| Index: Source/core/frame/SubresourceIntegrityTest.cpp
|
| diff --git a/Source/core/frame/SubresourceIntegrityTest.cpp b/Source/core/frame/SubresourceIntegrityTest.cpp
|
| index 560a37f5b76b8031a96c674f59c0863af545b0f0..ecfdeed38952f1c74298e5595e8d0ed55a8a2eec 100644
|
| --- a/Source/core/frame/SubresourceIntegrityTest.cpp
|
| +++ b/Source/core/frame/SubresourceIntegrityTest.cpp
|
| @@ -7,6 +7,8 @@
|
|
|
| #include "core/HTMLNames.h"
|
| #include "core/dom/Document.h"
|
| +#include "core/fetch/Resource.h"
|
| +#include "core/fetch/ResourcePtr.h"
|
| #include "core/html/HTMLScriptElement.h"
|
| #include "platform/Crypto.h"
|
| #include "platform/weborigin/KURL.h"
|
| @@ -136,16 +138,35 @@ protected:
|
| EXPECT_FALSE(SubresourceIntegrity::parseIntegrityAttribute(integrityAttribute, digest, algorithm, type, *document));
|
| }
|
|
|
| - void expectIntegrity(const char* integrity, const char* script, const KURL& url, const String& mimeType = String())
|
| + enum CorsStatus {
|
| + WithCors,
|
| + NoCors
|
| + };
|
| +
|
| + void expectIntegrity(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String(), CorsStatus corsStatus = WithCors)
|
| {
|
| scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
|
| - EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType));
|
| + EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType, *createTestResource(url, requestorUrl, corsStatus).get()));
|
| }
|
|
|
| - void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const String& mimeType = String())
|
| + void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String(), CorsStatus corsStatus = WithCors)
|
| {
|
| scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
|
| - EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType));
|
| + EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType, *createTestResource(url, requestorUrl, corsStatus).get()));
|
| + }
|
| +
|
| + ResourcePtr<Resource> createTestResource(const KURL& url, const KURL& allowOriginUrl, CorsStatus corsStatus)
|
| + {
|
| + OwnPtr<ResourceResponse> response = adoptPtr(new ResourceResponse);
|
| + response->setURL(url);
|
| + response->setHTTPStatusCode(200);
|
| + if (corsStatus == WithCors) {
|
| + response->setHTTPHeaderField("access-control-allow-origin", SecurityOrigin::create(allowOriginUrl)->toAtomicString());
|
| + response->setHTTPHeaderField("access-control-allow-credentials", "true");
|
| + }
|
| + ResourcePtr<Resource> resource = new Resource(ResourceRequest(response->url()), Resource::Raw);
|
| + resource->setResponse(*response);
|
| + return resource;
|
| }
|
|
|
| KURL secureURL;
|
| @@ -273,27 +294,37 @@ TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin)
|
| document->updateSecurityOrigin(secureOrigin->isolatedCopy());
|
|
|
| // Verify basic sha256, sha384, and sha512 integrity checks.
|
| - expectIntegrity(kSha256Integrity, kBasicScript, secureURL);
|
| - expectIntegrity(kSha384Integrity, kBasicScript, secureURL);
|
| - expectIntegrity(kSha512Integrity, kBasicScript, secureURL);
|
| + expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL);
|
| + expectIntegrity(kSha384Integrity, kBasicScript, secureURL, secureURL);
|
| + expectIntegrity(kSha512Integrity, kBasicScript, secureURL, secureURL);
|
|
|
| // The hash label must match the hash value.
|
| - expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL);
|
| + expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL, secureURL);
|
|
|
| // Unsupported hash functions should fail.
|
| - expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL);
|
| + expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, secureURL);
|
| +
|
| + // All parameters are fine, and because this is not cross origin, CORS is
|
| + // not needed.
|
| + expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL, String(), NoCors);
|
| }
|
|
|
| TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
|
| {
|
| - // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass here.
|
| + // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass
|
| + // here, with the expection of the NoCors check at the end.
|
| document->updateSecurityOrigin(insecureOrigin->isolatedCopy());
|
|
|
| - expectIntegrity(kSha256Integrity, kBasicScript, secureURL);
|
| - expectIntegrity(kSha384Integrity, kBasicScript, secureURL);
|
| - expectIntegrity(kSha512Integrity, kBasicScript, secureURL);
|
| - expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL);
|
| - expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL);
|
| + expectIntegrity(kSha256Integrity, kBasicScript, secureURL, insecureURL);
|
| + expectIntegrity(kSha384Integrity, kBasicScript, secureURL, insecureURL);
|
| + expectIntegrity(kSha512Integrity, kBasicScript, secureURL, insecureURL);
|
| + expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL, insecureURL);
|
| + expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, insecureURL);
|
| +
|
| + // This check should fail because, unlike in the
|
| + // CheckSubresourceIntegirtyInSecureOrigin case, this is cross origin
|
| + // (secure origin requesting a resource on an insecure origin)
|
| + expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, insecureURL, String(), NoCors);
|
| }
|
|
|
| } // namespace blink
|
|
|
Chromium Code Reviews
Issue 954233003:
Enable SRI only for same origin and CORS content. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master