta) { | 233 TEST_F(ContentSecurityPolicyTest, ReportURIInMeta) { |
231 String policy = "img-src 'none'; report-uri http://foo.test"; | 234 String policy = "img-src 'none'; report-uri http://foo.test"; |
232 Vector<UChar> characters; | 235 Vector<UChar> characters; |
233 policy.AppendTo(characters); | 236 policy.AppendTo(characters); |
234 const UChar* begin = characters.data(); | 237 const UChar* begin = characters.data(); |
235 const UChar* end = begin + characters.size(); | 238 const UChar* end = begin + characters.size(); |
236 CSPDirectiveList* directive_list(CSPDirectiveList::Create( | 239 CSPDirectiveList* directive_list(CSPDirectiveList::Create( |
237 csp, begin, end, kContentSecurityPolicyHeaderTypeEnforce, | 240 csp, begin, end, kContentSecurityPolicyHeaderTypeEnforce, |
238 kContentSecurityPolicyHeaderSourceMeta)); | 241 kContentSecurityPolicyHeaderSourceMeta)); |
239 EXPECT_TRUE(directive_list->ReportEndpoints().IsEmpty()); | 242 EXPECT_TRUE(directive_list->ReportEndpoints().IsEmpty()); |
240 directive_list = CSPDirectiveList::Create( | 243 directive_list = CSPDirectiveList::Create( |
241 csp, begin, end, kContentSecurityPolicyHeaderTypeEnforce, | 244 csp, begin, end, kContentSecurityPolicyHeaderTypeEnforce, |
242 kContentSecurityPolicyHeaderSourceHTTP); | 245 kContentSecurityPolicyHeaderSourceHTTP); |
243 EXPECT_FALSE(directive_list->ReportEndpoints().IsEmpty()); | 246 EXPECT_FALSE(directive_list->ReportEndpoints().IsEmpty()); |
244 } | 247 } |
245 | 248 |
246 // Tests that object-src directives are applied to a request to load a | 249 // Tests that object-src directives are applied to a request to load a |
247 // plugin, but not to subresource requests that the plugin itself | 250 // plugin, but not to subresource requests that the plugin itself |
248 // makes. https://crbug.com/603952 | 251 // makes. https://crbug.com/603952 |
249 TEST_F(ContentSecurityPolicyTest, ObjectSrc) { | 252 TEST_F(ContentSecurityPolicyTest, ObjectSrc) { |
250 KURL url(KURL(), "https://example.test"); | 253 KURL url(KURL(), "https://example.test"); |
251 csp->BindToExecutionContext(document.Get()); | 254 csp->BindToExecutionContext(execution_context.Get()); |
252 csp->DidReceiveHeader("object-src 'none';", | 255 csp->DidReceiveHeader("object-src 'none';", |
253 kContentSecurityPolicyHeaderTypeEnforce, | 256 kContentSecurityPolicyHeaderTypeEnforce, |
254 kContentSecurityPolicyHeaderSourceMeta); | 257 kContentSecurityPolicyHeaderSourceMeta); |
255 EXPECT_FALSE( | 258 EXPECT_FALSE( |
256 csp->AllowRequest(WebURLRequest::kRequestContextObject, url, String(), | 259 csp->AllowRequest(WebURLRequest::kRequestContextObject, url, String(), |
257 IntegrityMetadataSet(), kParserInserted, | 260 IntegrityMetadataSet(), kParserInserted, |
258 ResourceRequest::RedirectStatus::kNoRedirect, | 261 ResourceRequest::RedirectStatus::kNoRedirect, |
259 SecurityViolationReportingPolicy::kSuppressReporting)); | 262 SecurityViolationReportingPolicy::kSuppressReporting)); |
260 EXPECT_FALSE( | 263 EXPECT_FALSE( |
261 csp->AllowRequest(WebURLRequest::kRequestContextEmbed, url, String(), | 264 csp->AllowRequest(WebURLRequest::kRequestContextEmbed, url, String(), |
262 IntegrityMetadataSet(), kParserInserted, | 265 IntegrityMetadataSet(), kParserInserted, |
263 ResourceRequest::RedirectStatus::kNoRedirect, | 266 ResourceRequest::RedirectStatus::kNoRedirect, |
264 SecurityViolationReportingPolicy::kSuppressReporting)); | 267 SecurityViolationReportingPolicy::kSuppressReporting)); |
265 EXPECT_TRUE( | 268 EXPECT_TRUE( |
266 csp->AllowRequest(WebURLRequest::kRequestContextPlugin, url, String(), | 269 csp->AllowRequest(WebURLRequest::kRequestContextPlugin, url, String(), |
267 IntegrityMetadataSet(), kParserInserted, | 270 IntegrityMetadataSet(), kParserInserted, |
268 ResourceRequest::RedirectStatus::kNoRedirect, | 271 ResourceRequest::RedirectStatus::kNoRedirect, |
269 SecurityViolationReportingPolicy::kSuppressReporting)); | 272 SecurityViolationReportingPolicy::kSuppressReporting)); |
270 } | 273 } |
271 | 274 |
272 TEST_F(ContentSecurityPolicyTest, ConnectSrc) { | 275 TEST_F(ContentSecurityPolicyTest, ConnectSrc) { |
273 KURL url(KURL(), "https://example.test"); | 276 KURL url(KURL(), "https://example.test"); |
274 csp->BindToExecutionContext(document.Get()); | 277 csp->BindToExecutionContext(execution_context.Get()); |
275 csp->DidReceiveHeader("connect-src 'none';", | 278 csp->DidReceiveHeader("connect-src 'none';", |
276 kContentSecurityPolicyHeaderTypeEnforce, | 279 kContentSecurityPolicyHeaderTypeEnforce, |
277 kContentSecurityPolicyHeaderSourceMeta); | 280 kContentSecurityPolicyHeaderSourceMeta); |
278 EXPECT_FALSE( | 281 EXPECT_FALSE( |
279 csp->AllowRequest(WebURLRequest::kRequestContextSubresource, url, | 282 csp->AllowRequest(WebURLRequest::kRequestContextSubresource, url, |
280 String(), IntegrityMetadataSet(), kParserInserted, | 283 String(), IntegrityMetadataSet(), kParserInserted, |
281 ResourceRequest::RedirectStatus::kNoRedirect, | 284 ResourceRequest::RedirectStatus::kNoRedirect, |
282 SecurityViolationReportingPolicy::kSuppressReporting)); | 285 SecurityViolationReportingPolicy::kSuppressReporting)); |
283 EXPECT_FALSE( | 286 EXPECT_FALSE( |
284 csp->AllowRequest(WebURLRequest::kRequestContextXMLHttpRequest, url, | 287 csp->AllowRequest(WebURLRequest::kRequestContextXMLHttpRequest, url, |
300 IntegrityMetadataSet(), kParserInserted, | 303 IntegrityMetadataSet(), kParserInserted, |
301 ResourceRequest::RedirectStatus::kNoRedirect, | 304 ResourceRequest::RedirectStatus::kNoRedirect, |
302 SecurityViolationReportingPolicy::kSuppressReporting)); | 305 SecurityViolationReportingPolicy::kSuppressReporting)); |
303 } | 306 } |
304 // Tests that requests for scripts and styles are blocked | 307 // Tests that requests for scripts and styles are blocked |
305 // if `require-sri-for` delivered in HTTP header requires integrity be present | 308 // if `require-sri-for` delivered in HTTP header requires integrity be present |
306 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity) { | 309 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderMissingIntegrity) { |
307 KURL url(KURL(), "https://example.test"); | 310 KURL url(KURL(), "https://example.test"); |
308 // Enforce | 311 // Enforce |
309 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); | 312 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); |
310 policy->BindToExecutionContext(document.Get()); | 313 policy->BindToExecutionContext(execution_context.Get()); |
311 policy->DidReceiveHeader("require-sri-for script style", | 314 policy->DidReceiveHeader("require-sri-for script style", |
312 kContentSecurityPolicyHeaderTypeEnforce, | 315 kContentSecurityPolicyHeaderTypeEnforce, |
313 kContentSecurityPolicyHeaderSourceHTTP); | 316 kContentSecurityPolicyHeaderSourceHTTP); |
314 EXPECT_FALSE(policy->AllowRequest( | 317 EXPECT_FALSE(policy->AllowRequest( |
315 WebURLRequest::kRequestContextScript, url, String(), | 318 WebURLRequest::kRequestContextScript, url, String(), |
316 IntegrityMetadataSet(), kParserInserted, | 319 IntegrityMetadataSet(), kParserInserted, |
317 ResourceRequest::RedirectStatus::kNoRedirect, | 320 ResourceRequest::RedirectStatus::kNoRedirect, |
318 SecurityViolationReportingPolicy::kSuppressReporting)); | 321 SecurityViolationReportingPolicy::kSuppressReporting)); |
319 EXPECT_FALSE(policy->AllowRequest( | 322 EXPECT_FALSE(policy->AllowRequest( |
320 WebURLRequest::kRequestContextImport, url, String(), | 323 WebURLRequest::kRequestContextImport, url, String(), |
341 IntegrityMetadataSet(), kParserInserted, | 344 IntegrityMetadataSet(), kParserInserted, |
342 ResourceRequest::RedirectStatus::kNoRedirect, | 345 ResourceRequest::RedirectStatus::kNoRedirect, |
343 SecurityViolationReportingPolicy::kSuppressReporting)); | 346 SecurityViolationReportingPolicy::kSuppressReporting)); |
344 EXPECT_TRUE(policy->AllowRequest( | 347 EXPECT_TRUE(policy->AllowRequest( |
345 WebURLRequest::kRequestContextImage, url, String(), | 348 WebURLRequest::kRequestContextImage, url, String(), |
346 IntegrityMetadataSet(), kParserInserted, | 349 IntegrityMetadataSet(), kParserInserted, |
347 ResourceRequest::RedirectStatus::kNoRedirect, | 350 ResourceRequest::RedirectStatus::kNoRedirect, |
348 SecurityViolationReportingPolicy::kSuppressReporting)); | 351 SecurityViolationReportingPolicy::kSuppressReporting)); |
349 // Report | 352 // Report |
350 policy = ContentSecurityPolicy::Create(); | 353 policy = ContentSecurityPolicy::Create(); |
351 policy->BindToExecutionContext(document.Get()); | 354 policy->BindToExecutionContext(execution_context.Get()); |
352 policy->DidReceiveHeader("require-sri-for script style", | 355 policy->DidReceiveHeader("require-sri-for script style", |
353 kContentSecurityPolicyHeaderTypeReport, | 356 kContentSecurityPolicyHeaderTypeReport, |
354 kContentSecurityPolicyHeaderSourceHTTP); | 357 kContentSecurityPolicyHeaderSourceHTTP); |
355 EXPECT_TRUE(policy->AllowRequest( | 358 EXPECT_TRUE(policy->AllowRequest( |
356 WebURLRequest::kRequestContextScript, url, String(), | 359 WebURLRequest::kRequestContextScript, url, String(), |
357 IntegrityMetadataSet(), kParserInserted, | 360 IntegrityMetadataSet(), kParserInserted, |
358 ResourceRequest::RedirectStatus::kNoRedirect, | 361 ResourceRequest::RedirectStatus::kNoRedirect, |
359 SecurityViolationReportingPolicy::kSuppressReporting)); | 362 SecurityViolationReportingPolicy::kSuppressReporting)); |
360 EXPECT_TRUE(policy->AllowRequest( | 363 EXPECT_TRUE(policy->AllowRequest( |
361 WebURLRequest::kRequestContextImport, url, String(), | 364 WebURLRequest::kRequestContextImport, url, String(), |
389 SecurityViolationReportingPolicy::kSuppressReporting)); | 392 SecurityViolationReportingPolicy::kSuppressReporting)); |
390 } | 393 } |
391 | 394 |
392 // Tests that requests for scripts and styles are allowed | 395 // Tests that requests for scripts and styles are allowed |
393 // if `require-sri-for` delivered in HTTP header requires integrity be present | 396 // if `require-sri-for` delivered in HTTP header requires integrity be present |
394 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderPresentIntegrity) { | 397 TEST_F(ContentSecurityPolicyTest, RequireSRIForInHeaderPresentIntegrity) { |
395 KURL url(KURL(), "https://example.test"); | 398 KURL url(KURL(), "https://example.test"); |
396 IntegrityMetadataSet integrity_metadata; | 399 IntegrityMetadataSet integrity_metadata; |
397 integrity_metadata.insert( | 400 integrity_metadata.insert( |
398 IntegrityMetadata("1234", kHashAlgorithmSha384).ToPair()); | 401 IntegrityMetadata("1234", kHashAlgorithmSha384).ToPair()); |
399 csp->BindToExecutionContext(document.Get()); | 402 csp->BindToExecutionContext(execution_context.Get()); |
400 // Enforce | 403 // Enforce |
401 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); | 404 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); |
402 policy->BindToExecutionContext(document.Get()); | 405 policy->BindToExecutionContext(execution_context.Get()); |
403 policy->DidReceiveHeader("require-sri-for script style", | 406 policy->DidReceiveHeader("require-sri-for script style", |
404 kContentSecurityPolicyHeaderTypeEnforce, | 407 kContentSecurityPolicyHeaderTypeEnforce, |
405 kContentSecurityPolicyHeaderSourceHTTP); | 408 kContentSecurityPolicyHeaderSourceHTTP); |
406 EXPECT_TRUE(policy->AllowRequest( | 409 EXPECT_TRUE(policy->AllowRequest( |
407 WebURLRequest::kRequestContextScript, url, String(), integrity_metadata, | 410 WebURLRequest::kRequestContextScript, url, String(), integrity_metadata, |
408 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 411 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
409 SecurityViolationReportingPolicy::kSuppressReporting)); | 412 SecurityViolationReportingPolicy::kSuppressReporting)); |
410 EXPECT_TRUE(policy->AllowRequest( | 413 EXPECT_TRUE(policy->AllowRequest( |
411 WebURLRequest::kRequestContextImport, url, String(), integrity_metadata, | 414 WebURLRequest::kRequestContextImport, url, String(), integrity_metadata, |
412 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 415 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
429 WebURLRequest::kRequestContextWorker, url, String(), integrity_metadata, | 432 WebURLRequest::kRequestContextWorker, url, String(), integrity_metadata, |
430 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 433 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
431 SecurityViolationReportingPolicy::kSuppressReporting)); | 434 SecurityViolationReportingPolicy::kSuppressReporting)); |
432 EXPECT_TRUE(policy->AllowRequest( | 435 EXPECT_TRUE(policy->AllowRequest( |
433 WebURLRequest::kRequestContextImage, url, String(), integrity_metadata, | 436 WebURLRequest::kRequestContextImage, url, String(), integrity_metadata, |
434 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 437 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
435 SecurityViolationReportingPolicy::kSuppressReporting)); | 438 SecurityViolationReportingPolicy::kSuppressReporting)); |
436 // Content-Security-Policy-Report-Only is not supported in meta element, | 439 // Content-Security-Policy-Report-Only is not supported in meta element, |
437 // so nothing should be blocked | 440 // so nothing should be blocked |
438 policy = ContentSecurityPolicy::Create(); | 441 policy = ContentSecurityPolicy::Create(); |
439 policy->BindToExecutionContext(document.Get()); | 442 policy->BindToExecutionContext(execution_context.Get()); |
440 policy->DidReceiveHeader("require-sri-for script style", | 443 policy->DidReceiveHeader("require-sri-for script style", |
441 kContentSecurityPolicyHeaderTypeReport, | 444 kContentSecurityPolicyHeaderTypeReport, |
442 kContentSecurityPolicyHeaderSourceHTTP); | 445 kContentSecurityPolicyHeaderSourceHTTP); |
443 EXPECT_TRUE(policy->AllowRequest( | 446 EXPECT_TRUE(policy->AllowRequest( |
444 WebURLRequest::kRequestContextScript, url, String(), integrity_metadata, | 447 WebURLRequest::kRequestContextScript, url, String(), integrity_metadata, |
445 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 448 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
446 SecurityViolationReportingPolicy::kSuppressReporting)); | 449 SecurityViolationReportingPolicy::kSuppressReporting)); |
447 EXPECT_TRUE(policy->AllowRequest( | 450 EXPECT_TRUE(policy->AllowRequest( |
448 WebURLRequest::kRequestContextImport, url, String(), integrity_metadata, | 451 WebURLRequest::kRequestContextImport, url, String(), integrity_metadata, |
449 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 452 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
471 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 474 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
472 SecurityViolationReportingPolicy::kSuppressReporting)); | 475 SecurityViolationReportingPolicy::kSuppressReporting)); |
473 } | 476 } |
474 | 477 |
475 // Tests that requests for scripts and styles are blocked | 478 // Tests that requests for scripts and styles are blocked |
476 // if `require-sri-for` delivered in meta tag requires integrity be present | 479 // if `require-sri-for` delivered in meta tag requires integrity be present |
477 TEST_F(ContentSecurityPolicyTest, RequireSRIForInMetaMissingIntegrity) { | 480 TEST_F(ContentSecurityPolicyTest, RequireSRIForInMetaMissingIntegrity) { |
478 KURL url(KURL(), "https://example.test"); | 481 KURL url(KURL(), "https://example.test"); |
479 // Enforce | 482 // Enforce |
480 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); | 483 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); |
481 policy->BindToExecutionContext(document.Get()); | 484 policy->BindToExecutionContext(execution_context.Get()); |
482 policy->DidReceiveHeader("require-sri-for script style", | 485 policy->DidReceiveHeader("require-sri-for script style", |
483 kContentSecurityPolicyHeaderTypeEnforce, | 486 kContentSecurityPolicyHeaderTypeEnforce, |
484 kContentSecurityPolicyHeaderSourceMeta); | 487 kContentSecurityPolicyHeaderSourceMeta); |
485 EXPECT_FALSE(policy->AllowRequest( | 488 EXPECT_FALSE(policy->AllowRequest( |
486 WebURLRequest::kRequestContextScript, url, String(), | 489 WebURLRequest::kRequestContextScript, url, String(), |
487 IntegrityMetadataSet(), kParserInserted, | 490 IntegrityMetadataSet(), kParserInserted, |
488 ResourceRequest::RedirectStatus::kNoRedirect, | 491 ResourceRequest::RedirectStatus::kNoRedirect, |
489 SecurityViolationReportingPolicy::kSuppressReporting)); | 492 SecurityViolationReportingPolicy::kSuppressReporting)); |
490 EXPECT_FALSE(policy->AllowRequest( | 493 EXPECT_FALSE(policy->AllowRequest( |
491 WebURLRequest::kRequestContextImport, url, String(), | 494 WebURLRequest::kRequestContextImport, url, String(), |
513 ResourceRequest::RedirectStatus::kNoRedirect, | 516 ResourceRequest::RedirectStatus::kNoRedirect, |
514 SecurityViolationReportingPolicy::kSuppressReporting)); | 517 SecurityViolationReportingPolicy::kSuppressReporting)); |
515 EXPECT_TRUE(policy->AllowRequest( | 518 EXPECT_TRUE(policy->AllowRequest( |
516 WebURLRequest::kRequestContextImage, url, String(), | 519 WebURLRequest::kRequestContextImage, url, String(), |
517 IntegrityMetadataSet(), kParserInserted, | 520 IntegrityMetadataSet(), kParserInserted, |
518 ResourceRequest::RedirectStatus::kNoRedirect, | 521 ResourceRequest::RedirectStatus::kNoRedirect, |
519 SecurityViolationReportingPolicy::kSuppressReporting)); | 522 SecurityViolationReportingPolicy::kSuppressReporting)); |
520 // Content-Security-Policy-Report-Only is not supported in meta element, | 523 // Content-Security-Policy-Report-Only is not supported in meta element, |
521 // so nothing should be blocked | 524 // so nothing should be blocked |
522 policy = ContentSecurityPolicy::Create(); | 525 policy = ContentSecurityPolicy::Create(); |
523 policy->BindToExecutionContext(document.Get()); | 526 policy->BindToExecutionContext(execution_context.Get()); |
524 policy->DidReceiveHeader("require-sri-for script style", | 527 policy->DidReceiveHeader("require-sri-for script style", |
525 kContentSecurityPolicyHeaderTypeReport, | 528 kContentSecurityPolicyHeaderTypeReport, |
526 kContentSecurityPolicyHeaderSourceMeta); | 529 kContentSecurityPolicyHeaderSourceMeta); |
527 EXPECT_TRUE(policy->AllowRequest( | 530 EXPECT_TRUE(policy->AllowRequest( |
528 WebURLRequest::kRequestContextScript, url, String(), | 531 WebURLRequest::kRequestContextScript, url, String(), |
529 IntegrityMetadataSet(), kParserInserted, | 532 IntegrityMetadataSet(), kParserInserted, |
530 ResourceRequest::RedirectStatus::kNoRedirect, | 533 ResourceRequest::RedirectStatus::kNoRedirect, |
531 SecurityViolationReportingPolicy::kSuppressReporting)); | 534 SecurityViolationReportingPolicy::kSuppressReporting)); |
532 EXPECT_TRUE(policy->AllowRequest( | 535 EXPECT_TRUE(policy->AllowRequest( |
533 WebURLRequest::kRequestContextImport, url, String(), | 536 WebURLRequest::kRequestContextImport, url, String(), |
561 SecurityViolationReportingPolicy::kSuppressReporting)); | 564 SecurityViolationReportingPolicy::kSuppressReporting)); |
562 } | 565 } |
563 | 566 |
564 // Tests that requests for scripts and styles are allowed | 567 // Tests that requests for scripts and styles are allowed |
565 // if `require-sri-for` delivered meta tag requires integrity be present | 568 // if `require-sri-for` delivered meta tag requires integrity be present |
566 TEST_F(ContentSecurityPolicyTest, RequireSRIForInMetaPresentIntegrity) { | 569 TEST_F(ContentSecurityPolicyTest, RequireSRIForInMetaPresentIntegrity) { |
567 KURL url(KURL(), "https://example.test"); | 570 KURL url(KURL(), "https://example.test"); |
568 IntegrityMetadataSet integrity_metadata; | 571 IntegrityMetadataSet integrity_metadata; |
569 integrity_metadata.insert( | 572 integrity_metadata.insert( |
570 IntegrityMetadata("1234", kHashAlgorithmSha384).ToPair()); | 573 IntegrityMetadata("1234", kHashAlgorithmSha384).ToPair()); |
571 csp->BindToExecutionContext(document.Get()); | 574 csp->BindToExecutionContext(execution_context.Get()); |
572 // Enforce | 575 // Enforce |
573 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); | 576 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); |
574 policy->BindToExecutionContext(document.Get()); | 577 policy->BindToExecutionContext(execution_context.Get()); |
575 policy->DidReceiveHeader("require-sri-for script style", | 578 policy->DidReceiveHeader("require-sri-for script style", |
576 kContentSecurityPolicyHeaderTypeEnforce, | 579 kContentSecurityPolicyHeaderTypeEnforce, |
577 kContentSecurityPolicyHeaderSourceMeta); | 580 kContentSecurityPolicyHeaderSourceMeta); |
578 EXPECT_TRUE(policy->AllowRequest( | 581 EXPECT_TRUE(policy->AllowRequest( |
579 WebURLRequest::kRequestContextScript, url, String(), integrity_metadata, | 582 WebURLRequest::kRequestContextScript, url, String(), integrity_metadata, |
580 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 583 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
581 SecurityViolationReportingPolicy::kSuppressReporting)); | 584 SecurityViolationReportingPolicy::kSuppressReporting)); |
582 EXPECT_TRUE(policy->AllowRequest( | 585 EXPECT_TRUE(policy->AllowRequest( |
583 WebURLRequest::kRequestContextImport, url, String(), integrity_metadata, | 586 WebURLRequest::kRequestContextImport, url, String(), integrity_metadata, |
584 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 587 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
601 WebURLRequest::kRequestContextWorker, url, String(), integrity_metadata, | 604 WebURLRequest::kRequestContextWorker, url, String(), integrity_metadata, |
602 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 605 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
603 SecurityViolationReportingPolicy::kSuppressReporting)); | 606 SecurityViolationReportingPolicy::kSuppressReporting)); |
604 EXPECT_TRUE(policy->AllowRequest( | 607 EXPECT_TRUE(policy->AllowRequest( |
605 WebURLRequest::kRequestContextImage, url, String(), integrity_metadata, | 608 WebURLRequest::kRequestContextImage, url, String(), integrity_metadata, |
606 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 609 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
607 SecurityViolationReportingPolicy::kSuppressReporting)); | 610 SecurityViolationReportingPolicy::kSuppressReporting)); |
608 // Content-Security-Policy-Report-Only is not supported in meta element, | 611 // Content-Security-Policy-Report-Only is not supported in meta element, |
609 // so nothing should be blocked | 612 // so nothing should be blocked |
610 policy = ContentSecurityPolicy::Create(); | 613 policy = ContentSecurityPolicy::Create(); |
611 policy->BindToExecutionContext(document.Get()); | 614 policy->BindToExecutionContext(execution_context.Get()); |
612 policy->DidReceiveHeader("require-sri-for script style", | 615 policy->DidReceiveHeader("require-sri-for script style", |
613 kContentSecurityPolicyHeaderTypeReport, | 616 kContentSecurityPolicyHeaderTypeReport, |
614 kContentSecurityPolicyHeaderSourceMeta); | 617 kContentSecurityPolicyHeaderSourceMeta); |
615 EXPECT_TRUE(policy->AllowRequest( | 618 EXPECT_TRUE(policy->AllowRequest( |
616 WebURLRequest::kRequestContextScript, url, String(), integrity_metadata, | 619 WebURLRequest::kRequestContextScript, url, String(), integrity_metadata, |
617 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 620 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
618 SecurityViolationReportingPolicy::kSuppressReporting)); | 621 SecurityViolationReportingPolicy::kSuppressReporting)); |
619 EXPECT_TRUE(policy->AllowRequest( | 622 EXPECT_TRUE(policy->AllowRequest( |
620 WebURLRequest::kRequestContextImport, url, String(), integrity_metadata, | 623 WebURLRequest::kRequestContextImport, url, String(), integrity_metadata, |
621 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 624 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
664 for (const auto& test : cases) { | 667 for (const auto& test : cases) { |
665 SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy << "`, URL: `" | 668 SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy << "`, URL: `" |
666 << test.url << "`, Nonce: `" << test.nonce | 669 << test.url << "`, Nonce: `" << test.nonce |
667 << "`"); | 670 << "`"); |
668 KURL resource = KURL(KURL(), test.url); | 671 KURL resource = KURL(KURL(), test.url); |
669 | 672 |
670 unsigned expected_reports = test.allowed ? 0u : 1u; | 673 unsigned expected_reports = test.allowed ? 0u : 1u; |
671 | 674 |
672 // Single enforce-mode policy should match `test.expected`: | 675 // Single enforce-mode policy should match `test.expected`: |
673 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); | 676 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); |
674 policy->BindToExecutionContext(document.Get()); | 677 policy->BindToExecutionContext(execution_context.Get()); |
675 policy->DidReceiveHeader(test.policy, | 678 policy->DidReceiveHeader(test.policy, |
676 kContentSecurityPolicyHeaderTypeEnforce, | 679 kContentSecurityPolicyHeaderTypeEnforce, |
677 kContentSecurityPolicyHeaderSourceHTTP); | 680 kContentSecurityPolicyHeaderSourceHTTP); |
678 EXPECT_EQ(test.allowed, policy->AllowScriptFromSource( | 681 EXPECT_EQ(test.allowed, policy->AllowScriptFromSource( |
679 resource, String(test.nonce), | 682 resource, String(test.nonce), |
680 IntegrityMetadataSet(), kParserInserted)); | 683 IntegrityMetadataSet(), kParserInserted)); |
681 // If this is expected to generate a violation, we should have sent a | 684 // If this is expected to generate a violation, we should have sent a |
682 // report. | 685 // report. |
683 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); | 686 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); |
684 | 687 |
685 // Single report-mode policy should always be `true`: | 688 // Single report-mode policy should always be `true`: |
686 policy = ContentSecurityPolicy::Create(); | 689 policy = ContentSecurityPolicy::Create(); |
687 policy->BindToExecutionContext(document.Get()); | 690 policy->BindToExecutionContext(execution_context.Get()); |
688 policy->DidReceiveHeader(test.policy, | 691 policy->DidReceiveHeader(test.policy, |
689 kContentSecurityPolicyHeaderTypeReport, | 692 kContentSecurityPolicyHeaderTypeReport, |
690 kContentSecurityPolicyHeaderSourceHTTP); | 693 kContentSecurityPolicyHeaderSourceHTTP); |
691 EXPECT_TRUE(policy->AllowScriptFromSource( | 694 EXPECT_TRUE(policy->AllowScriptFromSource( |
692 resource, String(test.nonce), IntegrityMetadataSet(), kParserInserted, | 695 resource, String(test.nonce), IntegrityMetadataSet(), kParserInserted, |
693 ResourceRequest::RedirectStatus::kNoRedirect, | 696 ResourceRequest::RedirectStatus::kNoRedirect, |
694 SecurityViolationReportingPolicy::kReport, | 697 SecurityViolationReportingPolicy::kReport, |
695 ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly)); | 698 ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly)); |
696 // If this is expected to generate a violation, we should have sent a | 699 // If this is expected to generate a violation, we should have sent a |
697 // report, even though we don't deny access in `allowScriptFromSource`: | 700 // report, even though we don't deny access in `allowScriptFromSource`: |
709 {"'unsafe-inline'", "yay", true}, | 712 {"'unsafe-inline'", "yay", true}, |
710 {"'nonce-yay'", "", false}, | 713 {"'nonce-yay'", "", false}, |
711 {"'nonce-yay'", "yay", true}, | 714 {"'nonce-yay'", "yay", true}, |
712 {"'unsafe-inline' 'nonce-yay'", "", false}, | 715 {"'unsafe-inline' 'nonce-yay'", "", false}, |
713 {"'unsafe-inline' 'nonce-yay'", "yay", true}, | 716 {"'unsafe-inline' 'nonce-yay'", "yay", true}, |
714 }; | 717 }; |
715 | 718 |
716 String context_url; | 719 String context_url; |
717 String content; | 720 String content; |
718 WTF::OrdinalNumber context_line; | 721 WTF::OrdinalNumber context_line; |
| 722 |
| 723 // We need document for HTMLScriptElement tests. |
| 724 Document* document = Document::Create(); |
| 725 document->SetSecurityOrigin(secure_origin); |
| 726 |
719 for (const auto& test : cases) { | 727 for (const auto& test : cases) { |
720 SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy | 728 SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy |
721 << "`, Nonce: `" << test.nonce << "`"); | 729 << "`, Nonce: `" << test.nonce << "`"); |
722 | 730 |
723 unsigned expected_reports = test.allowed ? 0u : 1u; | 731 unsigned expected_reports = test.allowed ? 0u : 1u; |
724 HTMLScriptElement* element = HTMLScriptElement::Create(*document, true); | 732 HTMLScriptElement* element = HTMLScriptElement::Create(*document, true); |
725 | 733 |
726 // Enforce 'script-src' | 734 // Enforce 'script-src' |
727 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); | 735 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); |
728 policy->BindToExecutionContext(document.Get()); | 736 policy->BindToExecutionContext(document); |
729 policy->DidReceiveHeader(String("script-src ") + test.policy, | 737 policy->DidReceiveHeader(String("script-src ") + test.policy, |
730 kContentSecurityPolicyHeaderTypeEnforce, | 738 kContentSecurityPolicyHeaderTypeEnforce, |
731 kContentSecurityPolicyHeaderSourceHTTP); | 739 kContentSecurityPolicyHeaderSourceHTTP); |
732 EXPECT_EQ(test.allowed, policy->AllowInlineScript(element, context_url, | 740 EXPECT_EQ(test.allowed, policy->AllowInlineScript(element, context_url, |
733 String(test.nonce), | 741 String(test.nonce), |
734 context_line, content)); | 742 context_line, content)); |
735 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); | 743 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); |
736 | 744 |
737 // Enforce 'style-src' | 745 // Enforce 'style-src' |
738 policy = ContentSecurityPolicy::Create(); | 746 policy = ContentSecurityPolicy::Create(); |
739 policy->BindToExecutionContext(document.Get()); | 747 policy->BindToExecutionContext(document); |
740 policy->DidReceiveHeader(String("style-src ") + test.policy, | 748 policy->DidReceiveHeader(String("style-src ") + test.policy, |
741 kContentSecurityPolicyHeaderTypeEnforce, | 749 kContentSecurityPolicyHeaderTypeEnforce, |
742 kContentSecurityPolicyHeaderSourceHTTP); | 750 kContentSecurityPolicyHeaderSourceHTTP); |
743 EXPECT_EQ(test.allowed, | 751 EXPECT_EQ(test.allowed, |
744 policy->AllowInlineStyle(element, context_url, String(test.nonce), | 752 policy->AllowInlineStyle(element, context_url, String(test.nonce), |
745 context_line, content)); | 753 context_line, content)); |
746 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); | 754 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); |
747 | 755 |
748 // Report 'script-src' | 756 // Report 'script-src' |
749 policy = ContentSecurityPolicy::Create(); | 757 policy = ContentSecurityPolicy::Create(); |
750 policy->BindToExecutionContext(document.Get()); | 758 policy->BindToExecutionContext(document); |
751 policy->DidReceiveHeader(String("script-src ") + test.policy, | 759 policy->DidReceiveHeader(String("script-src ") + test.policy, |
752 kContentSecurityPolicyHeaderTypeReport, | 760 kContentSecurityPolicyHeaderTypeReport, |
753 kContentSecurityPolicyHeaderSourceHTTP); | 761 kContentSecurityPolicyHeaderSourceHTTP); |
754 EXPECT_TRUE(policy->AllowInlineScript( | 762 EXPECT_TRUE(policy->AllowInlineScript( |
755 element, context_url, String(test.nonce), context_line, content)); | 763 element, context_url, String(test.nonce), context_line, content)); |
756 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); | 764 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); |
757 | 765 |
758 // Report 'style-src' | 766 // Report 'style-src' |
759 policy = ContentSecurityPolicy::Create(); | 767 policy = ContentSecurityPolicy::Create(); |
760 policy->BindToExecutionContext(document.Get()); | 768 policy->BindToExecutionContext(document); |
761 policy->DidReceiveHeader(String("style-src ") + test.policy, | 769 policy->DidReceiveHeader(String("style-src ") + test.policy, |
762 kContentSecurityPolicyHeaderTypeReport, | 770 kContentSecurityPolicyHeaderTypeReport, |
763 kContentSecurityPolicyHeaderSourceHTTP); | 771 kContentSecurityPolicyHeaderSourceHTTP); |
764 EXPECT_TRUE(policy->AllowInlineStyle( | 772 EXPECT_TRUE(policy->AllowInlineStyle( |
765 element, context_url, String(test.nonce), context_line, content)); | 773 element, context_url, String(test.nonce), context_line, content)); |
766 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); | 774 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); |
767 } | 775 } |
768 } | 776 } |
769 | 777 |
770 TEST_F(ContentSecurityPolicyTest, NonceMultiplePolicy) { | 778 TEST_F(ContentSecurityPolicyTest, NonceMultiplePolicy) { |
819 SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy1 << "`/`" | 827 SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy1 << "`/`" |
820 << test.policy2 << "`, URL: `" << test.url | 828 << test.policy2 << "`, URL: `" << test.url |
821 << "`, Nonce: `" << test.nonce << "`"); | 829 << "`, Nonce: `" << test.nonce << "`"); |
822 KURL resource = KURL(KURL(), test.url); | 830 KURL resource = KURL(KURL(), test.url); |
823 | 831 |
824 unsigned expected_reports = | 832 unsigned expected_reports = |
825 test.allowed1 != test.allowed2 ? 1u : (test.allowed1 ? 0u : 2u); | 833 test.allowed1 != test.allowed2 ? 1u : (test.allowed1 ? 0u : 2u); |
826 | 834 |
827 // Enforce / Report | 835 // Enforce / Report |
828 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); | 836 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); |
829 policy->BindToExecutionContext(document.Get()); | 837 policy->BindToExecutionContext(execution_context.Get()); |
830 policy->DidReceiveHeader(test.policy1, | 838 policy->DidReceiveHeader(test.policy1, |
831 kContentSecurityPolicyHeaderTypeEnforce, | 839 kContentSecurityPolicyHeaderTypeEnforce, |
832 kContentSecurityPolicyHeaderSourceHTTP); | 840 kContentSecurityPolicyHeaderSourceHTTP); |
833 policy->DidReceiveHeader(test.policy2, | 841 policy->DidReceiveHeader(test.policy2, |
834 kContentSecurityPolicyHeaderTypeReport, | 842 kContentSecurityPolicyHeaderTypeReport, |
835 kContentSecurityPolicyHeaderSourceHTTP); | 843 kContentSecurityPolicyHeaderSourceHTTP); |
836 EXPECT_EQ(test.allowed1, | 844 EXPECT_EQ(test.allowed1, |
837 policy->AllowScriptFromSource( | 845 policy->AllowScriptFromSource( |
838 resource, String(test.nonce), IntegrityMetadataSet(), | 846 resource, String(test.nonce), IntegrityMetadataSet(), |
839 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 847 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
840 SecurityViolationReportingPolicy::kReport, | 848 SecurityViolationReportingPolicy::kReport, |
841 ContentSecurityPolicy::CheckHeaderType::kCheckEnforce)); | 849 ContentSecurityPolicy::CheckHeaderType::kCheckEnforce)); |
842 EXPECT_TRUE(policy->AllowScriptFromSource( | 850 EXPECT_TRUE(policy->AllowScriptFromSource( |
843 resource, String(test.nonce), IntegrityMetadataSet(), kParserInserted, | 851 resource, String(test.nonce), IntegrityMetadataSet(), kParserInserted, |
844 ResourceRequest::RedirectStatus::kNoRedirect, | 852 ResourceRequest::RedirectStatus::kNoRedirect, |
845 SecurityViolationReportingPolicy::kReport, | 853 SecurityViolationReportingPolicy::kReport, |
846 ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly)); | 854 ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly)); |
847 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); | 855 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); |
848 | 856 |
849 // Report / Enforce | 857 // Report / Enforce |
850 policy = ContentSecurityPolicy::Create(); | 858 policy = ContentSecurityPolicy::Create(); |
851 policy->BindToExecutionContext(document.Get()); | 859 policy->BindToExecutionContext(execution_context.Get()); |
852 policy->DidReceiveHeader(test.policy1, | 860 policy->DidReceiveHeader(test.policy1, |
853 kContentSecurityPolicyHeaderTypeReport, | 861 kContentSecurityPolicyHeaderTypeReport, |
854 kContentSecurityPolicyHeaderSourceHTTP); | 862 kContentSecurityPolicyHeaderSourceHTTP); |
855 policy->DidReceiveHeader(test.policy2, | 863 policy->DidReceiveHeader(test.policy2, |
856 kContentSecurityPolicyHeaderTypeEnforce, | 864 kContentSecurityPolicyHeaderTypeEnforce, |
857 kContentSecurityPolicyHeaderSourceHTTP); | 865 kContentSecurityPolicyHeaderSourceHTTP); |
858 EXPECT_TRUE(policy->AllowScriptFromSource( | 866 EXPECT_TRUE(policy->AllowScriptFromSource( |
859 resource, String(test.nonce), IntegrityMetadataSet(), kParserInserted, | 867 resource, String(test.nonce), IntegrityMetadataSet(), kParserInserted, |
860 ResourceRequest::RedirectStatus::kNoRedirect, | 868 ResourceRequest::RedirectStatus::kNoRedirect, |
861 SecurityViolationReportingPolicy::kReport, | 869 SecurityViolationReportingPolicy::kReport, |
862 ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly)); | 870 ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly)); |
863 EXPECT_EQ(test.allowed2, | 871 EXPECT_EQ(test.allowed2, |
864 policy->AllowScriptFromSource( | 872 policy->AllowScriptFromSource( |
865 resource, String(test.nonce), IntegrityMetadataSet(), | 873 resource, String(test.nonce), IntegrityMetadataSet(), |
866 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 874 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
867 SecurityViolationReportingPolicy::kReport, | 875 SecurityViolationReportingPolicy::kReport, |
868 ContentSecurityPolicy::CheckHeaderType::kCheckEnforce)); | 876 ContentSecurityPolicy::CheckHeaderType::kCheckEnforce)); |
869 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); | 877 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); |
870 | 878 |
871 // Enforce / Enforce | 879 // Enforce / Enforce |
872 policy = ContentSecurityPolicy::Create(); | 880 policy = ContentSecurityPolicy::Create(); |
873 policy->BindToExecutionContext(document.Get()); | 881 policy->BindToExecutionContext(execution_context.Get()); |
874 policy->DidReceiveHeader(test.policy1, | 882 policy->DidReceiveHeader(test.policy1, |
875 kContentSecurityPolicyHeaderTypeEnforce, | 883 kContentSecurityPolicyHeaderTypeEnforce, |
876 kContentSecurityPolicyHeaderSourceHTTP); | 884 kContentSecurityPolicyHeaderSourceHTTP); |
877 policy->DidReceiveHeader(test.policy2, | 885 policy->DidReceiveHeader(test.policy2, |
878 kContentSecurityPolicyHeaderTypeEnforce, | 886 kContentSecurityPolicyHeaderTypeEnforce, |
879 kContentSecurityPolicyHeaderSourceHTTP); | 887 kContentSecurityPolicyHeaderSourceHTTP); |
880 EXPECT_EQ(test.allowed1 && test.allowed2, | 888 EXPECT_EQ(test.allowed1 && test.allowed2, |
881 policy->AllowScriptFromSource( | 889 policy->AllowScriptFromSource( |
882 resource, String(test.nonce), IntegrityMetadataSet(), | 890 resource, String(test.nonce), IntegrityMetadataSet(), |
883 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 891 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
884 SecurityViolationReportingPolicy::kReport, | 892 SecurityViolationReportingPolicy::kReport, |
885 ContentSecurityPolicy::CheckHeaderType::kCheckEnforce)); | 893 ContentSecurityPolicy::CheckHeaderType::kCheckEnforce)); |
886 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); | 894 EXPECT_EQ(expected_reports, policy->violation_reports_sent_.size()); |
887 | 895 |
888 // Report / Report | 896 // Report / Report |
889 policy = ContentSecurityPolicy::Create(); | 897 policy = ContentSecurityPolicy::Create(); |
890 policy->BindToExecutionContext(document.Get()); | 898 policy->BindToExecutionContext(execution_context.Get()); |
891 policy->DidReceiveHeader(test.policy1, | 899 policy->DidReceiveHeader(test.policy1, |
892 kContentSecurityPolicyHeaderTypeReport, | 900 kContentSecurityPolicyHeaderTypeReport, |
893 kContentSecurityPolicyHeaderSourceHTTP); | 901 kContentSecurityPolicyHeaderSourceHTTP); |
894 policy->DidReceiveHeader(test.policy2, | 902 policy->DidReceiveHeader(test.policy2, |
895 kContentSecurityPolicyHeaderTypeReport, | 903 kContentSecurityPolicyHeaderTypeReport, |
896 kContentSecurityPolicyHeaderSourceHTTP); | 904 kContentSecurityPolicyHeaderSourceHTTP); |
897 EXPECT_TRUE(policy->AllowScriptFromSource( | 905 EXPECT_TRUE(policy->AllowScriptFromSource( |
898 resource, String(test.nonce), IntegrityMetadataSet(), kParserInserted, | 906 resource, String(test.nonce), IntegrityMetadataSet(), kParserInserted, |
899 ResourceRequest::RedirectStatus::kNoRedirect, | 907 ResourceRequest::RedirectStatus::kNoRedirect, |
900 SecurityViolationReportingPolicy::kReport, | 908 SecurityViolationReportingPolicy::kReport, |
1031 | 1039 |
1032 // `other` is stricter than `this`. | 1040 // `other` is stricter than `this`. |
1033 other->DidReceiveHeader("default-src https://example.com;", | 1041 other->DidReceiveHeader("default-src https://example.com;", |
1034 kContentSecurityPolicyHeaderTypeEnforce, | 1042 kContentSecurityPolicyHeaderTypeEnforce, |
1035 kContentSecurityPolicyHeaderSourceHTTP); | 1043 kContentSecurityPolicyHeaderSourceHTTP); |
1036 EXPECT_TRUE(csp->Subsumes(*other)); | 1044 EXPECT_TRUE(csp->Subsumes(*other)); |
1037 } | 1045 } |
1038 | 1046 |
1039 TEST_F(ContentSecurityPolicyTest, RequestsAllowedWhenBypassingCSP) { | 1047 TEST_F(ContentSecurityPolicyTest, RequestsAllowedWhenBypassingCSP) { |
1040 KURL base; | 1048 KURL base; |
1041 document = Document::Create(); | 1049 execution_context = CreateExecutionContext(); |
1042 document->SetSecurityOrigin(secure_origin); // https://example.com | 1050 execution_context->SetSecurityOrigin(secure_origin); // https://example.com |
1043 document->SetURL(secure_url); // https://example.com | 1051 execution_context->SetURL(secure_url); // https://example.com |
1044 csp->BindToExecutionContext(document.Get()); | 1052 csp->BindToExecutionContext(execution_context.Get()); |
1045 csp->DidReceiveHeader("default-src https://example.com", | 1053 csp->DidReceiveHeader("default-src https://example.com", |
1046 kContentSecurityPolicyHeaderTypeEnforce, | 1054 kContentSecurityPolicyHeaderTypeEnforce, |
1047 kContentSecurityPolicyHeaderSourceHTTP); | 1055 kContentSecurityPolicyHeaderSourceHTTP); |
1048 | 1056 |
1049 EXPECT_TRUE(csp->AllowRequest( | 1057 EXPECT_TRUE(csp->AllowRequest( |
1050 WebURLRequest::kRequestContextObject, KURL(base, "https://example.com/"), | 1058 WebURLRequest::kRequestContextObject, KURL(base, "https://example.com/"), |
1051 String(), IntegrityMetadataSet(), kParserInserted, | 1059 String(), IntegrityMetadataSet(), kParserInserted, |
1052 ResourceRequest::RedirectStatus::kNoRedirect, | 1060 ResourceRequest::RedirectStatus::kNoRedirect, |
1053 SecurityViolationReportingPolicy::kSuppressReporting)); | 1061 SecurityViolationReportingPolicy::kSuppressReporting)); |
1054 | 1062 |
1071 WebURLRequest::kRequestContextObject, | 1079 WebURLRequest::kRequestContextObject, |
1072 KURL(base, "https://not-example.com/"), String(), IntegrityMetadataSet(), | 1080 KURL(base, "https://not-example.com/"), String(), IntegrityMetadataSet(), |
1073 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 1081 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
1074 SecurityViolationReportingPolicy::kSuppressReporting)); | 1082 SecurityViolationReportingPolicy::kSuppressReporting)); |
1075 | 1083 |
1076 SchemeRegistry::RemoveURLSchemeRegisteredAsBypassingContentSecurityPolicy( | 1084 SchemeRegistry::RemoveURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
1077 "https"); | 1085 "https"); |
1078 } | 1086 } |
1079 TEST_F(ContentSecurityPolicyTest, FilesystemAllowedWhenBypassingCSP) { | 1087 TEST_F(ContentSecurityPolicyTest, FilesystemAllowedWhenBypassingCSP) { |
1080 KURL base; | 1088 KURL base; |
1081 document = Document::Create(); | 1089 execution_context = CreateExecutionContext(); |
1082 document->SetSecurityOrigin(secure_origin); // https://example.com | 1090 execution_context->SetSecurityOrigin(secure_origin); // https://example.com |
1083 document->SetURL(secure_url); // https://example.com | 1091 execution_context->SetURL(secure_url); // https://example.com |
1084 csp->BindToExecutionContext(document.Get()); | 1092 csp->BindToExecutionContext(execution_context.Get()); |
1085 csp->DidReceiveHeader("default-src https://example.com", | 1093 csp->DidReceiveHeader("default-src https://example.com", |
1086 kContentSecurityPolicyHeaderTypeEnforce, | 1094 kContentSecurityPolicyHeaderTypeEnforce, |
1087 kContentSecurityPolicyHeaderSourceHTTP); | 1095 kContentSecurityPolicyHeaderSourceHTTP); |
1088 | 1096 |
1089 EXPECT_FALSE( | 1097 EXPECT_FALSE( |
1090 csp->AllowRequest(WebURLRequest::kRequestContextObject, | 1098 csp->AllowRequest(WebURLRequest::kRequestContextObject, |
1091 KURL(base, "filesystem:https://example.com/file.txt"), | 1099 KURL(base, "filesystem:https://example.com/file.txt"), |
1092 String(), IntegrityMetadataSet(), kParserInserted, | 1100 String(), IntegrityMetadataSet(), kParserInserted, |
1093 ResourceRequest::RedirectStatus::kNoRedirect, | 1101 ResourceRequest::RedirectStatus::kNoRedirect, |
1094 SecurityViolationReportingPolicy::kSuppressReporting)); | 1102 SecurityViolationReportingPolicy::kSuppressReporting)); |
1116 IntegrityMetadataSet(), kParserInserted, | 1124 IntegrityMetadataSet(), kParserInserted, |
1117 ResourceRequest::RedirectStatus::kNoRedirect, | 1125 ResourceRequest::RedirectStatus::kNoRedirect, |
1118 SecurityViolationReportingPolicy::kSuppressReporting)); | 1126 SecurityViolationReportingPolicy::kSuppressReporting)); |
1119 | 1127 |
1120 SchemeRegistry::RemoveURLSchemeRegisteredAsBypassingContentSecurityPolicy( | 1128 SchemeRegistry::RemoveURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
1121 "https"); | 1129 "https"); |
1122 } | 1130 } |
1123 | 1131 |
1124 TEST_F(ContentSecurityPolicyTest, BlobAllowedWhenBypassingCSP) { | 1132 TEST_F(ContentSecurityPolicyTest, BlobAllowedWhenBypassingCSP) { |
1125 KURL base; | 1133 KURL base; |
1126 document = Document::Create(); | 1134 execution_context = CreateExecutionContext(); |
1127 document->SetSecurityOrigin(secure_origin); // https://example.com | 1135 execution_context->SetSecurityOrigin(secure_origin); // https://example.com |
1128 document->SetURL(secure_url); // https://example.com | 1136 execution_context->SetURL(secure_url); // https://example.com |
1129 csp->BindToExecutionContext(document.Get()); | 1137 csp->BindToExecutionContext(execution_context.Get()); |
1130 csp->DidReceiveHeader("default-src https://example.com", | 1138 csp->DidReceiveHeader("default-src https://example.com", |
1131 kContentSecurityPolicyHeaderTypeEnforce, | 1139 kContentSecurityPolicyHeaderTypeEnforce, |
1132 kContentSecurityPolicyHeaderSourceHTTP); | 1140 kContentSecurityPolicyHeaderSourceHTTP); |
1133 | 1141 |
1134 EXPECT_FALSE(csp->AllowRequest( | 1142 EXPECT_FALSE(csp->AllowRequest( |
1135 WebURLRequest::kRequestContextObject, | 1143 WebURLRequest::kRequestContextObject, |
1136 KURL(base, "blob:https://example.com/"), String(), IntegrityMetadataSet(), | 1144 KURL(base, "blob:https://example.com/"), String(), IntegrityMetadataSet(), |
1137 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, | 1145 kParserInserted, ResourceRequest::RedirectStatus::kNoRedirect, |
1138 SecurityViolationReportingPolicy::kSuppressReporting)); | 1146 SecurityViolationReportingPolicy::kSuppressReporting)); |
1139 | 1147 |
1158 KURL(base, "blob:https://not-example.com/"), String(), | 1166 KURL(base, "blob:https://not-example.com/"), String(), |
1159 IntegrityMetadataSet(), kParserInserted, | 1167 IntegrityMetadataSet(), kParserInserted, |
1160 ResourceRequest::RedirectStatus::kNoRedirect, | 1168 ResourceRequest::RedirectStatus::kNoRedirect, |
1161 SecurityViolationReportingPolicy::kSuppressReporting)); | 1169 SecurityViolationReportingPolicy::kSuppressReporting)); |
1162 | 1170 |
1163 SchemeRegistry::RemoveURLSchemeRegisteredAsBypassingContentSecurityPolicy( | 1171 SchemeRegistry::RemoveURLSchemeRegisteredAsBypassingContentSecurityPolicy( |
1164 "https"); | 1172 "https"); |
1165 } | 1173 } |
1166 | 1174 |
1167 } // namespace blink | 1175 } // namespace blink |