diff options
Diffstat (limited to 'chromium/third_party/blink/renderer/core/frame/csp/source_list_directive_test.cc')
-rw-r--r-- | chromium/third_party/blink/renderer/core/frame/csp/source_list_directive_test.cc | 119 |
1 files changed, 102 insertions, 17 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/csp/source_list_directive_test.cc b/chromium/third_party/blink/renderer/core/frame/csp/source_list_directive_test.cc index 80dd85238b9..55cca68f3c7 100644 --- a/chromium/third_party/blink/renderer/core/frame/csp/source_list_directive_test.cc +++ b/chromium/third_party/blink/renderer/core/frame/csp/source_list_directive_test.cc @@ -5,10 +5,9 @@ #include "third_party/blink/renderer/core/frame/csp/source_list_directive.h" #include "testing/gtest/include/gtest/gtest.h" -#include "third_party/blink/renderer/core/dom/document.h" -#include "third_party/blink/renderer/core/dom/document_init.h" #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h" #include "third_party/blink/renderer/core/frame/csp/csp_source.h" +#include "third_party/blink/renderer/core/testing/null_execution_context.h" #include "third_party/blink/renderer/platform/heap/heap.h" #include "third_party/blink/renderer/platform/loader/fetch/resource_request.h" #include "third_party/blink/renderer/platform/weborigin/kurl.h" @@ -33,23 +32,19 @@ class SourceListDirectiveTest : public testing::Test { void SetUp() override { KURL secure_url("https://example.test/image.png"); - scoped_refptr<SecurityOrigin> secure_origin( + context = MakeGarbageCollected<NullExecutionContext>(); + context->GetSecurityContext().SetSecurityOrigin( SecurityOrigin::Create(secure_url)); - DocumentInit init = - DocumentInit::Create().WithOriginToCommit(secure_origin); - document = MakeGarbageCollected<Document>(init); - csp->BindToDelegate(document->GetContentSecurityPolicyDelegate()); + csp->BindToDelegate(context->GetContentSecurityPolicyDelegate()); } ContentSecurityPolicy* SetUpWithOrigin(const String& origin) { KURL secure_url(origin); - scoped_refptr<SecurityOrigin> secure_origin( + auto* context = MakeGarbageCollected<NullExecutionContext>(); + context->GetSecurityContext().SetSecurityOrigin( SecurityOrigin::Create(secure_url)); - DocumentInit init = - DocumentInit::Create().WithOriginToCommit(secure_origin); - auto* document = MakeGarbageCollected<Document>(init); auto* csp = MakeGarbageCollected<ContentSecurityPolicy>(); - csp->BindToDelegate(document->GetContentSecurityPolicyDelegate()); + csp->BindToDelegate(context->GetContentSecurityPolicyDelegate()); return csp; } @@ -60,7 +55,7 @@ class SourceListDirectiveTest : public testing::Test { } Persistent<ContentSecurityPolicy> csp; - Persistent<Document> document; + Persistent<ExecutionContext> context; }; TEST_F(SourceListDirectiveTest, BasicMatchingNone) { @@ -827,14 +822,104 @@ TEST_F(SourceListDirectiveTest, IsNone) { }; for (const auto& test : cases) { + SCOPED_TRACE(test.sources); SourceListDirective script_src("script-src", test.sources, csp.Get()); EXPECT_EQ(script_src.IsNone(), test.expected); - SourceListDirective style_src("form-action", test.sources, csp.Get()); - EXPECT_EQ(style_src.IsNone(), test.expected); + SourceListDirective form_action("form-action", test.sources, csp.Get()); + EXPECT_EQ(form_action.IsNone(), test.expected); - SourceListDirective img_src("frame-src", test.sources, csp.Get()); - EXPECT_EQ(style_src.IsNone(), test.expected); + SourceListDirective frame_src("frame-src", test.sources, csp.Get()); + EXPECT_EQ(frame_src.IsNone(), test.expected); + } +} + +TEST_F(SourceListDirectiveTest, IsSelf) { + struct TestCase { + String sources; + bool expected; + } cases[] = { + // Source list is 'self'. + {"'self'", true}, + {"'self' 'none'", true}, + + // Source list is not 'self'. + {"'none'", false}, + {"http://example1.com/foo/", false}, + {"'sha512-321cba'", false}, + {"'nonce-yay'", false}, + {"'strict-dynamic'", false}, + {"'sha512-321cba' http://example1.com/foo/", false}, + {"http://example1.com/foo/ 'sha512-321cba'", false}, + {"http://example1.com/foo/ 'nonce-yay'", false}, + {"'self' 'sha512-321cba' http://example1.com/foo/", false}, + {"'self' http://example1.com/foo/ 'sha512-321cba'", false}, + {"'self' http://example1.com/foo/ 'nonce-yay'", false}, + {"'sha512-321cba' 'nonce-yay'", false}, + {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}, + {"http://example1.com/foo/ 'sha512-321cba' 'nonce-yay'", false}, + {" 'sha512-321cba' 'nonce-yay' 'strict-dynamic'", false}, + }; + + for (const auto& test : cases) { + SCOPED_TRACE(test.sources); + SourceListDirective script_src("script-src", test.sources, csp.Get()); + EXPECT_EQ(script_src.IsSelf(), test.expected); + + SourceListDirective form_action("form-action", test.sources, csp.Get()); + EXPECT_EQ(form_action.IsSelf(), test.expected); + + SourceListDirective frame_src("frame-src", test.sources, csp.Get()); + EXPECT_EQ(frame_src.IsSelf(), test.expected); + } +} + +TEST_F(SourceListDirectiveTest, AllowsURLBasedMatching) { + struct TestCase { + String sources; + bool expected; + } cases[] = { + // No URL-based matching. + {"'none'", false}, + {"'sha256-abcdefg'", false}, + {"'nonce-abc'", false}, + {"'nonce-abce' 'sha256-abcdefg'", false}, + + // Strict-dynamic. + {"'sha256-abcdefg' 'strict-dynamic'", false}, + {"'nonce-abce' 'strict-dynamic'", false}, + {"'nonce-abce' 'sha256-abcdefg' 'strict-dynamic'", false}, + {"'sha256-abcdefg' 'strict-dynamic' https:", false}, + {"'nonce-abce' 'strict-dynamic' http://example.test", false}, + {"'nonce-abce' 'sha256-abcdefg' 'strict-dynamic' *://example.test", + false}, + + // URL-based. + {"*", true}, + {"'self'", true}, + {"http:", true}, + {"http: https:", true}, + {"http: 'none'", true}, + {"http: https: 'none'", true}, + {"'sha256-abcdefg' https://example.test", true}, + {"'nonce-abc' https://example.test", true}, + {"'nonce-abce' 'sha256-abcdefg' https://example.test", true}, + {"'sha256-abcdefg' https://example.test 'none'", true}, + {"'nonce-abc' https://example.test 'none'", true}, + {"'nonce-abce' 'sha256-abcdefg' https://example.test 'none'", true}, + + }; + + for (const auto& test : cases) { + SCOPED_TRACE(test.sources); + SourceListDirective script_src("script-src", test.sources, csp.Get()); + EXPECT_EQ(script_src.AllowsURLBasedMatching(), test.expected); + + SourceListDirective form_action("form-action", test.sources, csp.Get()); + EXPECT_EQ(form_action.AllowsURLBasedMatching(), test.expected); + + SourceListDirective frame_src("frame-src", test.sources, csp.Get()); + EXPECT_EQ(frame_src.AllowsURLBasedMatching(), test.expected); } } |