Chromium Code Reviews Chromium Code Reviews
Issue 901903003:
CSP: Adding the 'upgrade-insecure-requests' directive. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (c) 2013, Google Inc. All rights reserved. | 2 * Copyright (c) 2013, Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
| 6 * met: | 6 * met: |
| 7 * | 7 * |
| 8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 33 | 33 |
| 34 #include <gtest/gtest.h> | 34 #include <gtest/gtest.h> |
| 35 #include "core/fetch/FetchInitiatorInfo.h" | 35 #include "core/fetch/FetchInitiatorInfo.h" |
| 36 #include "core/fetch/FetchRequest.h" | 36 #include "core/fetch/FetchRequest.h" |
| 37 #include "core/fetch/ImageResource.h" | 37 #include "core/fetch/ImageResource.h" |
| 38 #include "core/fetch/MemoryCache.h" | 38 #include "core/fetch/MemoryCache.h" |
| 39 #include "core/fetch/ResourcePtr.h" | 39 #include "core/fetch/ResourcePtr.h" |
| 40 #include "core/html/HTMLDocument.h" | 40 #include "core/html/HTMLDocument.h" |
| 41 #include "core/loader/DocumentLoader.h" | 41 #include "core/loader/DocumentLoader.h" |
| 42 #include "platform/network/ResourceRequest.h" | 42 #include "platform/network/ResourceRequest.h" |
| 43 #include "platform/weborigin/KURL.h" | |
| 44 #include "platform/weborigin/SecurityOrigin.h" | |
| 43 | 45 |
| 44 using namespace blink; | 46 namespace blink { |
| 45 | 47 |
| 46 namespace { | 48 class ResourceFetcherTest : public ::testing::Test { |
| 49 public: | |
| 50 ResourceFetcherTest() | |
| 51 : secureURL(ParsedURLString, "https://example.test/image.png") | |
| 52 , insecureURL(ParsedURLString, "http://example.test/image.png") | |
| 53 , secureOrigin(SecurityOrigin::create(secureURL)) | |
| 54 , insecureOrigin(SecurityOrigin::create(insecureURL)) | |
| 55 { | |
| 56 } | |
| 47 | 57 |
| 48 TEST(ResourceFetcherTest, StartLoadAfterFrameDetach) | 58 protected: |
| 59 virtual void SetUp() | |
| 60 { | |
| 61 // Create a ResourceFetcher that has a real DocumentLoader and Document, but is not attached to a LocalFrame. | |
| 62 // Technically, we're concerned about what happens after a LocalFrame is detached (rather than before | |
| 63 // any attach occurs), but ResourceFetcher can't tell the difference. | |
| 64 documentLoader = DocumentLoader::create(0, ResourceRequest(secureURL), S ubstituteData()); | |
| 65 document = Document::create(); | |
| 66 fetcher = documentLoader->fetcher(); | |
| 67 fetcher->setDocument(document.get()); | |
| 68 } | |
| 69 | |
| 70 void expectUpgrade(const char* input, const char* expected) | |
| 71 { | |
| 72 KURL inputURL(ParsedURLString, input); | |
| 73 KURL expectedURL(ParsedURLString, expected); | |
| 74 | |
| 75 FetchRequest fetchRequest = FetchRequest(ResourceRequest(inputURL), Fetc hInitiatorInfo()); | |
| 76 fetcher->maybeUpgradeInsecureRequestURL(fetchRequest); | |
| 77 EXPECT_STREQ(expectedURL.string().utf8().data(), fetchRequest.resourceRe quest().url().string().utf8().data()); | |
| 78 EXPECT_EQ(expectedURL.protocol(), fetchRequest.resourceRequest().url().p rotocol()); | |
| 79 EXPECT_EQ(expectedURL.host(), fetchRequest.resourceRequest().url().host( )); | |
| 80 EXPECT_EQ(expectedURL.port(), fetchRequest.resourceRequest().url().port( )); | |
| 81 EXPECT_EQ(expectedURL.hasPort(), fetchRequest.resourceRequest().url().ha sPort()); | |
| 82 EXPECT_EQ(expectedURL.path(), fetchRequest.resourceRequest().url().path( )); | |
| 83 } | |
| 84 | |
| 85 KURL secureURL; | |
| 86 KURL insecureURL; | |
| 87 RefPtr<SecurityOrigin> secureOrigin; | |
| 88 RefPtr<SecurityOrigin> insecureOrigin; | |
|
Yoav Weiss
2015/02/06 09:58:36
Is insecureOrigin used anywhere?
| |
| 89 RefPtr<DocumentLoader> documentLoader; | |
|
Yoav Weiss
2015/02/06 09:58:36
documentLoader is a member only because we want to
| |
| 90 RefPtrWillBeRawPtr<ResourceFetcher> fetcher; | |
| 91 | |
| 92 RefPtrWillBePersistent<Document> document; | |
|
Yoav Weiss
2015/02/06 09:58:36
Not sure if it's a requirement or just commonly us
| |
| 93 }; | |
| 94 | |
| 95 TEST_F(ResourceFetcherTest, StartLoadAfterFrameDetach) | |
| 49 { | 96 { |
| 50 KURL testURL(ParsedURLString, "http://www.test.com/cancelTest.jpg"); | |
| 51 | |
| 52 // Create a ResourceFetcher that has a real DocumentLoader and Document, but is not attached to a LocalFrame. | |
| 53 // Technically, we're concerned about what happens after a LocalFrame is det ached (rather than before | |
| 54 // any attach occurs), but ResourceFetcher can't tell the difference. | |
| 55 RefPtr<DocumentLoader> documentLoader = DocumentLoader::create(0, ResourceRe quest(testURL), SubstituteData()); | |
| 56 RefPtrWillBeRawPtr<HTMLDocument> document = HTMLDocument::create(); | |
| 57 RefPtrWillBeRawPtr<ResourceFetcher> fetcher(documentLoader->fetcher()); | |
| 58 fetcher->setDocument(document.get()); | |
| 59 EXPECT_EQ(fetcher->frame(), static_cast<LocalFrame*>(0)); | 97 EXPECT_EQ(fetcher->frame(), static_cast<LocalFrame*>(0)); |
| 60 | 98 |
| 61 // Try to request a url. The request should fail, no resource should be retu rned, | 99 // Try to request a url. The request should fail, no resource should be retu rned, |
| 62 // and no resource should be present in the cache. | 100 // and no resource should be present in the cache. |
| 63 FetchRequest fetchRequest = FetchRequest(ResourceRequest(testURL), FetchInit iatorInfo()); | 101 FetchRequest fetchRequest = FetchRequest(ResourceRequest(insecureURL), Fetch InitiatorInfo()); |
| 64 ResourcePtr<ImageResource> image = fetcher->fetchImage(fetchRequest); | 102 ResourcePtr<ImageResource> image = fetcher->fetchImage(fetchRequest); |
| 65 EXPECT_EQ(image.get(), static_cast<ImageResource*>(0)); | 103 EXPECT_EQ(image.get(), static_cast<ImageResource*>(0)); |
| 66 EXPECT_EQ(memoryCache()->resourceForURL(testURL), static_cast<Resource*>(0)) ; | 104 EXPECT_EQ(memoryCache()->resourceForURL(insecureURL), static_cast<Resource*> (0)); |
| 105 } | |
| 106 | |
| 107 TEST_F(ResourceFetcherTest, UpgradeInsecureResourceRequests) | |
| 108 { | |
| 109 document->setSecurityOrigin(secureOrigin); | |
| 110 document->setInsecureContentPolicy(SecurityContext::InsecureContentUpgrade); | |
| 111 | |
| 112 expectUpgrade("http://example.test/image.png", "https://example.test/image.p ng"); | |
| 113 expectUpgrade("http://example.test:80/image.png", "https://example.test:443/ image.png"); | |
| 114 expectUpgrade("http://example.test:1212/image.png", "https://example.test:12 12/image.png"); | |
| 115 | |
| 116 expectUpgrade("https://example.test/image.png", "https://example.test/image. png"); | |
| 117 expectUpgrade("https://example.test:80/image.png", "https://example.test:80/ image.png"); | |
| 118 expectUpgrade("https://example.test:1212/image.png", "https://example.test:1 212/image.png"); | |
| 119 | |
| 120 expectUpgrade("ftp://example.test/image.png", "ftp://example.test/image.png" ); | |
| 121 expectUpgrade("ftp://example.test:21/image.png", "ftp://example.test:21/imag e.png"); | |
| 122 expectUpgrade("ftp://example.test:1212/image.png", "ftp://example.test:1212/ image.png"); | |
| 123 } | |
| 124 | |
| 125 TEST_F(ResourceFetcherTest, DoNotUpgradeInsecureResourceRequests) | |
| 126 { | |
| 127 document->setSecurityOrigin(secureOrigin); | |
| 128 document->setInsecureContentPolicy(SecurityContext::InsecureContentDoNotUpgr ade); | |
| 129 | |
| 130 expectUpgrade("http://example.test/image.png", "http://example.test/image.pn g"); | |
| 131 expectUpgrade("http://example.test:80/image.png", "http://example.test:80/im age.png"); | |
| 132 expectUpgrade("http://example.test:1212/image.png", "http://example.test:121 2/image.png"); | |
| 133 | |
| 134 expectUpgrade("https://example.test/image.png", "https://example.test/image. png"); | |
| 135 expectUpgrade("https://example.test:80/image.png", "https://example.test:80/ image.png"); | |
| 136 expectUpgrade("https://example.test:1212/image.png", "https://example.test:1 212/image.png"); | |
| 137 | |
| 138 expectUpgrade("ftp://example.test/image.png", "ftp://example.test/image.png" ); | |
| 139 expectUpgrade("ftp://example.test:21/image.png", "ftp://example.test:21/imag e.png"); | |
| 140 expectUpgrade("ftp://example.test:1212/image.png", "ftp://example.test:1212/ image.png"); | |
| 141 } | |
| 142 | |
| 143 TEST_F(ResourceFetcherTest, MonitorInsecureResourceRequests) | |
| 144 { | |
| 145 document->setSecurityOrigin(secureOrigin); | |
| 146 document->setInsecureContentPolicy(SecurityContext::InsecureContentMonitor); | |
| 147 | |
| 148 expectUpgrade("http://example.test/image.png", "http://example.test/image.pn g"); | |
| 149 expectUpgrade("http://example.test:80/image.png", "http://example.test:80/im age.png"); | |
| 150 expectUpgrade("http://example.test:1212/image.png", "http://example.test:121 2/image.png"); | |
| 151 | |
| 152 expectUpgrade("https://example.test/image.png", "https://example.test/image. png"); | |
| 153 expectUpgrade("https://example.test:80/image.png", "https://example.test:80/ image.png"); | |
| 154 expectUpgrade("https://example.test:1212/image.png", "https://example.test:1 212/image.png"); | |
| 155 | |
| 156 expectUpgrade("ftp://example.test/image.png", "ftp://example.test/image.png" ); | |
| 157 expectUpgrade("ftp://example.test:21/image.png", "ftp://example.test:21/imag e.png"); | |
| 158 expectUpgrade("ftp://example.test:1212/image.png", "ftp://example.test:1212/ image.png"); | |
| 67 } | 159 } |
| 68 | 160 |
| 69 } // namespace | 161 } // namespace |
| OLD | NEW |
