Chromium Code Reviews Chromium Code Reviews
Issue 2563843002:
Restrict app sandbox's CSP to disallow loading web content in them. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stddef.h> | 5 #include <stddef.h> |
| 6 | 6 |
| 7 #include "base/strings/string_split.h" | |
| 7 #include "extensions/common/csp_validator.h" | 8 #include "extensions/common/csp_validator.h" |
| 8 #include "extensions/common/error_utils.h" | 9 #include "extensions/common/error_utils.h" |
| 9 #include "extensions/common/install_warning.h" | 10 #include "extensions/common/install_warning.h" |
| 10 #include "extensions/common/manifest_constants.h" | 11 #include "extensions/common/manifest_constants.h" |
| 11 #include "testing/gtest/include/gtest/gtest.h" | 12 #include "testing/gtest/include/gtest/gtest.h" |
| 12 | 13 |
| 13 using extensions::csp_validator::ContentSecurityPolicyIsLegal; | 14 using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
| 15 using extensions::csp_validator::GetEffectiveSandoxedPageCSP; | |
| 14 using extensions::csp_validator::SanitizeContentSecurityPolicy; | 16 using extensions::csp_validator::SanitizeContentSecurityPolicy; |
| 15 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; | 17 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
| 16 using extensions::csp_validator::OPTIONS_NONE; | 18 using extensions::csp_validator::OPTIONS_NONE; |
| 17 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; | 19 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; |
| 18 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; | 20 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; |
| 19 using extensions::ErrorUtils; | 21 using extensions::ErrorUtils; |
| 20 using extensions::InstallWarning; | 22 using extensions::InstallWarning; |
| 21 using extensions::Manifest; | 23 using extensions::Manifest; |
| 22 | 24 |
| 23 namespace { | 25 namespace { |
| 24 | 26 |
| 25 std::string InsecureValueWarning(const std::string& directive, | 27 std::string InsecureValueWarning(const std::string& directive, |
| 26 const std::string& value) { | 28 const std::string& value) { |
| 27 return ErrorUtils::FormatErrorMessage( | 29 return ErrorUtils::FormatErrorMessage( |
| 28 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); | 30 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); |
| 29 } | 31 } |
| 30 | 32 |
| 31 std::string MissingSecureSrcWarning(const std::string& directive) { | 33 std::string MissingSecureSrcWarning(const std::string& directive) { |
| 32 return ErrorUtils::FormatErrorMessage( | 34 return ErrorUtils::FormatErrorMessage( |
| 33 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); | 35 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); |
| 34 } | 36 } |
| 35 | 37 |
| 36 testing::AssertionResult CheckSanitizeCSP( | 38 bool CSPEquals(const std::string& csp1, const std::string& csp2) { |
| 37 const std::string& policy, | 39 std::vector<std::string> csp1_parts = base::SplitString( |
| 38 int options, | 40 csp1, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| 41 std::sort(csp1_parts.begin(), csp1_parts.end()); | |
| 42 std::vector<std::string> csp2_parts = base::SplitString( | |
| 43 csp2, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); | |
| 44 std::sort(csp2_parts.begin(), csp2_parts.end()); | |
| 45 return csp1_parts == csp2_parts; | |
| 46 } | |
| 47 | |
| 48 struct SanitizedCSPResult { | |
| 49 std::string csp; | |
| 50 std::vector<InstallWarning> warnings; | |
| 51 }; | |
| 52 | |
| 53 SanitizedCSPResult SanitizeCSP(const std::string& policy, int options) { | |
| 54 SanitizedCSPResult result; | |
| 55 result.csp = SanitizeContentSecurityPolicy(policy, options, &result.warnings); | |
| 56 return result; | |
| 57 } | |
| 58 | |
| 59 SanitizedCSPResult SanitizeSandboxPageCSP(const std::string& policy) { | |
| 60 SanitizedCSPResult result; | |
| 61 result.csp = GetEffectiveSandoxedPageCSP(policy, &result.warnings); | |
| 62 return result; | |
| 63 } | |
| 64 | |
| 65 testing::AssertionResult CheckCSP( | |
| 66 const SanitizedCSPResult& actual, | |
| 39 const std::string& expected_csp, | 67 const std::string& expected_csp, |
| 40 const std::vector<std::string>& expected_warnings) { | 68 const std::vector<std::string>& expected_warnings) { |
| 41 std::vector<InstallWarning> actual_warnings; | 69 if (!CSPEquals(expected_csp, actual.csp)) { |
| 42 std::string actual_csp = SanitizeContentSecurityPolicy(policy, | |
| 43 options, | |
| 44 &actual_warnings); | |
| 45 if (actual_csp != expected_csp) | |
| 46 return testing::AssertionFailure() | 70 return testing::AssertionFailure() |
| 47 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" | 71 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" |
| 48 << "Expected CSP: " << expected_csp << "\n" | 72 << "Expected CSP: " << expected_csp << "\n" |
| 49 << " Actual CSP: " << actual_csp; | 73 << " Actual CSP: " << actual.csp; |
| 74 } | |
| 50 | 75 |
| 51 if (expected_warnings.size() != actual_warnings.size()) { | 76 if (expected_warnings.size() != actual.warnings.size()) { |
| 52 testing::Message msg; | 77 testing::Message msg; |
| 53 msg << "Expected " << expected_warnings.size() | 78 msg << "Expected " << expected_warnings.size() << " warnings, but got " |
| 54 << " warnings, but got " << actual_warnings.size(); | 79 << actual.warnings.size(); |
| 55 for (size_t i = 0; i < actual_warnings.size(); ++i) | 80 for (size_t i = 0; i < actual.warnings.size(); ++i) |
| 56 msg << "\nWarning " << i << " " << actual_warnings[i].message; | 81 msg << "\nWarning " << i << " " << actual.warnings[i].message; |
| 57 return testing::AssertionFailure() << msg; | 82 return testing::AssertionFailure() << msg; |
| 58 } | 83 } |
| 59 | 84 |
| 60 for (size_t i = 0; i < expected_warnings.size(); ++i) { | 85 for (size_t i = 0; i < expected_warnings.size(); ++i) { |
| 61 if (expected_warnings[i] != actual_warnings[i].message) | 86 if (expected_warnings[i] != actual.warnings[i].message) |
| 62 return testing::AssertionFailure() | 87 return testing::AssertionFailure() |
| 63 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" | 88 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" |
| 64 << "Expected warning[" << i << "]: " << expected_warnings[i] | 89 << "Expected warning[" << i << "]: " << expected_warnings[i] |
| 65 << " Actual warning[" << i << "]: " << actual_warnings[i].message; | 90 << " Actual warning[" << i << "]: " << actual.warnings[i].message; |
| 66 } | 91 } |
| 67 return testing::AssertionSuccess(); | 92 return testing::AssertionSuccess(); |
| 68 } | 93 } |
| 69 | 94 |
| 70 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 95 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual) { |
| 71 int options) { | 96 return CheckCSP(actual, actual.csp, std::vector<std::string>()); |
| 72 return CheckSanitizeCSP(policy, options, policy, std::vector<std::string>()); | |
| 73 } | 97 } |
| 74 | 98 |
| 75 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 99 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
| 76 int options, | 100 const std::string& expected_csp) { |
| 77 const std::string& expected_csp) { | |
| 78 std::vector<std::string> expected_warnings; | 101 std::vector<std::string> expected_warnings; |
| 79 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 102 return CheckCSP(actual, expected_csp, expected_warnings); |
| 80 } | 103 } |
| 81 | 104 |
| 82 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 105 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
| 83 int options, | 106 const std::string& expected_csp, |
| 84 const std::string& expected_csp, | 107 const std::string& warning1) { |
| 85 const std::string& warning1) { | |
| 86 std::vector<std::string> expected_warnings(1, warning1); | 108 std::vector<std::string> expected_warnings(1, warning1); |
| 87 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 109 return CheckCSP(actual, expected_csp, expected_warnings); |
| 88 } | 110 } |
| 89 | 111 |
| 90 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 112 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
| 91 int options, | 113 const std::string& expected_csp, |
| 92 const std::string& expected_csp, | 114 const std::string& warning1, |
| 93 const std::string& warning1, | 115 const std::string& warning2) { |
| 94 const std::string& warning2) { | |
| 95 std::vector<std::string> expected_warnings(1, warning1); | 116 std::vector<std::string> expected_warnings(1, warning1); |
| 96 expected_warnings.push_back(warning2); | 117 expected_warnings.push_back(warning2); |
| 97 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 118 return CheckCSP(actual, expected_csp, expected_warnings); |
| 98 } | 119 } |
| 99 | 120 |
| 100 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 121 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
| 101 int options, | 122 const std::string& expected_csp, |
| 102 const std::string& expected_csp, | 123 const std::string& warning1, |
| 103 const std::string& warning1, | 124 const std::string& warning2, |
| 104 const std::string& warning2, | 125 const std::string& warning3) { |
| 105 const std::string& warning3) { | |
| 106 std::vector<std::string> expected_warnings(1, warning1); | 126 std::vector<std::string> expected_warnings(1, warning1); |
| 107 expected_warnings.push_back(warning2); | 127 expected_warnings.push_back(warning2); |
| 108 expected_warnings.push_back(warning3); | 128 expected_warnings.push_back(warning3); |
| 109 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 129 return CheckCSP(actual, expected_csp, expected_warnings); |
| 110 } | 130 } |
| 111 | 131 |
| 112 }; // namespace | 132 }; // namespace |
| 113 | 133 |
| 114 TEST(ExtensionCSPValidator, IsLegal) { | 134 TEST(ExtensionCSPValidator, IsLegal) { |
| 115 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); | 135 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); |
| 116 EXPECT_TRUE(ContentSecurityPolicyIsLegal( | 136 EXPECT_TRUE(ContentSecurityPolicyIsLegal( |
| 117 "default-src 'self'; script-src http://www.google.com")); | 137 "default-src 'self'; script-src http://www.google.com")); |
| 118 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 138 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 119 "default-src 'self';\nscript-src http://www.google.com")); | 139 "default-src 'self';\nscript-src http://www.google.com")); |
| 120 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 140 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 121 "default-src 'self';\rscript-src http://www.google.com")); | 141 "default-src 'self';\rscript-src http://www.google.com")); |
| 122 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 142 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 123 "default-src 'self';,script-src http://www.google.com")); | 143 "default-src 'self';,script-src http://www.google.com")); |
| 124 } | 144 } |
| 125 | 145 |
| 126 TEST(ExtensionCSPValidator, IsSecure) { | 146 TEST(ExtensionCSPValidator, IsSecure) { |
|
Devlin
2016/12/20 17:36:39
Are all the test changes the result of renames and
lazyboy
2016/12/22 03:07:30
Yes.
I've reverted some git cl format changes to m
| |
| 127 EXPECT_TRUE(CheckSanitizeCSP( | 147 EXPECT_TRUE(CheckCSP( |
| 128 std::string(), OPTIONS_ALLOW_UNSAFE_EVAL, | 148 SanitizeCSP(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL), |
| 129 "script-src 'self' chrome-extension-resource:; object-src 'self';", | 149 "script-src 'self' chrome-extension-resource:; object-src 'self';", |
| 130 MissingSecureSrcWarning("script-src"), | 150 MissingSecureSrcWarning("script-src"), |
| 131 MissingSecureSrcWarning("object-src"))); | 151 MissingSecureSrcWarning("object-src"))); |
| 132 EXPECT_TRUE(CheckSanitizeCSP( | 152 EXPECT_TRUE(CheckCSP( |
| 133 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 153 SanitizeCSP("img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 134 "img-src https://google.com; script-src 'self'" | 154 "img-src https://google.com; script-src 'self'" |
| 135 " chrome-extension-resource:; object-src 'self';", | 155 " chrome-extension-resource:; object-src 'self';", |
| 136 MissingSecureSrcWarning("script-src"), | 156 MissingSecureSrcWarning("script-src"), |
| 137 MissingSecureSrcWarning("object-src"))); | 157 MissingSecureSrcWarning("object-src"))); |
| 138 EXPECT_TRUE(CheckSanitizeCSP( | 158 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 139 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL, | 159 "script-src; object-src 'self';", |
| 140 "script-src; object-src 'self';", | 160 InsecureValueWarning("script-src", "a"), |
| 141 InsecureValueWarning("script-src", "a"), | 161 InsecureValueWarning("script-src", "b"), |
| 142 InsecureValueWarning("script-src", "b"), | 162 MissingSecureSrcWarning("object-src"))); |
| 143 MissingSecureSrcWarning("object-src"))); | 163 |
| 144 | 164 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 145 EXPECT_TRUE(CheckSanitizeCSP( | 165 "default-src;", |
| 146 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, | 166 InsecureValueWarning("default-src", "*"))); |
| 147 "default-src;", | 167 EXPECT_TRUE( |
| 148 InsecureValueWarning("default-src", "*"))); | 168 CheckCSP(SanitizeCSP("default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 149 EXPECT_TRUE(CheckSanitizeCSP( | 169 EXPECT_TRUE( |
| 150 "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 170 CheckCSP(SanitizeCSP("default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 151 EXPECT_TRUE(CheckSanitizeCSP( | 171 EXPECT_TRUE( |
| 152 "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 172 CheckCSP(SanitizeCSP("default-src 'self' ftp://google.com", |
| 153 EXPECT_TRUE(CheckSanitizeCSP( | 173 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 154 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 174 "default-src 'self';", |
| 155 "default-src 'self';", | 175 InsecureValueWarning("default-src", "ftp://google.com"))); |
| 156 InsecureValueWarning("default-src", "ftp://google.com"))); | 176 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://google.com;", |
| 157 EXPECT_TRUE(CheckSanitizeCSP( | 177 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 158 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 178 |
| 159 | 179 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *; default-src 'self'", |
| 160 EXPECT_TRUE(CheckSanitizeCSP( | 180 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 161 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, | 181 "default-src; default-src 'self';", |
| 162 "default-src; default-src 'self';", | 182 InsecureValueWarning("default-src", "*"))); |
| 163 InsecureValueWarning("default-src", "*"))); | 183 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self'; default-src *;", |
| 164 EXPECT_TRUE(CheckSanitizeCSP( | 184 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 165 "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL, | 185 "default-src 'self'; default-src;")); |
| 166 "default-src 'self'; default-src;")); | 186 EXPECT_TRUE(CheckCSP( |
| 167 EXPECT_TRUE(CheckSanitizeCSP( | 187 SanitizeCSP( |
| 168 "default-src 'self'; default-src *; script-src *; script-src 'self'", | 188 "default-src 'self'; default-src *; script-src *; script-src 'self'", |
| 169 OPTIONS_ALLOW_UNSAFE_EVAL, | 189 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 170 "default-src 'self'; default-src; script-src; script-src 'self';", | 190 "default-src 'self'; default-src; script-src; script-src 'self';", |
| 171 InsecureValueWarning("script-src", "*"))); | 191 InsecureValueWarning("script-src", "*"))); |
| 172 EXPECT_TRUE(CheckSanitizeCSP( | 192 EXPECT_TRUE(CheckCSP( |
| 173 "default-src 'self'; default-src *; script-src 'self'; script-src *;", | 193 SanitizeCSP( |
| 174 OPTIONS_ALLOW_UNSAFE_EVAL, | 194 "default-src 'self'; default-src *; script-src 'self'; script-src *;", |
| 195 OPTIONS_ALLOW_UNSAFE_EVAL), | |
| 175 "default-src 'self'; default-src; script-src 'self'; script-src;")); | 196 "default-src 'self'; default-src; script-src 'self'; script-src;")); |
| 176 EXPECT_TRUE(CheckSanitizeCSP( | 197 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *; script-src 'self'", |
| 177 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, | 198 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 178 "default-src; script-src 'self';", | 199 "default-src; script-src 'self';", |
| 179 InsecureValueWarning("default-src", "*"))); | 200 InsecureValueWarning("default-src", "*"))); |
| 180 EXPECT_TRUE(CheckSanitizeCSP( | 201 EXPECT_TRUE( |
| 181 "default-src *; script-src 'self'; img-src 'self'", | 202 CheckCSP(SanitizeCSP("default-src *; script-src 'self'; img-src 'self'", |
| 182 OPTIONS_ALLOW_UNSAFE_EVAL, | 203 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 183 "default-src; script-src 'self'; img-src 'self';", | 204 "default-src; script-src 'self'; img-src 'self';", |
| 184 InsecureValueWarning("default-src", "*"))); | 205 InsecureValueWarning("default-src", "*"))); |
| 185 EXPECT_TRUE(CheckSanitizeCSP( | 206 EXPECT_TRUE(CheckCSP( |
| 186 "default-src *; script-src 'self'; object-src 'self';", | 207 SanitizeCSP("default-src *; script-src 'self'; object-src 'self';", |
| 187 OPTIONS_ALLOW_UNSAFE_EVAL, | 208 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 188 "default-src; script-src 'self'; object-src 'self';")); | 209 "default-src; script-src 'self'; object-src 'self';")); |
| 189 EXPECT_TRUE(CheckSanitizeCSP( | 210 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src 'self';", |
| 190 "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 211 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 191 EXPECT_TRUE(CheckSanitizeCSP( | 212 EXPECT_TRUE(CheckCSP( |
| 192 "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 213 SanitizeCSP("default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 193 | 214 |
| 194 EXPECT_TRUE(CheckSanitizeCSP( | 215 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'unsafe-eval'", OPTIONS_NONE), |
| 195 "default-src 'unsafe-eval'", OPTIONS_NONE, | 216 "default-src;", |
| 196 "default-src;", | 217 InsecureValueWarning("default-src", "'unsafe-eval'"))); |
| 197 InsecureValueWarning("default-src", "'unsafe-eval'"))); | 218 EXPECT_TRUE(CheckCSP( |
| 198 EXPECT_TRUE(CheckSanitizeCSP( | 219 SanitizeCSP("default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 199 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL, | 220 "default-src;", InsecureValueWarning("default-src", "'unsafe-inline'"))); |
| 200 "default-src;", | 221 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'unsafe-inline' 'none'", |
| 201 InsecureValueWarning("default-src", "'unsafe-inline'"))); | 222 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 202 EXPECT_TRUE(CheckSanitizeCSP( | 223 "default-src 'none';", |
| 203 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, | 224 InsecureValueWarning("default-src", "'unsafe-inline'"))); |
| 204 "default-src 'none';", | 225 EXPECT_TRUE( |
| 205 InsecureValueWarning("default-src", "'unsafe-inline'"))); | 226 CheckCSP(SanitizeCSP("default-src 'self' http://google.com", |
| 206 EXPECT_TRUE(CheckSanitizeCSP( | 227 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 207 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 228 "default-src 'self';", |
| 208 "default-src 'self';", | 229 InsecureValueWarning("default-src", "http://google.com"))); |
| 209 InsecureValueWarning("default-src", "http://google.com"))); | 230 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://google.com;", |
| 210 EXPECT_TRUE(CheckSanitizeCSP( | 231 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 211 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 232 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' chrome://resources;", |
| 212 EXPECT_TRUE(CheckSanitizeCSP( | 233 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 213 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 234 EXPECT_TRUE( |
| 214 EXPECT_TRUE(CheckSanitizeCSP( | 235 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://aabbcc;", |
| 215 "default-src 'self' chrome-extension://aabbcc;", | 236 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 216 OPTIONS_ALLOW_UNSAFE_EVAL)); | 237 EXPECT_TRUE(CheckCSP( |
| 217 EXPECT_TRUE(CheckSanitizeCSP( | 238 SanitizeCSP("default-src 'self' chrome-extension-resource://aabbcc;", |
| 218 "default-src 'self' chrome-extension-resource://aabbcc;", | 239 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 219 OPTIONS_ALLOW_UNSAFE_EVAL)); | 240 EXPECT_TRUE(CheckCSP( |
| 220 EXPECT_TRUE(CheckSanitizeCSP( | 241 SanitizeCSP("default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 221 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL, | 242 "default-src 'self';", InsecureValueWarning("default-src", "https:"))); |
| 222 "default-src 'self';", | 243 EXPECT_TRUE(CheckCSP( |
| 223 InsecureValueWarning("default-src", "https:"))); | 244 SanitizeCSP("default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 224 EXPECT_TRUE(CheckSanitizeCSP( | 245 "default-src 'self';", InsecureValueWarning("default-src", "http:"))); |
| 225 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL, | 246 EXPECT_TRUE(CheckCSP( |
| 226 "default-src 'self';", | 247 SanitizeCSP("default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 227 InsecureValueWarning("default-src", "http:"))); | |
| 228 EXPECT_TRUE(CheckSanitizeCSP( | |
| 229 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | |
| 230 "default-src 'self';", | 248 "default-src 'self';", |
| 231 InsecureValueWarning("default-src", "google.com"))); | 249 InsecureValueWarning("default-src", "google.com"))); |
| 232 | 250 |
| 233 EXPECT_TRUE(CheckSanitizeCSP( | 251 EXPECT_TRUE(CheckCSP( |
| 234 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL, | 252 SanitizeCSP("default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 235 "default-src 'self';", | 253 "default-src 'self';", InsecureValueWarning("default-src", "*"))); |
| 236 InsecureValueWarning("default-src", "*"))); | 254 EXPECT_TRUE(CheckCSP( |
| 237 EXPECT_TRUE(CheckSanitizeCSP( | 255 SanitizeCSP("default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 238 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL, | 256 "default-src 'self';", InsecureValueWarning("default-src", "*:*"))); |
| 239 "default-src 'self';", | 257 EXPECT_TRUE(CheckCSP( |
| 240 InsecureValueWarning("default-src", "*:*"))); | 258 SanitizeCSP("default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 241 EXPECT_TRUE(CheckSanitizeCSP( | 259 "default-src 'self';", InsecureValueWarning("default-src", "*:*/"))); |
| 242 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 260 EXPECT_TRUE(CheckCSP( |
| 243 "default-src 'self';", | 261 SanitizeCSP("default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 244 InsecureValueWarning("default-src", "*:*/"))); | 262 "default-src 'self';", InsecureValueWarning("default-src", "*:*/path"))); |
| 245 EXPECT_TRUE(CheckSanitizeCSP( | 263 EXPECT_TRUE(CheckCSP( |
| 246 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, | 264 SanitizeCSP("default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 247 "default-src 'self';", | 265 "default-src 'self';", InsecureValueWarning("default-src", "https://"))); |
| 248 InsecureValueWarning("default-src", "*:*/path"))); | 266 EXPECT_TRUE(CheckCSP( |
| 249 EXPECT_TRUE(CheckSanitizeCSP( | 267 SanitizeCSP("default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 250 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL, | |
| 251 "default-src 'self';", | |
| 252 InsecureValueWarning("default-src", "https://"))); | |
| 253 EXPECT_TRUE(CheckSanitizeCSP( | |
| 254 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL, | |
| 255 "default-src 'self';", | 268 "default-src 'self';", |
| 256 InsecureValueWarning("default-src", "https://*:*"))); | 269 InsecureValueWarning("default-src", "https://*:*"))); |
| 257 EXPECT_TRUE(CheckSanitizeCSP( | 270 EXPECT_TRUE(CheckCSP( |
| 258 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 271 SanitizeCSP("default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 259 "default-src 'self';", | 272 "default-src 'self';", |
| 260 InsecureValueWarning("default-src", "https://*:*/"))); | 273 InsecureValueWarning("default-src", "https://*:*/"))); |
| 261 EXPECT_TRUE(CheckSanitizeCSP( | 274 EXPECT_TRUE( |
| 262 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, | 275 CheckCSP(SanitizeCSP("default-src 'self' https://*:*/path", |
| 263 "default-src 'self';", | 276 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 264 InsecureValueWarning("default-src", "https://*:*/path"))); | 277 "default-src 'self';", |
| 265 EXPECT_TRUE(CheckSanitizeCSP( | 278 InsecureValueWarning("default-src", "https://*:*/path"))); |
| 266 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 279 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.com", |
| 267 "default-src 'self';", | 280 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 268 InsecureValueWarning("default-src", "https://*.com"))); | 281 "default-src 'self';", |
| 269 EXPECT_TRUE(CheckSanitizeCSP( | 282 InsecureValueWarning("default-src", "https://*.com"))); |
| 270 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, | 283 EXPECT_TRUE( |
| 271 "default-src 'self';", | 284 CheckCSP(SanitizeCSP("default-src 'self' https://*.*.google.com/", |
| 272 InsecureValueWarning("default-src", "https://*.*.google.com/"))); | 285 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 273 EXPECT_TRUE(CheckSanitizeCSP( | 286 "default-src 'self';", |
| 274 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 287 InsecureValueWarning("default-src", "https://*.*.google.com/"))); |
| 288 EXPECT_TRUE(CheckCSP( | |
| 289 SanitizeCSP("default-src 'self' https://*.*.google.com:*/", | |
| 290 OPTIONS_ALLOW_UNSAFE_EVAL), | |
| 275 "default-src 'self';", | 291 "default-src 'self';", |
| 276 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); | 292 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); |
| 277 EXPECT_TRUE(CheckSanitizeCSP( | 293 EXPECT_TRUE(CheckCSP( |
| 278 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, | 294 SanitizeCSP("default-src 'self' https://www.*.google.com/", |
| 295 OPTIONS_ALLOW_UNSAFE_EVAL), | |
| 279 "default-src 'self';", | 296 "default-src 'self';", |
| 280 InsecureValueWarning("default-src", "https://www.*.google.com/"))); | 297 InsecureValueWarning("default-src", "https://www.*.google.com/"))); |
| 281 EXPECT_TRUE(CheckSanitizeCSP( | 298 EXPECT_TRUE(CheckCSP( |
| 282 "default-src 'self' https://www.*.google.com:*/", | 299 SanitizeCSP("default-src 'self' https://www.*.google.com:*/", |
| 283 OPTIONS_ALLOW_UNSAFE_EVAL, | 300 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 284 "default-src 'self';", | 301 "default-src 'self';", |
| 285 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); | 302 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); |
| 286 EXPECT_TRUE(CheckSanitizeCSP( | 303 EXPECT_TRUE(CheckCSP( |
| 287 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL, | 304 SanitizeCSP("default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 288 "default-src 'self';", | 305 "default-src 'self';", |
| 289 InsecureValueWarning("default-src", "chrome://*"))); | 306 InsecureValueWarning("default-src", "chrome://*"))); |
| 290 EXPECT_TRUE(CheckSanitizeCSP( | 307 EXPECT_TRUE( |
| 291 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL, | 308 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://*", |
| 292 "default-src 'self';", | 309 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 293 InsecureValueWarning("default-src", "chrome-extension://*"))); | 310 "default-src 'self';", |
| 294 EXPECT_TRUE(CheckSanitizeCSP( | 311 InsecureValueWarning("default-src", "chrome-extension://*"))); |
| 295 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL, | 312 EXPECT_TRUE( |
| 296 "default-src 'self';", | 313 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://", |
| 297 InsecureValueWarning("default-src", "chrome-extension://"))); | 314 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 298 | 315 "default-src 'self';", |
| 299 EXPECT_TRUE(CheckSanitizeCSP( | 316 InsecureValueWarning("default-src", "chrome-extension://"))); |
| 300 "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 317 |
| 301 EXPECT_TRUE(CheckSanitizeCSP( | 318 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com;", |
| 302 "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 319 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 303 EXPECT_TRUE(CheckSanitizeCSP( | 320 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:1;", |
| 304 "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 321 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 305 EXPECT_TRUE(CheckSanitizeCSP( | 322 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:*;", |
| 306 "default-src 'self' https://*.google.com:1/;", | 323 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 307 OPTIONS_ALLOW_UNSAFE_EVAL)); | 324 EXPECT_TRUE( |
| 308 EXPECT_TRUE(CheckSanitizeCSP( | 325 CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:1/;", |
| 309 "default-src 'self' https://*.google.com:*/;", | 326 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 310 OPTIONS_ALLOW_UNSAFE_EVAL)); | 327 EXPECT_TRUE( |
| 311 | 328 CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:*/;", |
| 312 EXPECT_TRUE(CheckSanitizeCSP( | 329 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 313 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 330 |
| 314 EXPECT_TRUE(CheckSanitizeCSP( | 331 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://127.0.0.1;", |
| 315 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 332 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 316 EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;", | 333 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://localhost;", |
| 317 OPTIONS_ALLOW_UNSAFE_EVAL, | 334 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 318 "default-src 'self' http://lOcAlHoSt;")); | 335 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://lOcAlHoSt;", |
| 319 EXPECT_TRUE(CheckSanitizeCSP( | 336 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 320 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 337 "default-src 'self' http://lOcAlHoSt;")); |
| 321 EXPECT_TRUE(CheckSanitizeCSP( | 338 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://127.0.0.1:9999;", |
| 322 "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 339 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 323 EXPECT_TRUE(CheckSanitizeCSP( | 340 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://localhost:8888;", |
| 324 "default-src 'self' http://127.0.0.1.example.com", | 341 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 325 OPTIONS_ALLOW_UNSAFE_EVAL, | 342 EXPECT_TRUE(CheckCSP( |
| 343 SanitizeCSP("default-src 'self' http://127.0.0.1.example.com", | |
| 344 OPTIONS_ALLOW_UNSAFE_EVAL), | |
| 326 "default-src 'self';", | 345 "default-src 'self';", |
| 327 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); | 346 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); |
| 328 EXPECT_TRUE(CheckSanitizeCSP( | 347 EXPECT_TRUE(CheckCSP( |
| 329 "default-src 'self' http://localhost.example.com", | 348 SanitizeCSP("default-src 'self' http://localhost.example.com", |
| 330 OPTIONS_ALLOW_UNSAFE_EVAL, | 349 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 331 "default-src 'self';", | 350 "default-src 'self';", |
| 332 InsecureValueWarning("default-src", "http://localhost.example.com"))); | 351 InsecureValueWarning("default-src", "http://localhost.example.com"))); |
| 333 | 352 |
| 334 EXPECT_TRUE(CheckSanitizeCSP( | 353 EXPECT_TRUE(CheckCSP( |
| 335 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 354 SanitizeCSP("default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 336 EXPECT_TRUE(CheckSanitizeCSP( | 355 EXPECT_TRUE(CheckCSP( |
| 337 "default-src 'self' blob:http://example.com/XXX", | 356 SanitizeCSP("default-src 'self' blob:http://example.com/XXX", |
| 338 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", | 357 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 358 "default-src 'self';", | |
| 339 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); | 359 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); |
| 340 EXPECT_TRUE(CheckSanitizeCSP( | 360 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' filesystem:;", |
| 341 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 361 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 342 EXPECT_TRUE(CheckSanitizeCSP( | 362 EXPECT_TRUE(CheckCSP( |
| 343 "default-src 'self' filesystem:http://example.com/XX", | 363 SanitizeCSP("default-src 'self' filesystem:http://example.com/XX", |
| 344 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", | 364 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 365 "default-src 'self';", | |
| 345 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); | 366 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); |
| 346 | 367 |
| 347 EXPECT_TRUE(CheckSanitizeCSP( | 368 EXPECT_TRUE( |
| 348 "default-src 'self' https://*.googleapis.com;", | 369 CheckCSP(SanitizeCSP("default-src 'self' https://*.googleapis.com;", |
| 349 OPTIONS_ALLOW_UNSAFE_EVAL)); | 370 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 350 EXPECT_TRUE(CheckSanitizeCSP( | 371 EXPECT_TRUE( |
| 351 "default-src 'self' https://x.googleapis.com;", | 372 CheckCSP(SanitizeCSP("default-src 'self' https://x.googleapis.com;", |
| 352 OPTIONS_ALLOW_UNSAFE_EVAL)); | 373 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 353 | 374 |
| 354 EXPECT_TRUE(CheckSanitizeCSP( | 375 EXPECT_TRUE( |
| 355 "script-src 'self'; object-src *", OPTIONS_NONE, | 376 CheckCSP(SanitizeCSP("script-src 'self'; object-src *", OPTIONS_NONE), |
| 356 "script-src 'self'; object-src;", | 377 "script-src 'self'; object-src;", |
| 357 InsecureValueWarning("object-src", "*"))); | 378 InsecureValueWarning("object-src", "*"))); |
| 358 EXPECT_TRUE(CheckSanitizeCSP( | 379 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src *", |
| 359 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 380 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
| 360 "script-src 'self'; object-src;", | 381 "script-src 'self'; object-src;", |
| 361 InsecureValueWarning("object-src", "*"))); | 382 InsecureValueWarning("object-src", "*"))); |
| 362 EXPECT_TRUE(CheckSanitizeCSP( | 383 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 363 "script-src 'self'; object-src *; plugin-types application/pdf;", | 384 "script-src 'self'; object-src *; plugin-types application/pdf;", |
| 364 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 385 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
| 365 EXPECT_TRUE(CheckSanitizeCSP( | 386 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src *; " |
| 366 "script-src 'self'; object-src *; " | 387 "plugin-types application/x-shockwave-flash", |
| 367 "plugin-types application/x-shockwave-flash", | 388 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
| 368 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 389 "script-src 'self'; object-src; " |
| 369 "script-src 'self'; object-src; " | 390 "plugin-types application/x-shockwave-flash;", |
| 370 "plugin-types application/x-shockwave-flash;", | 391 InsecureValueWarning("object-src", "*"))); |
| 371 InsecureValueWarning("object-src", "*"))); | 392 EXPECT_TRUE(CheckCSP( |
| 372 EXPECT_TRUE(CheckSanitizeCSP( | 393 SanitizeCSP("script-src 'self'; object-src *; " |
| 373 "script-src 'self'; object-src *; " | 394 "plugin-types application/x-shockwave-flash application/pdf;", |
| 374 "plugin-types application/x-shockwave-flash application/pdf;", | 395 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
| 375 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | |
| 376 "script-src 'self'; object-src; " | 396 "script-src 'self'; object-src; " |
| 377 "plugin-types application/x-shockwave-flash application/pdf;", | 397 "plugin-types application/x-shockwave-flash application/pdf;", |
| 378 InsecureValueWarning("object-src", "*"))); | 398 InsecureValueWarning("object-src", "*"))); |
| 379 EXPECT_TRUE(CheckSanitizeCSP( | 399 EXPECT_TRUE(CheckCSP( |
| 380 "script-src 'self'; object-src http://www.example.com; " | 400 SanitizeCSP("script-src 'self'; object-src http://www.example.com; " |
| 381 "plugin-types application/pdf;", | 401 "plugin-types application/pdf;", |
| 382 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 402 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
| 383 EXPECT_TRUE(CheckSanitizeCSP( | 403 EXPECT_TRUE(CheckCSP( |
| 384 "object-src http://www.example.com blob:; script-src 'self'; " | 404 SanitizeCSP("object-src http://www.example.com blob:; script-src 'self'; " |
| 385 "plugin-types application/pdf;", | 405 "plugin-types application/pdf;", |
| 386 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 406 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
| 387 EXPECT_TRUE(CheckSanitizeCSP( | 407 EXPECT_TRUE(CheckCSP( |
| 388 "script-src 'self'; object-src http://*.example.com; " | 408 SanitizeCSP("script-src 'self'; object-src http://*.example.com; " |
| 389 "plugin-types application/pdf;", | 409 "plugin-types application/pdf;", |
| 390 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 410 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
| 391 EXPECT_TRUE(CheckSanitizeCSP( | 411 EXPECT_TRUE(CheckCSP( |
| 392 "script-src *; object-src *; plugin-types application/pdf;", | 412 SanitizeCSP("script-src *; object-src *; plugin-types application/pdf;", |
| 393 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 413 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
| 394 "script-src; object-src *; plugin-types application/pdf;", | 414 "script-src; object-src *; plugin-types application/pdf;", |
| 395 InsecureValueWarning("script-src", "*"))); | 415 InsecureValueWarning("script-src", "*"))); |
| 396 | 416 |
| 397 EXPECT_TRUE(CheckSanitizeCSP( | 417 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 398 "default-src; script-src" | 418 "default-src; script-src" |
| 399 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" | 419 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" |
| 400 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" | 420 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" |
| 401 "t'" | 421 "t'" |
| 402 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" | 422 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" |
| 403 "vCSapSz5CVoUGHQcxv43UQg==';", | 423 "vCSapSz5CVoUGHQcxv43UQg==';", |
| 404 OPTIONS_NONE)); | 424 OPTIONS_NONE))); |
| 405 | 425 |
| 406 // Reject non-standard algorithms, even if they are still supported by Blink. | 426 // Reject non-standard algorithms, even if they are still supported by Blink. |
| 407 EXPECT_TRUE(CheckSanitizeCSP( | 427 EXPECT_TRUE(CheckCSP( |
| 408 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", | 428 SanitizeCSP( |
| 409 OPTIONS_NONE, "default-src; script-src;", | 429 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", |
| 430 OPTIONS_NONE), | |
| 431 "default-src; script-src;", | |
| 410 InsecureValueWarning("script-src", | 432 InsecureValueWarning("script-src", |
| 411 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); | 433 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); |
| 412 | 434 |
| 413 EXPECT_TRUE(CheckSanitizeCSP( | 435 EXPECT_TRUE(CheckCSP( |
| 414 "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" | 436 SanitizeCSP("default-src; script-src " |
| 415 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", | 437 "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" |
| 416 OPTIONS_NONE, "default-src; script-src;", | 438 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", |
| 439 OPTIONS_NONE), | |
| 440 "default-src; script-src;", | |
| 417 InsecureValueWarning( | 441 InsecureValueWarning( |
| 418 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), | 442 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), |
| 419 InsecureValueWarning( | 443 InsecureValueWarning( |
| 420 "script-src", | 444 "script-src", |
| 421 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); | 445 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); |
| 422 } | 446 } |
| 423 | 447 |
| 424 TEST(ExtensionCSPValidator, IsSandboxed) { | 448 TEST(ExtensionCSPValidator, IsSandboxed) { |
| 425 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), | 449 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), |
| 426 Manifest::TYPE_EXTENSION)); | 450 Manifest::TYPE_EXTENSION)); |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 447 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); | 471 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); |
| 448 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( | 472 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( |
| 449 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); | 473 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); |
| 450 | 474 |
| 451 // Popups are OK. | 475 // Popups are OK. |
| 452 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 476 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 453 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); | 477 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); |
| 454 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 478 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 455 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); | 479 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
| 456 } | 480 } |
| 481 | |
| 482 TEST(ExtensionCSPValidator, EffectiveSandboxedPageCSP) { | |
| 483 EXPECT_TRUE(CheckCSP( | |
| 484 SanitizeSandboxPageCSP(""), | |
| 485 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")); | |
| 486 EXPECT_TRUE(CheckCSP( | |
| 487 SanitizeSandboxPageCSP("child-src http://www.google.com"), | |
| 488 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';", | |
| 489 InsecureValueWarning("child-src", "http://www.google.com"))); | |
| 490 EXPECT_TRUE(CheckCSP( | |
| 491 SanitizeSandboxPageCSP("child-src *"), | |
| 492 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';", | |
| 493 InsecureValueWarning("child-src", "*"))); | |
| 494 EXPECT_TRUE(CheckCSP( | |
| 495 SanitizeSandboxPageCSP("child-src 'none'"), | |
| 496 "child-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")); | |
| 497 | |
| 498 // Directive values of 'none' and 'self' are preserved. | |
| 499 EXPECT_TRUE( | |
| 500 CheckCSP(SanitizeSandboxPageCSP("script-src 'none'; frame-src 'self';"), | |
| 501 "frame-src 'self'; script-src 'none';")); | |
| 502 EXPECT_TRUE(CheckCSP( | |
| 503 SanitizeSandboxPageCSP( | |
| 504 "script-src 'none'; frame-src 'self' http://www.google.com;"), | |
| 505 "frame-src 'self'; script-src 'none';", | |
| 506 InsecureValueWarning("frame-src", "http://www.google.com"))); | |
| 507 | |
| 508 // script-src will add 'unsafe-inline' and 'unsafe-eval' only if script-src is | |
| 509 // not specified. | |
| 510 EXPECT_TRUE(CheckCSP(SanitizeSandboxPageCSP("script-src 'self'"), | |
| 511 "script-src 'self'; child-src 'self'")); | |
| 512 EXPECT_TRUE( | |
| 513 CheckCSP(SanitizeSandboxPageCSP( | |
| 514 "script-src 'self' 'unsafe-inline'; child-src 'self';"), | |
| 515 "child-src 'self'; script-src 'self' 'unsafe-inline';")); | |
| 516 EXPECT_TRUE( | |
| 517 CheckCSP(SanitizeSandboxPageCSP( | |
| 518 "script-src 'self' 'unsafe-eval'; child-src 'self';"), | |
| 519 "child-src 'self'; script-src 'self' 'unsafe-eval';")); | |
| 520 | |
| 521 // child-src and frame-src are handled correctly. | |
| 522 EXPECT_TRUE(CheckCSP( | |
| 523 SanitizeSandboxPageCSP( | |
| 524 "script-src 'none'; frame-src 'self' http://www.google.com;"), | |
| 525 "frame-src 'self'; script-src 'none';", | |
| 526 InsecureValueWarning("frame-src", "http://www.google.com"))); | |
| 527 EXPECT_TRUE(CheckCSP( | |
| 528 SanitizeSandboxPageCSP( | |
| 529 "script-src 'none'; child-src 'self' http://www.google.com;"), | |
| 530 "child-src 'self'; script-src 'none';", | |
| 531 InsecureValueWarning("child-src", "http://www.google.com"))); | |
| 532 | |
| 533 // Multiple insecure values. | |
| 534 EXPECT_TRUE(CheckCSP( | |
| 535 SanitizeSandboxPageCSP( | |
| 536 "script-src 'none'; child-src http://bar.com 'self' http://foo.com;"), | |
| 537 "child-src 'self'; script-src 'none';", | |
| 538 InsecureValueWarning("child-src", "http://bar.com"), | |
| 539 InsecureValueWarning("child-src", "http://foo.com"))); | |
| 540 } | |
| OLD | NEW |
