1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <stddef.h> | 5 #include <stddef.h> |
6 | 6 |
7 #include "base/strings/string_split.h" | |
7 #include "extensions/common/csp_validator.h" | 8 #include "extensions/common/csp_validator.h" |
8 #include "extensions/common/error_utils.h" | 9 #include "extensions/common/error_utils.h" |
9 #include "extensions/common/install_warning.h" | 10 #include "extensions/common/install_warning.h" |
10 #include "extensions/common/manifest_constants.h" | 11 #include "extensions/common/manifest_constants.h" |
11 #include "testing/gtest/include/gtest/gtest.h" | 12 #include "testing/gtest/include/gtest/gtest.h" |
12 | 13 |
13 using extensions::csp_validator::ContentSecurityPolicyIsLegal; | 14 using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
15 using extensions::csp_validator::GetEffectiveSandoxedPageCSP; | |
14 using extensions::csp_validator::SanitizeContentSecurityPolicy; | 16 using extensions::csp_validator::SanitizeContentSecurityPolicy; |
15 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; | 17 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
16 using extensions::csp_validator::OPTIONS_NONE; | 18 using extensions::csp_validator::OPTIONS_NONE; |
17 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; | 19 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; |
18 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; | 20 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; |
19 using extensions::ErrorUtils; | 21 using extensions::ErrorUtils; |
20 using extensions::InstallWarning; | 22 using extensions::InstallWarning; |
21 using extensions::Manifest; | 23 using extensions::Manifest; |
22 | 24 |
23 namespace { | 25 namespace { |
102 const std::string& expected_csp, | 104 const std::string& expected_csp, |
103 const std::string& warning1, | 105 const std::string& warning1, |
104 const std::string& warning2, | 106 const std::string& warning2, |
105 const std::string& warning3) { | 107 const std::string& warning3) { |
106 std::vector<std::string> expected_warnings(1, warning1); | 108 std::vector<std::string> expected_warnings(1, warning1); |
107 expected_warnings.push_back(warning2); | 109 expected_warnings.push_back(warning2); |
108 expected_warnings.push_back(warning3); | 110 expected_warnings.push_back(warning3); |
109 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 111 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); |
110 } | 112 } |
111 | 113 |
114 bool CSPEquals(const std::string& csp1, const std::string& csp2) { | |
115 std::vector<std::string> csp1_parts = base::SplitString( | |
116 csp1, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); | |
117 std::sort(csp1_parts.begin(), csp1_parts.end()); | |
118 std::vector<std::string> csp2_parts = base::SplitString( | |
119 csp2, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); | |
120 std::sort(csp2_parts.begin(), csp2_parts.end()); | |
121 return csp1_parts == csp2_parts; | |
122 } | |
123 | |
112 }; // namespace | 124 }; // namespace |
113 | 125 |
114 TEST(ExtensionCSPValidator, IsLegal) { | 126 TEST(ExtensionCSPValidator, IsLegal) { |
115 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); | 127 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); |
116 EXPECT_TRUE(ContentSecurityPolicyIsLegal( | 128 EXPECT_TRUE(ContentSecurityPolicyIsLegal( |
117 "default-src 'self'; script-src http://www.google.com")); | 129 "default-src 'self'; script-src http://www.google.com")); |
118 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 130 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
119 "default-src 'self';\nscript-src http://www.google.com")); | 131 "default-src 'self';\nscript-src http://www.google.com")); |
120 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 132 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
121 "default-src 'self';\rscript-src http://www.google.com")); | 133 "default-src 'self';\rscript-src http://www.google.com")); |
447 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); | 459 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); |
448 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( | 460 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( |
449 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); | 461 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); |
450 | 462 |
451 // Popups are OK. | 463 // Popups are OK. |
452 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 464 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
453 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); | 465 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); |
454 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 466 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
455 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); | 467 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
456 } | 468 } |
469 | |
470 // TODO(lazyboy): Add comprehensive test cases. | |
Devlin
2016/12/09 15:46:01
Can we address this TODO before landing? ;)
lazyboy
2016/12/14 00:49:05
I've expanded the tests a bit and added an api_tes
471 TEST(ExtensionCSPValidator, EffectiveSandboxedPageCSP) { | |
472 EXPECT_TRUE(CSPEquals("child-src 'self'; script-src 'self';", | |
473 GetEffectiveSandoxedPageCSP(""))); | |
474 EXPECT_TRUE(CSPEquals( | |
475 "child-src 'self'; script-src 'self';", | |
476 GetEffectiveSandoxedPageCSP("child-src http://www.google.com"))); | |
477 EXPECT_TRUE(CSPEquals("child-src 'none'; script-src 'self';", | |
478 GetEffectiveSandoxedPageCSP("child-src 'none'"))); | |
479 | |
480 // Directive values of 'none' and 'self' are preserved. | |
481 EXPECT_TRUE(CSPEquals( | |
482 "frame-src 'self'; script-src 'none';", | |
483 GetEffectiveSandoxedPageCSP("script-src 'none'; frame-src 'self';"))); | |
484 EXPECT_TRUE(CSPEquals( | |
485 "frame-src 'self'; script-src 'none';", | |
486 GetEffectiveSandoxedPageCSP( | |
487 "script-src 'none'; frame-src 'self' http://www.google.com;"))); | |
488 | |
489 // child-src and frame-src are handled correctly. | |
490 EXPECT_TRUE(CSPEquals( | |
491 "frame-src 'self'; script-src 'none';", | |
492 GetEffectiveSandoxedPageCSP( | |
493 "script-src 'none'; frame-src 'self' http://www.google.com;"))); | |
494 } | |
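Review bot: The last case of EffectiveSandboxedPageCSP (new lines 490-493) is a verbatim repeat of the case just above it (484-487) — same input `"script-src 'none'; frame-src 'self' http://www.google.com;"`, same expected string — so the comment "child-src and frame-src are handled correctly" is not backed by any input that actually contains child-src. Replace it with a policy that carries both directives, e.g. `GetEffectiveSandoxedPageCSP("child-src http://www.google.com; frame-src 'self';")`, with the expected value taken from what the implementation does when both are present (the visible cases only ever show one of the two). None of the cases gives script-src a remote host or 'unsafe-inline'; if the function is meant to reduce script-src to 'self' the way it visibly reduces child-src, a case such as `GetEffectiveSandoxedPageCSP("script-src 'self' http://www.google.com")` presumably expecting `"child-src 'self'; script-src 'self';"` would pin the property a sandboxed page's CSP depends on. CSPEquals calls std::sort without `<algorithm>` (and uses std::string/std::vector without `<string>`/`<vector>`) anywhere in the include list, which Chromium's include-what-you-use convention would add. Separately, `GetEffectiveSandoxedPageCSP` drops the "b" of "Sandboxed" while the test is named EffectiveSandboxedPageCSP; if the declaration in csp_validator.h is spelled the same way, renaming it before landing avoids carrying the typo into callers.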