author Antonio Sartori <antoniosartori@chromium.org>
Thu, 10 Sep 2020 15:53:11 +0000
changeset 548307 3b5ac5b97a79d8ceeafcb9de4b74c43c1b668fc6
parent 547824 1bc560f22f1205745b327602101708d9882a7482
child 549439 1bf583a361709eca05877399cd19ec1c5022d4d7
permissions -rw-r--r--
Bug 1662411 [wpt PR 25321] - Fix wildcard host matching in CSPEE subsume algorithm, a=testonly Automatic update from web-platform-tests Fix wildcard host matching in CSPEE subsume algorithm The previous implementation returned `true` for `*.example.com` subsumes `example.com`. However, since `*.example.com` does not match `example.com`, this should not be the case. And indeed according to 2.3.3 in https://w3c.github.io/webappsec-cspee/#subsume-source-expressions in this case the subsume algorithm should return `false`. Bug: 1086857 Change-Id: I449f72d2db0a918478fc1ba4250335ae57a4ae2d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2210463 Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#805286} -- wpt-commits: 4d8bfc649f692738a27b35468b7984b6061ab485 wpt-pr: 25321

<!DOCTYPE html>
<title>Embedded Enforcement: Subsumption Algorithm - Basic implementation.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
    // Note that the returned csp should always allow execution of an
    // inline script with nonce "abc" (as returned by
    // support/echo-policy-multiple.py), otherwise the test might
    // return false negatives.
    var tests = [
      { "name": "If there is no required csp, iframe should load.", 
        "required_csp": null, 
        "returned_csp": null,
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Iframe with empty returned CSP should be blocked.", 
        "required_csp": "style-src 'none';", 
        "returned_csp": null,
        "expected": IframeLoad.EXPECT_BLOCK },
      { "name": "Iframe with matching CSP should load.", 
        "required_csp": "style-src 'none'; script-src 'unsafe-inline'", 
        "returned_csp": "style-src 'none'; script-src 'unsafe-inline'", 
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Iframe with more restricting CSP should load.", 
        "required_csp": "script-src 'nonce-abc' 'nonce-123'", 
        "returned_csp": "script-src 'nonce-abc'", 
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Iframe with less restricting CSP should be blocked.", 
        "required_csp": "style-src 'none'; script-src 'none'", 
        "returned_csp": "style-src 'none'; script-src 'self' 'nonce-abc'", 
        "expected": IframeLoad.EXPECT_BLOCK },
      { "name": "Iframe with a different CSP should be blocked.", 
        "required_csp": "script-src 'nonce-abc' 'nonce-123'", 
        "returned_csp": "style-src 'none'", 
        "expected": IframeLoad.EXPECT_BLOCK },
      { "name": "Iframe with a matching and more restrictive ports should load.", 
        "required_csp": "frame-src http://c.com:443 http://b.com", 
        "returned_csp": "frame-src http://b.com:80 http://c.com:443", 
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Host wildcard *.a.com does not match a.com",
        "required_csp": "frame-src http://*.a.com",
        "returned_csp": "frame-src http://a.com",
        "expected": IframeLoad.EXPECT_BLOCK },
      { "name": "Host intersection with wildcards is computed correctly.",
        "required_csp": "frame-sr 'none'",
        "returned_csp": "frame-src http://a.com",
        "returned_csp_2": "frame-src http://*.a.com",
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Iframe should load even if the ports are different but are default for the protocols.", 
        "required_csp": "frame-src http://b.com:80", 
        "returned_csp": "child-src https://b.com:443", 
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Iframe should block if intersection allows sources which are not in required_csp.",
        "required_csp": "style-src http://*.example.com:*",
        "returned_csp": "style-src http://*.com:*",
        "returned_csp_2": "style-src http://*.com http://*.example.com:*",
        "expected": IframeLoad.EXPECT_BLOCK },
      { "name": "Iframe should block if intersection allows sources which are not in required_csp (other ordering).",
        "required_csp": "style-src http://*.example.com:*",
        "returned_csp": "style-src http://*.com:*",
        "returned_csp_2": "style-src http://*.example.com:* http://*.com",
        "expected": IframeLoad.EXPECT_BLOCK },
      { "name": "Iframe should load if intersection allows only sources which are in required_csp.",
        "required_csp": "style-src http://*.example.com",
        "returned_csp": "style-src http://*.example.com:*",
        "returned_csp_2": "style-src http://*.com",
        "expected": IframeLoad.EXPECT_LOAD },

    tests.forEach(test => {
      async_test(t =>  {
        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
        if (test.returned_csp_2)
          url.searchParams.append("policy2", test.returned_csp_2);
        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
      }, test.name);