Side by Side Diff: Source/core/frame/SubresourceIntegrityTest.cpp

Issue 954233003: Enable SRI only for same origin and CORS content. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebase on ToT Created 5 years, 9 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "config.h" 5 #include "config.h"
6 #include "core/frame/SubresourceIntegrity.h" 6 #include "core/frame/SubresourceIntegrity.h"
7 7
8 #include "core/HTMLNames.h" 8 #include "core/HTMLNames.h"
9 #include "core/dom/Document.h" 9 #include "core/dom/Document.h"
10 #include "core/fetch/Resource.h"
11 #include "core/fetch/ResourcePtr.h"
10 #include "core/html/HTMLScriptElement.h" 12 #include "core/html/HTMLScriptElement.h"
11 #include "platform/Crypto.h" 13 #include "platform/Crypto.h"
12 #include "platform/weborigin/KURL.h" 14 #include "platform/weborigin/KURL.h"
13 #include "platform/weborigin/SecurityOrigin.h" 15 #include "platform/weborigin/SecurityOrigin.h"
14 #include "wtf/RefPtr.h" 16 #include "wtf/RefPtr.h"
15 #include "wtf/text/WTFString.h" 17 #include "wtf/text/WTFString.h"
16 #include <gtest/gtest.h> 18 #include <gtest/gtest.h>
17 19
18 namespace blink { 20 namespace blink {
19 21
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after
129 131
130 void expectParseFailure(const char* integrityAttribute) 132 void expectParseFailure(const char* integrityAttribute)
131 { 133 {
132 String digest; 134 String digest;
133 HashAlgorithm algorithm; 135 HashAlgorithm algorithm;
134 String type; 136 String type;
135 137
136 EXPECT_FALSE(SubresourceIntegrity::parseIntegrityAttribute(integrityAttr ibute, digest, algorithm, type, *document)); 138 EXPECT_FALSE(SubresourceIntegrity::parseIntegrityAttribute(integrityAttr ibute, digest, algorithm, type, *document));
137 } 139 }
138 140
139 void expectIntegrity(const char* integrity, const char* script, const KURL& url, const String& mimeType = String()) 141 void expectIntegrity(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String())
140 { 142 {
141 scriptElement->setAttribute(HTMLNames::integrityAttr, integrity); 143 scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
142 EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptEleme nt, script, url, mimeType)); 144 EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptEleme nt, script, url, mimeType, *createTestResource(url, requestorUrl).get()));
143 } 145 }
144 146
145 void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const String& mimeType = String()) 147 void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String())
146 { 148 {
147 scriptElement->setAttribute(HTMLNames::integrityAttr, integrity); 149 scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
148 EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElem ent, script, url, mimeType)); 150 EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElem ent, script, url, mimeType, *createTestResource(url, requestorUrl).get()));
151 }
152
153 ResourcePtr<Resource> createTestResource(const KURL& url, const KURL& allowO riginUrl)
154 {
155 OwnPtr<ResourceResponse> response = adoptPtr(new ResourceResponse);
156 response->setURL(url);
157 response->setHTTPStatusCode(200);
158 response->setHTTPHeaderField("access-control-allow-origin", SecurityOrig in::create(allowOriginUrl)->toAtomicString());
Mike West 2015/03/06 03:19:37 It would be nice if this bit was parameterized; ri
jww 2015/03/06 08:24:21 Done.
159 response->setHTTPHeaderField("access-control-allow-credentials", "true") ;
160 ResourcePtr<Resource> resource = new Resource(ResourceRequest(response-> url()), Resource::Raw);
161 resource->setResponse(*response);
162 return resource;
149 } 163 }
150 164
151 KURL secureURL; 165 KURL secureURL;
152 KURL insecureURL; 166 KURL insecureURL;
153 RefPtr<SecurityOrigin> secureOrigin; 167 RefPtr<SecurityOrigin> secureOrigin;
154 RefPtr<SecurityOrigin> insecureOrigin; 168 RefPtr<SecurityOrigin> insecureOrigin;
155 169
156 RefPtrWillBePersistent<Document> document; 170 RefPtrWillBePersistent<Document> document;
157 RefPtrWillBePersistent<HTMLScriptElement> scriptElement; 171 RefPtrWillBePersistent<HTMLScriptElement> scriptElement;
158 }; 172 };
(...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after
266 280
267 // 281 //
268 // End-to-end tests of ::CheckSubresourceIntegrity. 282 // End-to-end tests of ::CheckSubresourceIntegrity.
269 // 283 //
270 284
271 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin) 285 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin)
272 { 286 {
273 document->updateSecurityOrigin(secureOrigin->isolatedCopy()); 287 document->updateSecurityOrigin(secureOrigin->isolatedCopy());
274 288
275 // Verify basic sha256, sha384, and sha512 integrity checks. 289 // Verify basic sha256, sha384, and sha512 integrity checks.
276 expectIntegrity(kSha256Integrity, kBasicScript, secureURL); 290 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL);
277 expectIntegrity(kSha384Integrity, kBasicScript, secureURL); 291 expectIntegrity(kSha384Integrity, kBasicScript, secureURL, secureURL);
278 expectIntegrity(kSha512Integrity, kBasicScript, secureURL); 292 expectIntegrity(kSha512Integrity, kBasicScript, secureURL, secureURL);
279 293
280 // The hash label must match the hash value. 294 // The hash label must match the hash value.
281 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL ); 295 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL , secureURL);
282 296
283 // Unsupported hash functions should fail. 297 // Unsupported hash functions should fail.
284 expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secu reURL); 298 expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secu reURL, secureURL);
285 } 299 }
286 300
287 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin) 301 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
288 { 302 {
289 // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass he re. 303 // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass he re.
290 document->updateSecurityOrigin(insecureOrigin->isolatedCopy()); 304 document->updateSecurityOrigin(insecureOrigin->isolatedCopy());
291 305
292 expectIntegrity(kSha256Integrity, kBasicScript, secureURL); 306 expectIntegrity(kSha256Integrity, kBasicScript, secureURL, insecureURL);
293 expectIntegrity(kSha384Integrity, kBasicScript, secureURL); 307 expectIntegrity(kSha384Integrity, kBasicScript, secureURL, insecureURL);
294 expectIntegrity(kSha512Integrity, kBasicScript, secureURL); 308 expectIntegrity(kSha512Integrity, kBasicScript, secureURL, insecureURL);
295 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL ); 309 expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL , insecureURL);
296 expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secu reURL); 310 expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secu reURL, insecureURL);
297 } 311 }
298 312
299 } // namespace blink 313 } // namespace blink
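Review bot: The end-to-end tests in the last hunk (CheckSubresourceIntegrityInSecureOrigin / CheckSubresourceIntegrityInInsecureOrigin) only cover responses whose access-control-allow-origin header matches the requesting origin, so the behaviour this CL introduces — a cross-origin response that is not CORS-eligible must not pass the integrity check — has no negative case. The existing helper already allows one without further changes, since `createTestResource(url, allowOriginUrl)` takes the allowed origin separately from the requestor: in CheckSubresourceIntegrityInInsecureOrigin, add `// A cross-origin response whose ACAO names another origin is not CORS-eligible, so SRI must not accept it.` followed by `expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, secureURL);`, which fetches secureURL from the insecure-origin document while the response only allows the secure origin. This assumes CheckSubresourceIntegrity compares the response against the document's security origin, which is not visible here; if it uses the request's origin instead, the test would need a ResourceRequest with a requestor origin set. A case with no ACAO header at all would also be worth covering once the header is optional in the helper.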