1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/ContentSecurityPolicy.h" | 5 #include "core/frame/csp/ContentSecurityPolicy.h" |
6 | 6 |
7 #include "core/frame/csp/CSPDirectiveList.h" | 7 #include "core/frame/csp/CSPDirectiveList.h" |
8 #include "core/html/HTMLScriptElement.h" | 8 #include "core/html/HTMLScriptElement.h" |
9 #include "core/testing/NullExecutionContext.h" | 9 #include "core/testing/NullExecutionContext.h" |
10 #include "platform/Crypto.h" | 10 #include "platform/Crypto.h" |
51 } cases[] = {{"default-src 'none'", kLeaveInsecureRequestsAlone}, | 51 } cases[] = {{"default-src 'none'", kLeaveInsecureRequestsAlone}, |
52 {"upgrade-insecure-requests", kUpgradeInsecureRequests}, | 52 {"upgrade-insecure-requests", kUpgradeInsecureRequests}, |
53 {"block-all-mixed-content", kBlockAllMixedContent}, | 53 {"block-all-mixed-content", kBlockAllMixedContent}, |
54 {"upgrade-insecure-requests; block-all-mixed-content", | 54 {"upgrade-insecure-requests; block-all-mixed-content", |
55 kUpgradeInsecureRequests | kBlockAllMixedContent}, | 55 kUpgradeInsecureRequests | kBlockAllMixedContent}, |
56 {"upgrade-insecure-requests, block-all-mixed-content", | 56 {"upgrade-insecure-requests, block-all-mixed-content", |
57 kUpgradeInsecureRequests | kBlockAllMixedContent}}; | 57 kUpgradeInsecureRequests | kBlockAllMixedContent}}; |
58 | 58 |
59 // Enforced | 59 // Enforced |
60 for (const auto& test : cases) { | 60 for (const auto& test : cases) { |
61 SCOPED_TRACE(testing::Message() << "[Enforce] Header: `" << test.header | 61 SCOPED_TRACE(testing::Message() |
62 << "`"); | 62 << "[Enforce] Header: `" << test.header << "`"); |
63 csp = ContentSecurityPolicy::Create(); | 63 csp = ContentSecurityPolicy::Create(); |
64 csp->DidReceiveHeader(test.header, kContentSecurityPolicyHeaderTypeEnforce, | 64 csp->DidReceiveHeader(test.header, kContentSecurityPolicyHeaderTypeEnforce, |
65 kContentSecurityPolicyHeaderSourceHTTP); | 65 kContentSecurityPolicyHeaderSourceHTTP); |
66 EXPECT_EQ(test.expected_policy, csp->GetInsecureRequestPolicy()); | 66 EXPECT_EQ(test.expected_policy, csp->GetInsecureRequestPolicy()); |
67 | 67 |
68 execution_context = CreateExecutionContext(); | 68 execution_context = CreateExecutionContext(); |
69 execution_context->SetSecurityOrigin(secure_origin); | 69 execution_context->SetSecurityOrigin(secure_origin); |
70 execution_context->SetURL(secure_url); | 70 execution_context->SetURL(secure_url); |
71 csp->BindToExecutionContext(execution_context.Get()); | 71 csp->BindToExecutionContext(execution_context.Get()); |
72 EXPECT_EQ(test.expected_policy, | 72 EXPECT_EQ(test.expected_policy, |
73 execution_context->GetInsecureRequestPolicy()); | 73 execution_context->GetInsecureRequestPolicy()); |
74 bool expect_upgrade = test.expected_policy & kUpgradeInsecureRequests; | 74 bool expect_upgrade = test.expected_policy & kUpgradeInsecureRequests; |
75 EXPECT_EQ(expect_upgrade, | 75 EXPECT_EQ(expect_upgrade, |
76 execution_context->InsecureNavigationsToUpgrade()->Contains( | 76 execution_context->InsecureNavigationsToUpgrade()->Contains( |
77 execution_context->Url().Host().Impl()->GetHash())); | 77 execution_context->Url().Host().Impl()->GetHash())); |
78 } | 78 } |
79 | 79 |
80 // Report-Only | 80 // Report-Only |
81 for (const auto& test : cases) { | 81 for (const auto& test : cases) { |
82 SCOPED_TRACE(testing::Message() << "[Report-Only] Header: `" << test.header | 82 SCOPED_TRACE(testing::Message() |
83 << "`"); | 83 << "[Report-Only] Header: `" << test.header << "`"); |
84 csp = ContentSecurityPolicy::Create(); | 84 csp = ContentSecurityPolicy::Create(); |
85 csp->DidReceiveHeader(test.header, kContentSecurityPolicyHeaderTypeReport, | 85 csp->DidReceiveHeader(test.header, kContentSecurityPolicyHeaderTypeReport, |
86 kContentSecurityPolicyHeaderSourceHTTP); | 86 kContentSecurityPolicyHeaderSourceHTTP); |
87 EXPECT_EQ(kLeaveInsecureRequestsAlone, csp->GetInsecureRequestPolicy()); | 87 EXPECT_EQ(kLeaveInsecureRequestsAlone, csp->GetInsecureRequestPolicy()); |
88 | 88 |
89 execution_context = CreateExecutionContext(); | 89 execution_context = CreateExecutionContext(); |
90 execution_context->SetSecurityOrigin(secure_origin); | 90 execution_context->SetSecurityOrigin(secure_origin); |
91 csp->BindToExecutionContext(execution_context.Get()); | 91 csp->BindToExecutionContext(execution_context.Get()); |
92 EXPECT_EQ(kLeaveInsecureRequestsAlone, | 92 EXPECT_EQ(kLeaveInsecureRequestsAlone, |
93 execution_context->GetInsecureRequestPolicy()); | 93 execution_context->GetInsecureRequestPolicy()); |
658 {"script-src 'nonce-yay'", "https://example.com/js", "yay", true}, | 658 {"script-src 'nonce-yay'", "https://example.com/js", "yay", true}, |
659 {"script-src https://example.com", "https://example.com/js", "", true}, | 659 {"script-src https://example.com", "https://example.com/js", "", true}, |
660 {"script-src https://example.com", "https://example.com/js", "yay", true}, | 660 {"script-src https://example.com", "https://example.com/js", "yay", true}, |
661 {"script-src https://example.com 'nonce-yay'", | 661 {"script-src https://example.com 'nonce-yay'", |
662 "https://not.example.com/js", "", false}, | 662 "https://not.example.com/js", "", false}, |
663 {"script-src https://example.com 'nonce-yay'", | 663 {"script-src https://example.com 'nonce-yay'", |
664 "https://not.example.com/js", "yay", true}, | 664 "https://not.example.com/js", "yay", true}, |
665 }; | 665 }; |
666 | 666 |
667 for (const auto& test : cases) { | 667 for (const auto& test : cases) { |
668 SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy << "`, URL: `" | 668 SCOPED_TRACE(testing::Message() |
669 << test.url << "`, Nonce: `" << test.nonce | 669 << "Policy: `" << test.policy << "`, URL: `" << test.url |
670 << "`"); | 670 << "`, Nonce: `" << test.nonce << "`"); |
671 KURL resource = KURL(KURL(), test.url); | 671 KURL resource = KURL(KURL(), test.url); |
672 | 672 |
673 unsigned expected_reports = test.allowed ? 0u : 1u; | 673 unsigned expected_reports = test.allowed ? 0u : 1u; |
674 | 674 |
675 // Single enforce-mode policy should match `test.expected`: | 675 // Single enforce-mode policy should match `test.expected`: |
676 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); | 676 Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::Create(); |
677 policy->BindToExecutionContext(execution_context.Get()); | 677 policy->BindToExecutionContext(execution_context.Get()); |
678 policy->DidReceiveHeader(test.policy, | 678 policy->DidReceiveHeader(test.policy, |
679 kContentSecurityPolicyHeaderTypeEnforce, | 679 kContentSecurityPolicyHeaderTypeEnforce, |
680 kContentSecurityPolicyHeaderSourceHTTP); | 680 kContentSecurityPolicyHeaderSourceHTTP); |
1258 "script-src http://127.0.0.1:8000 'none'")); | 1258 "script-src http://127.0.0.1:8000 'none'")); |
1259 EXPECT_FALSE( | 1259 EXPECT_FALSE( |
1260 ContentSecurityPolicy::IsValidCSPAttr("script-src 'none' 'none' 'none'")); | 1260 ContentSecurityPolicy::IsValidCSPAttr("script-src 'none' 'none' 'none'")); |
1261 | 1261 |
1262 // comma separated | 1262 // comma separated |
1263 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( | 1263 EXPECT_FALSE(ContentSecurityPolicy::IsValidCSPAttr( |
1264 "script-src 'none', object-src 'none'")); | 1264 "script-src 'none', object-src 'none'")); |
1265 } | 1265 } |
1266 | 1266 |
1267 } // namespace blink | 1267 } // namespace blink |