Fix CSP source list intersection for CSPEE in blink

As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95
web-platform-tests · Sep 1, 2020 · 9ed635a · 9ed635a
1 parent 0891f4b
commit 9ed635a
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html b/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html
@@ -45,11 +45,28 @@
         "required_csp": "frame-src http://b.com:80", 
         "returned_csp": "child-src https://b.com:443", 
         "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Iframe should block if intersection allows sources which are not in required_csp.",
+        "required_csp": "style-src http://*.example.com:*",
+        "returned_csp": "style-src http://*.com:*",
+        "returned_csp_2": "style-src http://*.com http://*.example.com:*",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Iframe should block if intersection allows sources which are not in required_csp (other ordering).",
+        "required_csp": "style-src http://*.example.com:*",
+        "returned_csp": "style-src http://*.com:*",
+        "returned_csp_2": "style-src http://*.example.com:* http://*.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Iframe should load if intersection allows only sources which are in required_csp.",
+        "required_csp": "style-src http://*.example.com",
+        "returned_csp": "style-src http://*.example.com:*",
+        "returned_csp_2": "style-src http://*.com",
+        "expected": IframeLoad.EXPECT_LOAD },
     ];
 
     tests.forEach(test => {
       async_test(t =>  {
         var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp);
+        if (test.returned_csp_2)
+          url.searchParams.append("policy2", test.returned_csp_2);
         assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
       }, test.name);
     });