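TEST_F(CSPDirectiveListTest, AllowFromSourceWithNonce) {
  // A 'nonce-...' source expression may only widen a policy: it admits a
  // request whose nonce matches, and never revokes a host-source match that
  // the URL already satisfies.
  struct TestCase {
    const char* list;
    const char* url;
    const char* nonce;
    bool expected;
  } cases[] = {
      // Doesn't affect lists without nonces: the host-source match (or
      // mismatch) alone decides, whatever nonce the request carries.
      {"https://example.com", "https://example.com/file", "yay", true},
      {"https://example.com", "https://example.com/file", "boo", true},
      {"https://example.com", "https://example.com/file", "", true},
      {"https://example.com", "https://not.example.com/file", "yay", false},
      {"https://example.com", "https://not.example.com/file", "boo", false},
      {"https://example.com", "https://not.example.com/file", "", false},

      // Doesn't affect URLs that match the whitelist: a wrong or missing
      // nonce does not take away a host-source match.
      {"https://example.com 'nonce-yay'", "https://example.com/file", "yay",
       true},
      {"https://example.com 'nonce-yay'", "https://example.com/file", "boo",
       true},
      {"https://example.com 'nonce-yay'", "https://example.com/file", "",
       true},

      // Does affect URLs that don't: only the matching nonce admits the
      // request; a wrong or empty nonce is rejected.
      {"https://example.com 'nonce-yay'", "https://not.example.com/file",
       "yay", true},
      {"https://example.com 'nonce-yay'", "https://not.example.com/file",
       "boo", false},
      {"https://example.com 'nonce-yay'", "https://not.example.com/file", "",
       false},
  };

  for (const auto& test : cases) {
    // Several cases share the same list and URL and differ only in the
    // nonce, so the trace must carry the nonce for a failure to be
    // attributable.
    SCOPED_TRACE(testing::Message()
                 << "List: `" << test.list << "`, URL: `" << test.url
                 << "`, Nonce: `" << test.nonce << "`");
    KURL resource = KURL(KURL(), test.url);

    // Report-only 'script-src'
    Member<CSPDirectiveList> directiveList =
        createList(String("script-src ") + test.list,
                   ContentSecurityPolicyHeaderTypeReport);
    EXPECT_EQ(test.expected,
              directiveList->allowScriptFromSource(
                  resource, String(test.nonce),
                  ResourceRequest::RedirectStatus::NoRedirect,
                  ContentSecurityPolicy::SuppressReport));

    // Enforce 'script-src'
    directiveList = createList(String("script-src ") + test.list,
                               ContentSecurityPolicyHeaderTypeEnforce);
    EXPECT_EQ(test.expected,
              directiveList->allowScriptFromSource(
                  resource, String(test.nonce),
                  ResourceRequest::RedirectStatus::NoRedirect,
                  ContentSecurityPolicy::SuppressReport));

    // Report-only 'style-src'
    directiveList = createList(String("style-src ") + test.list,
                               ContentSecurityPolicyHeaderTypeReport);
    EXPECT_EQ(test.expected,
              directiveList->allowStyleFromSource(
                  resource, String(test.nonce),
                  ResourceRequest::RedirectStatus::NoRedirect,
                  ContentSecurityPolicy::SuppressReport));

    // Enforce 'style-src'
    directiveList = createList(String("style-src ") + test.list,
                               ContentSecurityPolicyHeaderTypeEnforce);
    EXPECT_EQ(test.expected,
              directiveList->allowStyleFromSource(
                  resource, String(test.nonce),
                  ResourceRequest::RedirectStatus::NoRedirect,
                  ContentSecurityPolicy::SuppressReport));

    // Report-only 'default-src': with no 'script-src' or 'style-src' present,
    // both script and style checks fall back to it and must reach the same
    // decision.
    directiveList = createList(String("default-src ") + test.list,
                               ContentSecurityPolicyHeaderTypeReport);
    EXPECT_EQ(test.expected,
              directiveList->allowScriptFromSource(
                  resource, String(test.nonce),
                  ResourceRequest::RedirectStatus::NoRedirect,
                  ContentSecurityPolicy::SuppressReport));
    EXPECT_EQ(test.expected,
              directiveList->allowStyleFromSource(
                  resource, String(test.nonce),
                  ResourceRequest::RedirectStatus::NoRedirect,
                  ContentSecurityPolicy::SuppressReport));

    // Enforce 'default-src'
    directiveList = createList(String("default-src ") + test.list,
                               ContentSecurityPolicyHeaderTypeEnforce);
    EXPECT_EQ(test.expected,
              directiveList->allowScriptFromSource(
                  resource, String(test.nonce),
                  ResourceRequest::RedirectStatus::NoRedirect,
                  ContentSecurityPolicy::SuppressReport));
    EXPECT_EQ(test.expected,
              directiveList->allowStyleFromSource(
                  resource, String(test.nonce),
                  ResourceRequest::RedirectStatus::NoRedirect,
                  ContentSecurityPolicy::SuppressReport));
  }
}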
TEST_F(CSPDirectiveListTest, AllowScriptFromSourceNoNonce) {
  // Host-source matching for a script request that carries no nonce, first
  // against an explicit 'script-src' and then against a bare 'default-src'
  // (which the script check falls back to; expectations are identical).
  //
  // Path semantics exercised by the cases: a source path without a trailing
  // slash must match the URL path exactly, while a trailing slash matches any
  // URL path underneath it. A '*.' host wildcard matches subdomains only, not
  // the bare apex host.
  struct TestCase {
    const char* list;
    const char* url;
    bool expected;
  };
  const TestCase cases[] = {
      {"script-src https://example.com", "https://example.com/script.js",
       true},
      {"script-src https://example.com/", "https://example.com/script.js",
       true},
      {"script-src https://example.com/",
       "https://example.com/script/script.js", true},
      {"script-src https://example.com/script",
       "https://example.com/script.js", false},
      {"script-src https://example.com/script",
       "https://example.com/script/script.js", false},
      {"script-src https://example.com/script/",
       "https://example.com/script.js", false},
      {"script-src https://example.com/script/",
       "https://example.com/script/script.js", true},
      {"script-src https://example.com", "https://not.example.com/script.js",
       false},
      {"script-src https://*.example.com",
       "https://not.example.com/script.js", true},
      {"script-src https://*.example.com", "https://example.com/script.js",
       false},

      // Falls back to default-src:
      {"default-src https://example.com", "https://example.com/script.js",
       true},
      {"default-src https://example.com/", "https://example.com/script.js",
       true},
      {"default-src https://example.com/",
       "https://example.com/script/script.js", true},
      {"default-src https://example.com/script",
       "https://example.com/script.js", false},
      {"default-src https://example.com/script",
       "https://example.com/script/script.js", false},
      {"default-src https://example.com/script/",
       "https://example.com/script.js", false},
      {"default-src https://example.com/script/",
       "https://example.com/script/script.js", true},
      {"default-src https://example.com", "https://not.example.com/script.js",
       false},
      {"default-src https://*.example.com",
       "https://not.example.com/script.js", true},
      {"default-src https://*.example.com", "https://example.com/script.js",
       false},
  };

  for (const TestCase& testCase : cases) {
    SCOPED_TRACE(testing::Message() << "List: `" << testCase.list
                                    << "`, URL: `" << testCase.url << "`");
    const KURL scriptSrc(KURL(), testCase.url);

    // The decision is expected to be the same whether the policy is
    // report-only or enforced.
    for (auto headerType : {ContentSecurityPolicyHeaderTypeReport,
                            ContentSecurityPolicyHeaderTypeEnforce}) {
      Member<CSPDirectiveList> directiveList =
          createList(testCase.list, headerType);
      EXPECT_EQ(testCase.expected,
                directiveList->allowScriptFromSource(
                    scriptSrc, String(),
                    ResourceRequest::RedirectStatus::NoRedirect,
                    ContentSecurityPolicy::SuppressReport));
    }
  }
}