
Side by Side Diff: Source/core/frame/SubresourceIntegrityTest.cpp

Issue 954233003: Enable SRI only for same origin and CORS content. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixed test failures Created 5 years, 9 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "config.h" 5 #include "config.h"
6 #include "core/frame/SubresourceIntegrity.h" 6 #include "core/frame/SubresourceIntegrity.h"
7 7
8 #include "core/HTMLNames.h" 8 #include "core/HTMLNames.h"
9 #include "core/dom/Document.h" 9 #include "core/dom/Document.h"
10 #include "core/fetch/Resource.h"
11 #include "core/fetch/ResourcePtr.h"
10 #include "core/html/HTMLScriptElement.h" 12 #include "core/html/HTMLScriptElement.h"
11 #include "platform/Crypto.h" 13 #include "platform/Crypto.h"
12 #include "platform/weborigin/KURL.h" 14 #include "platform/weborigin/KURL.h"
13 #include "platform/weborigin/SecurityOrigin.h" 15 #include "platform/weborigin/SecurityOrigin.h"
14 #include "wtf/RefPtr.h" 16 #include "wtf/RefPtr.h"
15 #include "wtf/text/WTFString.h" 17 #include "wtf/text/WTFString.h"
16 #include <gtest/gtest.h> 18 #include <gtest/gtest.h>
17 19
18 namespace blink { 20 namespace blink {
19 21
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after
129 131
130 void expectParseFailure(const char* integrityAttribute) 132 void expectParseFailure(const char* integrityAttribute)
131 { 133 {
132 String digest; 134 String digest;
133 HashAlgorithm algorithm; 135 HashAlgorithm algorithm;
134 String type; 136 String type;
135 137
136 EXPECT_FALSE(SubresourceIntegrity::parseIntegrityAttribute(integrityAttr ibute, digest, algorithm, type, *document)); 138 EXPECT_FALSE(SubresourceIntegrity::parseIntegrityAttribute(integrityAttr ibute, digest, algorithm, type, *document));
137 } 139 }
138 140
139 void expectIntegrity(const char* integrity, const char* script, const KURL& url, const String& mimeType = String()) 141 enum CorsStatus {
142 WithCors,
143 NoCors
144 };
145
146 void expectIntegrity(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String(), CorsStatus cor sStatus = WithCors)
140 { 147 {
141 scriptElement->setAttribute(HTMLNames::integrityAttr, integrity); 148 scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
142 EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptEleme nt, script, url, mimeType)); 149 EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptEleme nt, script, url, mimeType, *createTestResource(url, requestorUrl, corsStatus).ge t()));
143 } 150 }
144 151
145 void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const String& mimeType = String()) 152 void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String(), CorsSta tus corsStatus = WithCors)
146 { 153 {
147 scriptElement->setAttribute(HTMLNames::integrityAttr, integrity); 154 scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
148 EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElem ent, script, url, mimeType)); 155 EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElem ent, script, url, mimeType, *createTestResource(url, requestorUrl, corsStatus).g et()));
156 }
157
158 ResourcePtr<Resource> createTestResource(const KURL& url, const KURL& allowO riginUrl, CorsStatus corsStatus)
159 {
160 OwnPtr<ResourceResponse> response = adoptPtr(new ResourceResponse);
161 response->setURL(url);
162 response->setHTTPStatusCode(200);
163 if (corsStatus == WithCors) {
164 response->setHTTPHeaderField("access-control-allow-origin", Security Origin::create(allowOriginUrl)->toAtomicString());
165 response->setHTTPHeaderField("access-control-allow-credentials", "tr ue");
166 }
167 ResourcePtr<Resource> resource = new Resource(ResourceRequest(response-> url()), Resource::Raw);
168 resource->setResponse(*response);
169 return resource;
149 } 170 }
150 171
151 KURL secureURL; 172 KURL secureURL;
152 KURL insecureURL; 173 KURL insecureURL;
153 RefPtr<SecurityOrigin> secureOrigin; 174 RefPtr<SecurityOrigin> secureOrigin;
154 RefPtr<SecurityOrigin> insecureOrigin; 175 RefPtr<SecurityOrigin> insecureOrigin;
155 176
156 RefPtrWillBePersistent<Document> document; 177 RefPtrWillBePersistent<Document> document;
157 RefPtrWillBePersistent<HTMLScriptElement> scriptElement; 178 RefPtrWillBePersistent<HTMLScriptElement> scriptElement;
158 }; 179 };
(...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after
266 287
267 // 288 //
268 // End-to-end tests of ::CheckSubresourceIntegrity. 289 // End-to-end tests of ::CheckSubresourceIntegrity.
269 // 290 //
270 291
271 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin) 292 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin)
272 { 293 {
273 document->updateSecurityOrigin(secureOrigin->isolatedCopy()); 294 document->updateSecurityOrigin(secureOrigin->isolatedCopy());
274 295
275 // Verify basic sha256, sha384, and sha512 integrity checks. 296 // Verify basic sha256, sha384, and sha512 integrity checks.
276 expectIntegrity(kSha256Integrity, kBasicScript, secureURL); 297 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL);
277 expectIntegrity(kSha384Integrity, kBasicScript, secureURL); 298 expectIntegrity(kSha384Integrity, kBasicScript, secureURL, secureURL);
278 expectIntegrity(kSha512Integrity, kBasicScript, secureURL); 299 expectIntegrity(kSha512Integrity, kBasicScript, secureURL, secureURL);
279 300
280 // The hash label must match the hash value. 301 // The hash label must match the hash value.
281 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL ); 302 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL , secureURL);
282 303
283 // Unsupported hash functions should fail. 304 // Unsupported hash functions should fail.
284 expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secu reURL); 305 expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secu reURL, secureURL);
306
307 // All parameters are fine, and because this is not cross origin, CORS is
308 // not needed.
309 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL, String (), NoCors);
285 } 310 }
286 311
287 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin) 312 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
288 { 313 {
289 // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass he re. 314 // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass
315 // here, with the expection of the NoCors check at the end.
290 document->updateSecurityOrigin(insecureOrigin->isolatedCopy()); 316 document->updateSecurityOrigin(insecureOrigin->isolatedCopy());
291 317
292 expectIntegrity(kSha256Integrity, kBasicScript, secureURL); 318 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, insecureURL);
293 expectIntegrity(kSha384Integrity, kBasicScript, secureURL); 319 expectIntegrity(kSha384Integrity, kBasicScript, secureURL, insecureURL);
294 expectIntegrity(kSha512Integrity, kBasicScript, secureURL); 320 expectIntegrity(kSha512Integrity, kBasicScript, secureURL, insecureURL);
295 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL ); 321 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL , insecureURL);
296 expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secu reURL); 322 expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secu reURL, insecureURL);
323
324 // This check should fail because, unlike in the
325 // CheckSubresourceIntegirtyInSecureOrigin case, this is cross origin
326 // (secure origin requesting a resource on an insecure origin)
327 expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, insecureUR L, String(), NoCors);
297 } 328 }
298 329
299 } // namespace blink 330 } // namespace blink
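Review bot: The comment on the new failure case at the end of CheckSubresourceIntegrityInInsecureOrigin states the direction backwards: the document is switched to insecureOrigin and the resource is fetched from secureURL, so this is an insecure origin requesting a resource on a secure origin; the same comment misspells the sibling test as `CheckSubresourceIntegirtyInSecureOrigin`, and the comment above it has `expection` for `exception`. Beyond wording, the new CORS coverage only distinguishes header-present from header-absent: createTestResource always sets `access-control-allow-origin` to the requestor's own origin, so an implementation that merely checked for the header's presence would pass every case in both tests. A mismatch case would pin the intended check, e.g. `expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, secureURL, String(), WithCors);` in the insecure-origin test, where the header names the secure origin while the document origin is insecure. Whether CheckSubresourceIntegrity actually compares that header against the document origin cannot be confirmed from this file.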
