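// Exercises CSPDirectiveList::allowRequestWithoutIntegrity() against a table
// of `require-sri-for` directive values.
//
// Each row gives: the directive text, the request URL, the request context
// being checked, and the result expected when the policy is *enforced*.
// For every row the test checks two things:
//   1. A report-only policy never blocks: the call must return true
//      regardless of the directive text.
//   2. An enforced policy returns exactly `expected` for that context.
// Reports are suppressed (ContentSecurityPolicy::SuppressReport) so only the
// boolean decision is under test. The failure messages name the row so a
// single mismatch in this long table is attributable.
TEST_F(CSPDirectiveListTest, allowRequestWithoutIntegrity) {
  struct TestCase {
    const char* list;     // value of the require-sri-for directive
    const char* url;      // URL of the request being checked
    const WebURLRequest::RequestContext context;  // context of that request
    bool expected;        // result when the policy is enforced
  } cases[] = {

      {"require-sri-for script", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},

      // Extra WSP
      {"require-sri-for  script     script  ", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},
      {"require-sri-for      style    script", "https://example.com/file",
       WebURLRequest::RequestContextStyle, false},

      {"require-sri-for style script", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},
      {"require-sri-for style script", "https://example.com/file",
       WebURLRequest::RequestContextImport, false},
      {"require-sri-for style script", "https://example.com/file",
       WebURLRequest::RequestContextImage, true},

      {"require-sri-for script", "https://example.com/file",
       WebURLRequest::RequestContextAudio, true},
      {"require-sri-for script", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},
      {"require-sri-for script", "https://example.com/file",
       WebURLRequest::RequestContextImport, false},
      {"require-sri-for script", "https://example.com/file",
       WebURLRequest::RequestContextServiceWorker, false},
      {"require-sri-for script", "https://example.com/file",
       WebURLRequest::RequestContextSharedWorker, false},
      {"require-sri-for script", "https://example.com/file",
       WebURLRequest::RequestContextWorker, false},
      {"require-sri-for script", "https://example.com/file",
       WebURLRequest::RequestContextStyle, true},

      {"require-sri-for style", "https://example.com/file",
       WebURLRequest::RequestContextAudio, true},
      {"require-sri-for style", "https://example.com/file",
       WebURLRequest::RequestContextScript, true},
      {"require-sri-for style", "https://example.com/file",
       WebURLRequest::RequestContextImport, true},
      {"require-sri-for style", "https://example.com/file",
       WebURLRequest::RequestContextServiceWorker, true},
      {"require-sri-for style", "https://example.com/file",
       WebURLRequest::RequestContextSharedWorker, true},
      {"require-sri-for style", "https://example.com/file",
       WebURLRequest::RequestContextWorker, true},
      {"require-sri-for style", "https://example.com/file",
       WebURLRequest::RequestContextStyle, false},

      // Multiple tokens
      {"require-sri-for script style", "https://example.com/file",
       WebURLRequest::RequestContextStyle, false},
      {"require-sri-for script style", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},
      {"require-sri-for script style", "https://example.com/file",
       WebURLRequest::RequestContextImport, false},
      {"require-sri-for script style", "https://example.com/file",
       WebURLRequest::RequestContextImage, true},

      // Matching is case-insensitive
      {"require-sri-for Script", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},

      // Unknown tokens do not affect result
      {"require-sri-for blabla12 as", "https://example.com/file",
       WebURLRequest::RequestContextScript, true},
      {"require-sri-for blabla12 as  script", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},
      {"require-sri-for script style img", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},
      {"require-sri-for script style img", "https://example.com/file",
       WebURLRequest::RequestContextImport, false},
      {"require-sri-for script style img", "https://example.com/file",
       WebURLRequest::RequestContextStyle, false},
      {"require-sri-for script style img", "https://example.com/file",
       WebURLRequest::RequestContextImage, true},

      // Empty token list has no effect
      {"require-sri-for      ", "https://example.com/file",
       WebURLRequest::RequestContextScript, true},
      {"require-sri-for      ", "https://example.com/file",
       WebURLRequest::RequestContextImport, true},
      {"require-sri-for      ", "https://example.com/file",
       WebURLRequest::RequestContextStyle, true},
      {"require-sri-for      ", "https://example.com/file",
       WebURLRequest::RequestContextServiceWorker, true},
      {"require-sri-for      ", "https://example.com/file",
       WebURLRequest::RequestContextSharedWorker, true},
      {"require-sri-for      ", "https://example.com/file",
       WebURLRequest::RequestContextWorker, true},

      // Order does not matter
      {"require-sri-for a b script", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},
      {"require-sri-for a script b", "https://example.com/file",
       WebURLRequest::RequestContextScript, false},
  };

  for (const auto& test : cases) {
    KURL resource = KURL(KURL(), test.url);

    // Report-only: the policy must only report, never block, so the result
    // is true for every row independent of the directive text.
    Member<CSPDirectiveList> directiveList =
        createList(test.list, ContentSecurityPolicyHeaderTypeReport);
    EXPECT_EQ(true, directiveList->allowRequestWithoutIntegrity(
                        test.context, resource,
                        ResourceRequest::RedirectStatus::NoRedirect,
                        ContentSecurityPolicy::SuppressReport))
        << "report-only; list: \"" << test.list
        << "\", context: " << static_cast<int>(test.context);

    // Enforce: the decision must match the table.
    directiveList =
        createList(test.list, ContentSecurityPolicyHeaderTypeEnforce);
    EXPECT_EQ(test.expected, directiveList->allowRequestWithoutIntegrity(
                                 test.context, resource,
                                 ResourceRequest::RedirectStatus::NoRedirect,
                                 ContentSecurityPolicy::SuppressReport))
        << "enforce; list: \"" << test.list
        << "\", context: " << static_cast<int>(test.context);
  }
}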