| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2013 Google Inc. All rights reserved. | 2 * Copyright (C) 2013 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
| 6 * met: | 6 * met: |
| 7 * | 7 * |
| 8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
| (...skipping 42 matching lines...) | |
| 53 TEST(SecurityOriginTest, ValidPortsCreateNonUniqueOrigins) | 53 TEST(SecurityOriginTest, ValidPortsCreateNonUniqueOrigins) |
| 54 { | 54 { |
| 55 int ports[] = { 0, 80, 443, 5000, MaxAllowedPort }; | 55 int ports[] = { 0, 80, 443, 5000, MaxAllowedPort }; |
| 56 | 56 |
| 57 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(ports); ++i) { | 57 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(ports); ++i) { |
| 58 RefPtr<SecurityOrigin> origin = SecurityOrigin::create("http", "example. com", ports[i]); | 58 RefPtr<SecurityOrigin> origin = SecurityOrigin::create("http", "example. com", ports[i]); |
| 59 EXPECT_FALSE(origin->isUnique()) << "Port " << ports[i] << " should not have generated a unique origin."; | 59 EXPECT_FALSE(origin->isUnique()) << "Port " << ports[i] << " should not have generated a unique origin."; |
| 60 } | 60 } |
| 61 } | 61 } |
| 62 | 62 |
| 63 TEST(SecurityOriginTest, CanAccessFeatureRequringSecureOrigin) | |
| 64 { | |
| 65 struct TestCase { | |
| 66 bool accessGranted; | |
| 67 const char* url; | |
| 68 }; | |
| 69 | |
| 70 TestCase inputs[] = { | |
| 71 // Access is granted to webservers running on localhost. | |
| 72 { true, "http://localhost" }, | |
| 73 { true, "http://localhost:100" }, | |
| 74 { true, "http://127.0.0.1" }, | |
| 75 { true, "http://[::1]" }, | |
| 76 { true, "http://[::1]:21" }, | |
| 77 { true, "http://127.0.0.1:8080" }, | |
| 78 { true, "ftp://127.0.0.1" }, | |
| 79 { true, "ftp://127.0.0.1:443" }, | |
| 80 { true, "ws://127.0.0.1" }, | |
| 81 | |
| 82 // Access is granted to all secure transports. | |
|
darin (slow to review)
2014/05/29 05:08:14
What about blob URLs generated from https:// pages
| |
| 83 { true, "https://foobar.com" }, | |
| 84 { true, "wss://foobar.com" }, | |
| 85 | |
| 86 // Access is denied to insecure transports. | |
| 87 { false, "ftp://foobar.com" }, | |
| 88 { false, "http://foobar.com" }, | |
| 89 { false, "http://foobar.com:443" }, | |
| 90 { false, "ws://foobar.com" }, | |
| 91 { false, "data:text/html;charset=utf-8;base64,PHNjcmlwdD5hbGVydCgnaGkhJy k8L3NjcmlwdD4=" }, | |
| 92 { false, "javascript:alert('hi')" }, | |
| 93 | |
| 94 // Access is granted to local files | |
| 95 { true, "file:///home/foobar/index.html" }, | |
| 96 }; | |
| 97 | |
| 98 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(inputs); ++i) { | |
| 99 SCOPED_TRACE(i); | |
| 100 RefPtr<SecurityOrigin> origin = SecurityOrigin::createFromString(inputs[ i].url); | |
| 101 EXPECT_EQ(inputs[i].accessGranted, origin->canAccessFeatureRequiringSecu reOrigin()); | |
| 102 } | |
| 103 | |
| 104 // Unique origins are not considered secure. | |
| 105 RefPtr<SecurityOrigin> uniqueOrigin = SecurityOrigin::createUnique(); | |
| 106 EXPECT_FALSE(uniqueOrigin->canAccessFeatureRequiringSecureOrigin()); | |
| 107 } | |
| 108 | |
| 63 } // namespace | 109 } // namespace |
| 64 | 110 |
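Review bot: The denied entries in `inputs` include no host that merely resembles a loopback name, so a host check written as a prefix or substring match would still pass this test. The implementation of `canAccessFeatureRequiringSecureOrigin()` is not shown on this page, so this is a coverage gap rather than a confirmed bug. Constructed rows such as `{ false, "http://localhost.foobar.com" },` and `{ false, "http://127.0.0.1.foobar.com" },` under "Access is denied to insecure transports" would pin exact-host matching. Separately, the test name `CanAccessFeatureRequringSecureOrigin` misspells `Requiring` and no longer matches the method it exercises.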