IsolatedWorldCSP: Enforce isolated world CSP checks for img resources.
This CL ensures that the isolated world CSP is used for CSP checks while loading images from isolated worlds. It also simplifies the ImageLoader code.

BUG=1099975
Change-Id: I9ea9be9c0b960e49b0420c1db17b7eed4a1ed47e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2276816
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Karan Bhatia <karandeepb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#785608}
Karandeep Bhatia authored and Commit Bot committed on Jul 7, 2020
1 parent edb1628, commit 10111bd
Showing 7 changed files with 77 additions and 98 deletions.
29 changes: 11 additions & 18 deletions in ...arty/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt
@@ -1,30 +1,23 @@ | ||
ALERT: Running test #6 | ||
ALERT: Running test #4 | ||
|
||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?6' because it violates the following Content Security Policy directive: "img-src 'none'". | ||
ALERT: Test in main world. | ||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?4' because it violates the following Content Security Policy directive: "img-src 'none'". | ||
|
||
ALERT: BLOCKED | ||
ALERT: Running test #5 | ||
ALERT: Running test #3 | ||
|
||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?5' because it violates the following Content Security Policy directive: "img-src 'none'". | ||
ALERT: Test in isolated world without a CSP. | ||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?3' because it violates the following Content Security Policy directive: "img-src 'none'". | ||
|
||
ALERT: BLOCKED | ||
ALERT: Running test #4 | ||
|
||
ALERT: Starting to bypass main world's CSP: | ||
ALERT: LOADED | ||
ALERT: Running test #3 | ||
|
||
ALERT: LOADED | ||
ALERT: Running test #2 | ||
|
||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?2' because it violates the following Content Security Policy directive: "img-src 'none'". | ||
|
||
ALERT: BLOCKED | ||
ALERT: Test in isolated world with lax CSP | ||
ALERT: LOADED | ||
ALERT: Running test #1 | ||
|
||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?1' because it violates the following Content Security Policy directive: "img-src 'none'". | ||
|
||
ALERT: BLOCKED | ||
ALERT: Test in isolated world with restrictive CSP | ||
ALERT: LOADED | ||
ALERT: Running test #0 | ||
|
||
This test ensures that scripts run in isolated worlds marked with their own Content Security Policy aren't affected by the page's content security policy. Extensions, for example, should be able to load any resource they like. | ||
This test ensures that img-src checks respect the isolated world CSP when the IsolatedWorldCSP feature is enabled and bypass the main world CSP checks otherwise. |
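Review bot: the new description line says img-src checks "bypass the main world CSP checks otherwise", yet in this same baseline the "Test in isolated world without a CSP." case is still BLOCKED by the page's "img-src 'none'", so the bypass only applies to isolated worlds that carry their own CSP; suggest saying so explicitly, e.g. "isolated worlds with their own CSP bypass the main world CSP checks otherwise". Note also that the final "restrictive CSP" case remains LOADED here, which is the documented behaviour with the feature disabled and the point the virtual suite's baseline is meant to contrast with.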
25 changes: 25 additions & 0 deletions in ...l/isolated_world_csp/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt
@@ -0,0 +1,25 @@ | ||
ALERT: Running test #4 | ||
|
||
ALERT: Test in main world. | ||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?4' because it violates the following Content Security Policy directive: "img-src 'none'". | ||
|
||
ALERT: BLOCKED | ||
ALERT: Running test #3 | ||
|
||
ALERT: Test in isolated world without a CSP. | ||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?3' because it violates the following Content Security Policy directive: "img-src 'none'". | ||
|
||
ALERT: BLOCKED | ||
ALERT: Running test #2 | ||
|
||
ALERT: Test in isolated world with lax CSP | ||
ALERT: LOADED | ||
ALERT: Running test #1 | ||
|
||
ALERT: Test in isolated world with restrictive CSP | ||
CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png?0' because it violates the following Content Security Policy directive: "img-src 'self'". | ||
|
||
ALERT: BLOCKED | ||
ALERT: Running test #0 | ||
|
||
This test ensures that img-src checks respect the isolated world CSP when the IsolatedWorldCSP feature is enabled and bypass the main world CSP checks otherwise. |
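Review bot: the console error under "Test in isolated world with restrictive CSP" cites abe.png?0 while every other case in this file uses a query string equal to its test number (?4, ?3), and the corresponding line in the non-virtual baseline uses ?1; please confirm the ?0 is intended rather than an ordering artifact, since a mismatched query string makes the blocked request harder to correlate with the test that issued it. The directive quoted there is the isolated world's "img-src 'self'" rather than the page's "img-src 'none'", which is the evidence that the isolated-world policy is the one being enforced; it would help readers of the baseline if the description line mentioned that the two baselines differ only in that case.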