TEST_F(CSPDirectiveListTest, AllowFromSourceWithNonce)
{
struct TestCase {
const char* list;
const char* url;
const char* nonce;
bool expected;
} cases[] = {
// Doesn't affect lists without nonces:
{ "https://example.com", "https://example.com/file", "yay", true },
{ "https://example.com", "https://example.com/file", "boo", true },
{ "https://example.com", "https://example.com/file", "", true },
{ "https://example.com", "https://not.example.com/file", "yay", false },
{ "https://example.com", "https://not.example.com/file", "boo", false },
{ "https://example.com", "https://not.example.com/file", "", false },
// Doesn't affect URLs that match the whitelist.
{ "https://example.com 'nonce-yay'", "https://example.com/file", "yay", true },
{ "https://example.com 'nonce-yay'", "https://example.com/file", "boo", true },
{ "https://example.com 'nonce-yay'", "https://example.com/file", "", true },
// Does affect URLs that don't.
{ "https://example.com 'nonce-yay'", "https://not.example.com/file", "yay", true },
{ "https://example.com 'nonce-yay'", "https://not.example.com/file", "boo", false },
{ "https://example.com 'nonce-yay'", "https://not.example.com/file", "", false },
};
for (const auto& test : cases) {
SCOPED_TRACE(testing::Message() << "List: `" << test.list << "`, URL: `" << test.url << "`");
KURL resource = KURL(KURL(), test.url);
// Report-only 'script-src'
Member<CSPDirectiveList> directiveList = createList(String("script-src ") + test.list, ContentSecurityPolicyHeaderTypeReport);
EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
// Enforce 'script-src'
directiveList = createList(String("script-src ") + test.list, ContentSecurityPolicyHeaderTypeEnforce);
EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
// Report-only 'style-src'
directiveList = createList(String("style-src ") + test.list, ContentSecurityPolicyHeaderTypeReport);
EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
// Enforce 'style-src'
directiveList = createList(String("style-src ") + test.list, ContentSecurityPolicyHeaderTypeEnforce);
EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
// Report-only 'style-src'
directiveList = createList(String("default-src ") + test.list, ContentSecurityPolicyHeaderTypeReport);
EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
// Enforce 'style-src'
directiveList = createList(String("default-src ") + test.list, ContentSecurityPolicyHeaderTypeEnforce);
EXPECT_EQ(test.expected, directiveList->allowScriptFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
EXPECT_EQ(test.expected, directiveList->allowStyleFromSource(resource, String(test.nonce), ResourceRequest::RedirectStatus::NoRedirect, ContentSecurityPolicy::SuppressReport));
}
}