chrome/common/extensions/csp_validator_unittest.cc - Issue 10873060: Adding 'blob:' and 'filesystem:' URLs as secure sources for extensions.

Side by Side Diff: chrome/common/extensions/csp_validator_unittest.cc

Issue 10873060: Adding 'blob:' and 'filesystem:' URLs as secure sources for extensions. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 8 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

« chrome/common/extensions/csp_validator.cc ('K') | « chrome/common/extensions/csp_validator.cc ('k') | no next file » | no next file with comments »

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/common/extensions/csp_validator.h"	5 #include "chrome/common/extensions/csp_validator.h"

6 #include "testing/gtest/include/gtest/gtest.h"	6 #include "testing/gtest/include/gtest/gtest.h"

7	7

8 using extensions::csp_validator::ContentSecurityPolicyIsLegal;	8 using extensions::csp_validator::ContentSecurityPolicyIsLegal;

9 using extensions::csp_validator::ContentSecurityPolicyIsSecure;	9 using extensions::csp_validator::ContentSecurityPolicyIsSecure;

10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;	10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;

(...skipping 73 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
84 EXPECT_TRUE(ContentSecurityPolicyIsSecure(	84 EXPECT_TRUE(ContentSecurityPolicyIsSecure(

85 "default-src 'self' http://lOcAlHoSt"));	85 "default-src 'self' http://lOcAlHoSt"));

86 EXPECT_TRUE(ContentSecurityPolicyIsSecure(	86 EXPECT_TRUE(ContentSecurityPolicyIsSecure(

87 "default-src 'self' http://127.0.0.1:9999"));	87 "default-src 'self' http://127.0.0.1:9999"));

88 EXPECT_TRUE(ContentSecurityPolicyIsSecure(	88 EXPECT_TRUE(ContentSecurityPolicyIsSecure(

89 "default-src 'self' http://localhost:8888"));	89 "default-src 'self' http://localhost:8888"));

90 EXPECT_FALSE(ContentSecurityPolicyIsSecure(	90 EXPECT_FALSE(ContentSecurityPolicyIsSecure(

91 "default-src 'self' http://127.0.0.1.example.com"));	91 "default-src 'self' http://127.0.0.1.example.com"));

92 EXPECT_FALSE(ContentSecurityPolicyIsSecure(	92 EXPECT_FALSE(ContentSecurityPolicyIsSecure(

93 "default-src 'self' http://localhost.example.com"));	93 "default-src 'self' http://localhost.example.com"));

	94

	95 EXPECT_TRUE(ContentSecurityPolicyIsSecure(

	96 "default-src 'self' blob:"));

	97 EXPECT_TRUE(ContentSecurityPolicyIsSecure(

	98 "default-src 'self' blob:http://example.com/XXX"));
	abarth-chromium 2012/08/24 14:55:00 I would EXPECT_FALSE here. You can't load cross-o I would EXPECT_FALSE here. You can't load cross-origin blob URLs anyway. Mike West 2012/08/24 15:13:36 I can certainly change it to only accept the proto Show quoted text On 2012/08/24 14:55:00, abarth wrote: > I would EXPECT_FALSE here. You can't load cross-origin blob URLs anyway. I can certainly change it to only accept the protocol-only source. I think you're right; that's really all that makes sense.
	99 EXPECT_TRUE(ContentSecurityPolicyIsSecure(

	100 "default-src 'self' filesystem:"));

	101 EXPECT_TRUE(ContentSecurityPolicyIsSecure(

	102 "default-src 'self' filesystem:http://example.com/XXX"));
	abarth-chromium 2012/08/24 14:55:00 Same for filesystem. Same for filesystem.
94 }	103 }

95	104

96 TEST(ExtensionCSPValidator, IsSandboxed) {	105 TEST(ExtensionCSPValidator, IsSandboxed) {

97 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("", Extension::TYPE_EXTENSION));	106 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("", Extension::TYPE_EXTENSION));

98 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(	107 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(

99 "img-src https://google.com", Extension::TYPE_EXTENSION));	108 "img-src https://google.com", Extension::TYPE_EXTENSION));

100	109

101 // Sandbox directive is required.	110 // Sandbox directive is required.

102 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(	111 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(

103 "sandbox", Extension::TYPE_EXTENSION));	112 "sandbox", Extension::TYPE_EXTENSION));

(...skipping 12 matching lines...) Expand all Loading...
116 // Extensions allow navigation and popups, platform apps don't.	125 // Extensions allow navigation and popups, platform apps don't.

117 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(	126 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(

118 "sandbox allow-top-navigation", Extension::TYPE_EXTENSION));	127 "sandbox allow-top-navigation", Extension::TYPE_EXTENSION));

119 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(	128 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(

120 "sandbox allow-top-navigation", Extension::TYPE_PLATFORM_APP));	129 "sandbox allow-top-navigation", Extension::TYPE_PLATFORM_APP));

121 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(	130 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(

122 "sandbox allow-popups", Extension::TYPE_EXTENSION));	131 "sandbox allow-popups", Extension::TYPE_EXTENSION));

123 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(	132 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(

124 "sandbox allow-popups", Extension::TYPE_PLATFORM_APP));	133 "sandbox allow-popups", Extension::TYPE_PLATFORM_APP));

125 }	134 }

OLD	NEW