TEST_F(ContentSecurityPolicyTest, NonceInline)
{
struct TestCase {
const char* policy;
const char* nonce;
bool allowed;
} cases[] = {
{ "'unsafe-inline'", "", true },
{ "'unsafe-inline'", "yay", true },
{ "'nonce-yay'", "", false },
{ "'nonce-yay'", "yay", true },
{ "'unsafe-inline' 'nonce-yay'", "", false },
{ "'unsafe-inline' 'nonce-yay'", "yay", true },
};
String contextURL;
String content;
WTF::OrdinalNumber contextLine;
for (const auto& test : cases) {
SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy << "`, Nonce: `" << test.nonce << "`");
unsigned expectedReports = test.allowed ? 0u : 1u;
// Enforce 'script-src'
Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create();
policy->bindToExecutionContext(document.get());
policy->didReceiveHeader(String("script-src ") + test.policy, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
EXPECT_EQ(test.allowed, policy->allowInlineScript(contextURL, String(test.nonce), contextLine, content));
EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());
// Enforce 'style-src'
policy = ContentSecurityPolicy::create();
policy->bindToExecutionContext(document.get());
policy->didReceiveHeader(String("style-src ") + test.policy, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
EXPECT_EQ(test.allowed, policy->allowInlineStyle(contextURL, String(test.nonce), contextLine, content));
EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());
// Report 'script-src'
policy = ContentSecurityPolicy::create();
policy->bindToExecutionContext(document.get());
policy->didReceiveHeader(String("script-src ") + test.policy, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
EXPECT_TRUE(policy->allowInlineScript(contextURL, String(test.nonce), contextLine, content));
EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());
// Report 'style-src'
policy = ContentSecurityPolicy::create();
policy->bindToExecutionContext(document.get());
policy->didReceiveHeader(String("style-src ") + test.policy, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
EXPECT_TRUE(policy->allowInlineStyle(contextURL, String(test.nonce), contextLine, content));
EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());
}
}
