OLD | NEW |
---|---|
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <stddef.h> | 5 #include <stddef.h> |
6 | 6 |
7 #include "base/strings/string_split.h" | |
7 #include "extensions/common/csp_validator.h" | 8 #include "extensions/common/csp_validator.h" |
8 #include "extensions/common/error_utils.h" | 9 #include "extensions/common/error_utils.h" |
9 #include "extensions/common/install_warning.h" | 10 #include "extensions/common/install_warning.h" |
10 #include "extensions/common/manifest_constants.h" | 11 #include "extensions/common/manifest_constants.h" |
11 #include "testing/gtest/include/gtest/gtest.h" | 12 #include "testing/gtest/include/gtest/gtest.h" |
12 | 13 |
13 using extensions::csp_validator::ContentSecurityPolicyIsLegal; | 14 using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
15 using extensions::csp_validator::GetEffectiveSandoxedPageCSP; | |
14 using extensions::csp_validator::SanitizeContentSecurityPolicy; | 16 using extensions::csp_validator::SanitizeContentSecurityPolicy; |
15 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; | 17 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
16 using extensions::csp_validator::OPTIONS_NONE; | 18 using extensions::csp_validator::OPTIONS_NONE; |
17 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; | 19 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; |
18 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; | 20 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; |
19 using extensions::ErrorUtils; | 21 using extensions::ErrorUtils; |
20 using extensions::InstallWarning; | 22 using extensions::InstallWarning; |
21 using extensions::Manifest; | 23 using extensions::Manifest; |
22 | 24 |
23 namespace { | 25 namespace { |
24 | 26 |
25 std::string InsecureValueWarning(const std::string& directive, | 27 std::string InsecureValueWarning(const std::string& directive, |
26 const std::string& value) { | 28 const std::string& value) { |
27 return ErrorUtils::FormatErrorMessage( | 29 return ErrorUtils::FormatErrorMessage( |
28 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); | 30 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); |
29 } | 31 } |
30 | 32 |
31 std::string MissingSecureSrcWarning(const std::string& directive) { | 33 std::string MissingSecureSrcWarning(const std::string& directive) { |
32 return ErrorUtils::FormatErrorMessage( | 34 return ErrorUtils::FormatErrorMessage( |
33 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); | 35 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); |
34 } | 36 } |
35 | 37 |
36 testing::AssertionResult CheckSanitizeCSP( | 38 bool CSPEquals(const std::string& csp1, const std::string& csp2) { |
37 const std::string& policy, | 39 std::vector<std::string> csp1_parts = base::SplitString( |
38 int options, | 40 csp1, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
41 std::sort(csp1_parts.begin(), csp1_parts.end()); | |
42 std::vector<std::string> csp2_parts = base::SplitString( | |
43 csp2, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); | |
44 std::sort(csp2_parts.begin(), csp2_parts.end()); | |
45 return csp1_parts == csp2_parts; | |
46 } | |
47 | |
48 struct SanitizedCSPResult { | |
49 std::string csp; | |
50 std::vector<InstallWarning> warnings; | |
51 }; | |
52 | |
53 SanitizedCSPResult SanitizeCSP(const std::string& policy, int options) { | |
54 SanitizedCSPResult result; | |
55 result.csp = SanitizeContentSecurityPolicy(policy, options, &result.warnings); | |
56 return result; | |
57 } | |
58 | |
59 SanitizedCSPResult SanitizeSandboxPageCSP(const std::string& policy) { | |
60 SanitizedCSPResult result; | |
61 result.csp = GetEffectiveSandoxedPageCSP(policy, &result.warnings); | |
62 return result; | |
63 } | |
64 | |
65 testing::AssertionResult CheckCSP( | |
66 const SanitizedCSPResult& actual, | |
39 const std::string& expected_csp, | 67 const std::string& expected_csp, |
40 const std::vector<std::string>& expected_warnings) { | 68 const std::vector<std::string>& expected_warnings) { |
41 std::vector<InstallWarning> actual_warnings; | 69 if (!CSPEquals(expected_csp, actual.csp)) { |
42 std::string actual_csp = SanitizeContentSecurityPolicy(policy, | |
43 options, | |
44 &actual_warnings); | |
45 if (actual_csp != expected_csp) | |
46 return testing::AssertionFailure() | 70 return testing::AssertionFailure() |
47 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" | 71 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" |
48 << "Expected CSP: " << expected_csp << "\n" | 72 << "Expected CSP: " << expected_csp << "\n" |
49 << " Actual CSP: " << actual_csp; | 73 << " Actual CSP: " << actual.csp; |
74 } | |
50 | 75 |
51 if (expected_warnings.size() != actual_warnings.size()) { | 76 if (expected_warnings.size() != actual.warnings.size()) { |
52 testing::Message msg; | 77 testing::Message msg; |
53 msg << "Expected " << expected_warnings.size() | 78 msg << "Expected " << expected_warnings.size() << " warnings, but got " |
54 << " warnings, but got " << actual_warnings.size(); | 79 << actual.warnings.size(); |
55 for (size_t i = 0; i < actual_warnings.size(); ++i) | 80 for (size_t i = 0; i < actual.warnings.size(); ++i) |
56 msg << "\nWarning " << i << " " << actual_warnings[i].message; | 81 msg << "\nWarning " << i << " " << actual.warnings[i].message; |
57 return testing::AssertionFailure() << msg; | 82 return testing::AssertionFailure() << msg; |
58 } | 83 } |
59 | 84 |
60 for (size_t i = 0; i < expected_warnings.size(); ++i) { | 85 for (size_t i = 0; i < expected_warnings.size(); ++i) { |
61 if (expected_warnings[i] != actual_warnings[i].message) | 86 if (expected_warnings[i] != actual.warnings[i].message) |
62 return testing::AssertionFailure() | 87 return testing::AssertionFailure() |
63 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" | 88 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" |
64 << "Expected warning[" << i << "]: " << expected_warnings[i] | 89 << "Expected warning[" << i << "]: " << expected_warnings[i] |
65 << " Actual warning[" << i << "]: " << actual_warnings[i].message; | 90 << " Actual warning[" << i << "]: " << actual.warnings[i].message; |
66 } | 91 } |
67 return testing::AssertionSuccess(); | 92 return testing::AssertionSuccess(); |
68 } | 93 } |
69 | 94 |
70 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 95 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual) { |
71 int options) { | 96 return CheckCSP(actual, actual.csp, std::vector<std::string>()); |
72 return CheckSanitizeCSP(policy, options, policy, std::vector<std::string>()); | |
73 } | 97 } |
74 | 98 |
75 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 99 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
76 int options, | 100 const std::string& expected_csp) { |
77 const std::string& expected_csp) { | |
78 std::vector<std::string> expected_warnings; | 101 std::vector<std::string> expected_warnings; |
79 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 102 return CheckCSP(actual, expected_csp, expected_warnings); |
80 } | 103 } |
81 | 104 |
82 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 105 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
83 int options, | 106 const std::string& expected_csp, |
84 const std::string& expected_csp, | 107 const std::string& warning1) { |
85 const std::string& warning1) { | |
86 std::vector<std::string> expected_warnings(1, warning1); | 108 std::vector<std::string> expected_warnings(1, warning1); |
87 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 109 return CheckCSP(actual, expected_csp, expected_warnings); |
88 } | 110 } |
89 | 111 |
90 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 112 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
91 int options, | 113 const std::string& expected_csp, |
92 const std::string& expected_csp, | 114 const std::string& warning1, |
93 const std::string& warning1, | 115 const std::string& warning2) { |
94 const std::string& warning2) { | |
95 std::vector<std::string> expected_warnings(1, warning1); | 116 std::vector<std::string> expected_warnings(1, warning1); |
96 expected_warnings.push_back(warning2); | 117 expected_warnings.push_back(warning2); |
97 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 118 return CheckCSP(actual, expected_csp, expected_warnings); |
98 } | 119 } |
99 | 120 |
100 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 121 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
101 int options, | 122 const std::string& expected_csp, |
102 const std::string& expected_csp, | 123 const std::string& warning1, |
103 const std::string& warning1, | 124 const std::string& warning2, |
104 const std::string& warning2, | 125 const std::string& warning3) { |
105 const std::string& warning3) { | |
106 std::vector<std::string> expected_warnings(1, warning1); | 126 std::vector<std::string> expected_warnings(1, warning1); |
107 expected_warnings.push_back(warning2); | 127 expected_warnings.push_back(warning2); |
108 expected_warnings.push_back(warning3); | 128 expected_warnings.push_back(warning3); |
109 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 129 return CheckCSP(actual, expected_csp, expected_warnings); |
110 } | 130 } |
111 | 131 |
112 }; // namespace | 132 }; // namespace |
113 | 133 |
114 TEST(ExtensionCSPValidator, IsLegal) { | 134 TEST(ExtensionCSPValidator, IsLegal) { |
115 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); | 135 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); |
116 EXPECT_TRUE(ContentSecurityPolicyIsLegal( | 136 EXPECT_TRUE(ContentSecurityPolicyIsLegal( |
117 "default-src 'self'; script-src http://www.google.com")); | 137 "default-src 'self'; script-src http://www.google.com")); |
118 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 138 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
119 "default-src 'self';\nscript-src http://www.google.com")); | 139 "default-src 'self';\nscript-src http://www.google.com")); |
120 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 140 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
121 "default-src 'self';\rscript-src http://www.google.com")); | 141 "default-src 'self';\rscript-src http://www.google.com")); |
122 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 142 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
123 "default-src 'self';,script-src http://www.google.com")); | 143 "default-src 'self';,script-src http://www.google.com")); |
124 } | 144 } |
125 | 145 |
126 TEST(ExtensionCSPValidator, IsSecure) { | 146 TEST(ExtensionCSPValidator, IsSecure) { |
Devlin
2016/12/20 17:36:39
Are all the test changes the result of renames and
lazyboy
2016/12/22 03:07:30
Yes.
I've reverted some git cl format changes to m
| |
127 EXPECT_TRUE(CheckSanitizeCSP( | 147 EXPECT_TRUE(CheckCSP( |
128 std::string(), OPTIONS_ALLOW_UNSAFE_EVAL, | 148 SanitizeCSP(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL), |
129 "script-src 'self' chrome-extension-resource:; object-src 'self';", | 149 "script-src 'self' chrome-extension-resource:; object-src 'self';", |
130 MissingSecureSrcWarning("script-src"), | 150 MissingSecureSrcWarning("script-src"), |
131 MissingSecureSrcWarning("object-src"))); | 151 MissingSecureSrcWarning("object-src"))); |
132 EXPECT_TRUE(CheckSanitizeCSP( | 152 EXPECT_TRUE(CheckCSP( |
133 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 153 SanitizeCSP("img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
134 "img-src https://google.com; script-src 'self'" | 154 "img-src https://google.com; script-src 'self'" |
135 " chrome-extension-resource:; object-src 'self';", | 155 " chrome-extension-resource:; object-src 'self';", |
136 MissingSecureSrcWarning("script-src"), | 156 MissingSecureSrcWarning("script-src"), |
137 MissingSecureSrcWarning("object-src"))); | 157 MissingSecureSrcWarning("object-src"))); |
138 EXPECT_TRUE(CheckSanitizeCSP( | 158 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL), |
139 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL, | 159 "script-src; object-src 'self';", |
140 "script-src; object-src 'self';", | 160 InsecureValueWarning("script-src", "a"), |
141 InsecureValueWarning("script-src", "a"), | 161 InsecureValueWarning("script-src", "b"), |
142 InsecureValueWarning("script-src", "b"), | 162 MissingSecureSrcWarning("object-src"))); |
143 MissingSecureSrcWarning("object-src"))); | 163 |
144 | 164 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *", OPTIONS_ALLOW_UNSAFE_EVAL), |
145 EXPECT_TRUE(CheckSanitizeCSP( | 165 "default-src;", |
146 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, | 166 InsecureValueWarning("default-src", "*"))); |
147 "default-src;", | 167 EXPECT_TRUE( |
148 InsecureValueWarning("default-src", "*"))); | 168 CheckCSP(SanitizeCSP("default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
149 EXPECT_TRUE(CheckSanitizeCSP( | 169 EXPECT_TRUE( |
150 "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 170 CheckCSP(SanitizeCSP("default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
151 EXPECT_TRUE(CheckSanitizeCSP( | 171 EXPECT_TRUE( |
152 "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 172 CheckCSP(SanitizeCSP("default-src 'self' ftp://google.com", |
153 EXPECT_TRUE(CheckSanitizeCSP( | 173 OPTIONS_ALLOW_UNSAFE_EVAL), |
154 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 174 "default-src 'self';", |
155 "default-src 'self';", | 175 InsecureValueWarning("default-src", "ftp://google.com"))); |
156 InsecureValueWarning("default-src", "ftp://google.com"))); | 176 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://google.com;", |
157 EXPECT_TRUE(CheckSanitizeCSP( | 177 OPTIONS_ALLOW_UNSAFE_EVAL))); |
158 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 178 |
159 | 179 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *; default-src 'self'", |
160 EXPECT_TRUE(CheckSanitizeCSP( | 180 OPTIONS_ALLOW_UNSAFE_EVAL), |
161 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, | 181 "default-src; default-src 'self';", |
162 "default-src; default-src 'self';", | 182 InsecureValueWarning("default-src", "*"))); |
163 InsecureValueWarning("default-src", "*"))); | 183 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self'; default-src *;", |
164 EXPECT_TRUE(CheckSanitizeCSP( | 184 OPTIONS_ALLOW_UNSAFE_EVAL), |
165 "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL, | 185 "default-src 'self'; default-src;")); |
166 "default-src 'self'; default-src;")); | 186 EXPECT_TRUE(CheckCSP( |
167 EXPECT_TRUE(CheckSanitizeCSP( | 187 SanitizeCSP( |
168 "default-src 'self'; default-src *; script-src *; script-src 'self'", | 188 "default-src 'self'; default-src *; script-src *; script-src 'self'", |
169 OPTIONS_ALLOW_UNSAFE_EVAL, | 189 OPTIONS_ALLOW_UNSAFE_EVAL), |
170 "default-src 'self'; default-src; script-src; script-src 'self';", | 190 "default-src 'self'; default-src; script-src; script-src 'self';", |
171 InsecureValueWarning("script-src", "*"))); | 191 InsecureValueWarning("script-src", "*"))); |
172 EXPECT_TRUE(CheckSanitizeCSP( | 192 EXPECT_TRUE(CheckCSP( |
173 "default-src 'self'; default-src *; script-src 'self'; script-src *;", | 193 SanitizeCSP( |
174 OPTIONS_ALLOW_UNSAFE_EVAL, | 194 "default-src 'self'; default-src *; script-src 'self'; script-src *;", |
195 OPTIONS_ALLOW_UNSAFE_EVAL), | |
175 "default-src 'self'; default-src; script-src 'self'; script-src;")); | 196 "default-src 'self'; default-src; script-src 'self'; script-src;")); |
176 EXPECT_TRUE(CheckSanitizeCSP( | 197 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *; script-src 'self'", |
177 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, | 198 OPTIONS_ALLOW_UNSAFE_EVAL), |
178 "default-src; script-src 'self';", | 199 "default-src; script-src 'self';", |
179 InsecureValueWarning("default-src", "*"))); | 200 InsecureValueWarning("default-src", "*"))); |
180 EXPECT_TRUE(CheckSanitizeCSP( | 201 EXPECT_TRUE( |
181 "default-src *; script-src 'self'; img-src 'self'", | 202 CheckCSP(SanitizeCSP("default-src *; script-src 'self'; img-src 'self'", |
182 OPTIONS_ALLOW_UNSAFE_EVAL, | 203 OPTIONS_ALLOW_UNSAFE_EVAL), |
183 "default-src; script-src 'self'; img-src 'self';", | 204 "default-src; script-src 'self'; img-src 'self';", |
184 InsecureValueWarning("default-src", "*"))); | 205 InsecureValueWarning("default-src", "*"))); |
185 EXPECT_TRUE(CheckSanitizeCSP( | 206 EXPECT_TRUE(CheckCSP( |
186 "default-src *; script-src 'self'; object-src 'self';", | 207 SanitizeCSP("default-src *; script-src 'self'; object-src 'self';", |
187 OPTIONS_ALLOW_UNSAFE_EVAL, | 208 OPTIONS_ALLOW_UNSAFE_EVAL), |
188 "default-src; script-src 'self'; object-src 'self';")); | 209 "default-src; script-src 'self'; object-src 'self';")); |
189 EXPECT_TRUE(CheckSanitizeCSP( | 210 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src 'self';", |
190 "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 211 OPTIONS_ALLOW_UNSAFE_EVAL))); |
191 EXPECT_TRUE(CheckSanitizeCSP( | 212 EXPECT_TRUE(CheckCSP( |
192 "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 213 SanitizeCSP("default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
193 | 214 |
194 EXPECT_TRUE(CheckSanitizeCSP( | 215 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'unsafe-eval'", OPTIONS_NONE), |
195 "default-src 'unsafe-eval'", OPTIONS_NONE, | 216 "default-src;", |
196 "default-src;", | 217 InsecureValueWarning("default-src", "'unsafe-eval'"))); |
197 InsecureValueWarning("default-src", "'unsafe-eval'"))); | 218 EXPECT_TRUE(CheckCSP( |
198 EXPECT_TRUE(CheckSanitizeCSP( | 219 SanitizeCSP("default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL), |
199 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL, | 220 "default-src;", InsecureValueWarning("default-src", "'unsafe-inline'"))); |
200 "default-src;", | 221 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'unsafe-inline' 'none'", |
201 InsecureValueWarning("default-src", "'unsafe-inline'"))); | 222 OPTIONS_ALLOW_UNSAFE_EVAL), |
202 EXPECT_TRUE(CheckSanitizeCSP( | 223 "default-src 'none';", |
203 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, | 224 InsecureValueWarning("default-src", "'unsafe-inline'"))); |
204 "default-src 'none';", | 225 EXPECT_TRUE( |
205 InsecureValueWarning("default-src", "'unsafe-inline'"))); | 226 CheckCSP(SanitizeCSP("default-src 'self' http://google.com", |
206 EXPECT_TRUE(CheckSanitizeCSP( | 227 OPTIONS_ALLOW_UNSAFE_EVAL), |
207 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 228 "default-src 'self';", |
208 "default-src 'self';", | 229 InsecureValueWarning("default-src", "http://google.com"))); |
209 InsecureValueWarning("default-src", "http://google.com"))); | 230 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://google.com;", |
210 EXPECT_TRUE(CheckSanitizeCSP( | 231 OPTIONS_ALLOW_UNSAFE_EVAL))); |
211 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 232 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' chrome://resources;", |
212 EXPECT_TRUE(CheckSanitizeCSP( | 233 OPTIONS_ALLOW_UNSAFE_EVAL))); |
213 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 234 EXPECT_TRUE( |
214 EXPECT_TRUE(CheckSanitizeCSP( | 235 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://aabbcc;", |
215 "default-src 'self' chrome-extension://aabbcc;", | 236 OPTIONS_ALLOW_UNSAFE_EVAL))); |
216 OPTIONS_ALLOW_UNSAFE_EVAL)); | 237 EXPECT_TRUE(CheckCSP( |
217 EXPECT_TRUE(CheckSanitizeCSP( | 238 SanitizeCSP("default-src 'self' chrome-extension-resource://aabbcc;", |
218 "default-src 'self' chrome-extension-resource://aabbcc;", | 239 OPTIONS_ALLOW_UNSAFE_EVAL))); |
219 OPTIONS_ALLOW_UNSAFE_EVAL)); | 240 EXPECT_TRUE(CheckCSP( |
220 EXPECT_TRUE(CheckSanitizeCSP( | 241 SanitizeCSP("default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL), |
221 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL, | 242 "default-src 'self';", InsecureValueWarning("default-src", "https:"))); |
222 "default-src 'self';", | 243 EXPECT_TRUE(CheckCSP( |
223 InsecureValueWarning("default-src", "https:"))); | 244 SanitizeCSP("default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL), |
224 EXPECT_TRUE(CheckSanitizeCSP( | 245 "default-src 'self';", InsecureValueWarning("default-src", "http:"))); |
225 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL, | 246 EXPECT_TRUE(CheckCSP( |
226 "default-src 'self';", | 247 SanitizeCSP("default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
227 InsecureValueWarning("default-src", "http:"))); | |
228 EXPECT_TRUE(CheckSanitizeCSP( | |
229 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | |
230 "default-src 'self';", | 248 "default-src 'self';", |
231 InsecureValueWarning("default-src", "google.com"))); | 249 InsecureValueWarning("default-src", "google.com"))); |
232 | 250 |
233 EXPECT_TRUE(CheckSanitizeCSP( | 251 EXPECT_TRUE(CheckCSP( |
234 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL, | 252 SanitizeCSP("default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL), |
235 "default-src 'self';", | 253 "default-src 'self';", InsecureValueWarning("default-src", "*"))); |
236 InsecureValueWarning("default-src", "*"))); | 254 EXPECT_TRUE(CheckCSP( |
237 EXPECT_TRUE(CheckSanitizeCSP( | 255 SanitizeCSP("default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL), |
238 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL, | 256 "default-src 'self';", InsecureValueWarning("default-src", "*:*"))); |
239 "default-src 'self';", | 257 EXPECT_TRUE(CheckCSP( |
240 InsecureValueWarning("default-src", "*:*"))); | 258 SanitizeCSP("default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL), |
241 EXPECT_TRUE(CheckSanitizeCSP( | 259 "default-src 'self';", InsecureValueWarning("default-src", "*:*/"))); |
242 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 260 EXPECT_TRUE(CheckCSP( |
243 "default-src 'self';", | 261 SanitizeCSP("default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL), |
244 InsecureValueWarning("default-src", "*:*/"))); | 262 "default-src 'self';", InsecureValueWarning("default-src", "*:*/path"))); |
245 EXPECT_TRUE(CheckSanitizeCSP( | 263 EXPECT_TRUE(CheckCSP( |
246 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, | 264 SanitizeCSP("default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL), |
247 "default-src 'self';", | 265 "default-src 'self';", InsecureValueWarning("default-src", "https://"))); |
248 InsecureValueWarning("default-src", "*:*/path"))); | 266 EXPECT_TRUE(CheckCSP( |
249 EXPECT_TRUE(CheckSanitizeCSP( | 267 SanitizeCSP("default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL), |
250 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL, | |
251 "default-src 'self';", | |
252 InsecureValueWarning("default-src", "https://"))); | |
253 EXPECT_TRUE(CheckSanitizeCSP( | |
254 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL, | |
255 "default-src 'self';", | 268 "default-src 'self';", |
256 InsecureValueWarning("default-src", "https://*:*"))); | 269 InsecureValueWarning("default-src", "https://*:*"))); |
257 EXPECT_TRUE(CheckSanitizeCSP( | 270 EXPECT_TRUE(CheckCSP( |
258 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 271 SanitizeCSP("default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL), |
259 "default-src 'self';", | 272 "default-src 'self';", |
260 InsecureValueWarning("default-src", "https://*:*/"))); | 273 InsecureValueWarning("default-src", "https://*:*/"))); |
261 EXPECT_TRUE(CheckSanitizeCSP( | 274 EXPECT_TRUE( |
262 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, | 275 CheckCSP(SanitizeCSP("default-src 'self' https://*:*/path", |
263 "default-src 'self';", | 276 OPTIONS_ALLOW_UNSAFE_EVAL), |
264 InsecureValueWarning("default-src", "https://*:*/path"))); | 277 "default-src 'self';", |
265 EXPECT_TRUE(CheckSanitizeCSP( | 278 InsecureValueWarning("default-src", "https://*:*/path"))); |
266 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 279 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.com", |
267 "default-src 'self';", | 280 OPTIONS_ALLOW_UNSAFE_EVAL), |
268 InsecureValueWarning("default-src", "https://*.com"))); | 281 "default-src 'self';", |
269 EXPECT_TRUE(CheckSanitizeCSP( | 282 InsecureValueWarning("default-src", "https://*.com"))); |
270 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, | 283 EXPECT_TRUE( |
271 "default-src 'self';", | 284 CheckCSP(SanitizeCSP("default-src 'self' https://*.*.google.com/", |
272 InsecureValueWarning("default-src", "https://*.*.google.com/"))); | 285 OPTIONS_ALLOW_UNSAFE_EVAL), |
273 EXPECT_TRUE(CheckSanitizeCSP( | 286 "default-src 'self';", |
274 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 287 InsecureValueWarning("default-src", "https://*.*.google.com/"))); |
288 EXPECT_TRUE(CheckCSP( | |
289 SanitizeCSP("default-src 'self' https://*.*.google.com:*/", | |
290 OPTIONS_ALLOW_UNSAFE_EVAL), | |
275 "default-src 'self';", | 291 "default-src 'self';", |
276 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); | 292 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); |
277 EXPECT_TRUE(CheckSanitizeCSP( | 293 EXPECT_TRUE(CheckCSP( |
278 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, | 294 SanitizeCSP("default-src 'self' https://www.*.google.com/", |
295 OPTIONS_ALLOW_UNSAFE_EVAL), | |
279 "default-src 'self';", | 296 "default-src 'self';", |
280 InsecureValueWarning("default-src", "https://www.*.google.com/"))); | 297 InsecureValueWarning("default-src", "https://www.*.google.com/"))); |
281 EXPECT_TRUE(CheckSanitizeCSP( | 298 EXPECT_TRUE(CheckCSP( |
282 "default-src 'self' https://www.*.google.com:*/", | 299 SanitizeCSP("default-src 'self' https://www.*.google.com:*/", |
283 OPTIONS_ALLOW_UNSAFE_EVAL, | 300 OPTIONS_ALLOW_UNSAFE_EVAL), |
284 "default-src 'self';", | 301 "default-src 'self';", |
285 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); | 302 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); |
286 EXPECT_TRUE(CheckSanitizeCSP( | 303 EXPECT_TRUE(CheckCSP( |
287 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL, | 304 SanitizeCSP("default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL), |
288 "default-src 'self';", | 305 "default-src 'self';", |
289 InsecureValueWarning("default-src", "chrome://*"))); | 306 InsecureValueWarning("default-src", "chrome://*"))); |
290 EXPECT_TRUE(CheckSanitizeCSP( | 307 EXPECT_TRUE( |
291 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL, | 308 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://*", |
292 "default-src 'self';", | 309 OPTIONS_ALLOW_UNSAFE_EVAL), |
293 InsecureValueWarning("default-src", "chrome-extension://*"))); | 310 "default-src 'self';", |
294 EXPECT_TRUE(CheckSanitizeCSP( | 311 InsecureValueWarning("default-src", "chrome-extension://*"))); |
295 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL, | 312 EXPECT_TRUE( |
296 "default-src 'self';", | 313 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://", |
297 InsecureValueWarning("default-src", "chrome-extension://"))); | 314 OPTIONS_ALLOW_UNSAFE_EVAL), |
298 | 315 "default-src 'self';", |
299 EXPECT_TRUE(CheckSanitizeCSP( | 316 InsecureValueWarning("default-src", "chrome-extension://"))); |
300 "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 317 |
301 EXPECT_TRUE(CheckSanitizeCSP( | 318 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com;", |
302 "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 319 OPTIONS_ALLOW_UNSAFE_EVAL))); |
303 EXPECT_TRUE(CheckSanitizeCSP( | 320 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:1;", |
304 "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 321 OPTIONS_ALLOW_UNSAFE_EVAL))); |
305 EXPECT_TRUE(CheckSanitizeCSP( | 322 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:*;", |
306 "default-src 'self' https://*.google.com:1/;", | 323 OPTIONS_ALLOW_UNSAFE_EVAL))); |
307 OPTIONS_ALLOW_UNSAFE_EVAL)); | 324 EXPECT_TRUE( |
308 EXPECT_TRUE(CheckSanitizeCSP( | 325 CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:1/;", |
309 "default-src 'self' https://*.google.com:*/;", | 326 OPTIONS_ALLOW_UNSAFE_EVAL))); |
310 OPTIONS_ALLOW_UNSAFE_EVAL)); | 327 EXPECT_TRUE( |
311 | 328 CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:*/;", |
312 EXPECT_TRUE(CheckSanitizeCSP( | 329 OPTIONS_ALLOW_UNSAFE_EVAL))); |
313 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 330 |
314 EXPECT_TRUE(CheckSanitizeCSP( | 331 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://127.0.0.1;", |
315 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 332 OPTIONS_ALLOW_UNSAFE_EVAL))); |
316 EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;", | 333 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://localhost;", |
317 OPTIONS_ALLOW_UNSAFE_EVAL, | 334 OPTIONS_ALLOW_UNSAFE_EVAL))); |
318 "default-src 'self' http://lOcAlHoSt;")); | 335 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://lOcAlHoSt;", |
319 EXPECT_TRUE(CheckSanitizeCSP( | 336 OPTIONS_ALLOW_UNSAFE_EVAL), |
320 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 337 "default-src 'self' http://lOcAlHoSt;")); |
321 EXPECT_TRUE(CheckSanitizeCSP( | 338 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://127.0.0.1:9999;", |
322 "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 339 OPTIONS_ALLOW_UNSAFE_EVAL))); |
323 EXPECT_TRUE(CheckSanitizeCSP( | 340 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://localhost:8888;", |
324 "default-src 'self' http://127.0.0.1.example.com", | 341 OPTIONS_ALLOW_UNSAFE_EVAL))); |
325 OPTIONS_ALLOW_UNSAFE_EVAL, | 342 EXPECT_TRUE(CheckCSP( |
343 SanitizeCSP("default-src 'self' http://127.0.0.1.example.com", | |
344 OPTIONS_ALLOW_UNSAFE_EVAL), | |
326 "default-src 'self';", | 345 "default-src 'self';", |
327 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); | 346 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); |
328 EXPECT_TRUE(CheckSanitizeCSP( | 347 EXPECT_TRUE(CheckCSP( |
329 "default-src 'self' http://localhost.example.com", | 348 SanitizeCSP("default-src 'self' http://localhost.example.com", |
330 OPTIONS_ALLOW_UNSAFE_EVAL, | 349 OPTIONS_ALLOW_UNSAFE_EVAL), |
331 "default-src 'self';", | 350 "default-src 'self';", |
332 InsecureValueWarning("default-src", "http://localhost.example.com"))); | 351 InsecureValueWarning("default-src", "http://localhost.example.com"))); |
333 | 352 |
334 EXPECT_TRUE(CheckSanitizeCSP( | 353 EXPECT_TRUE(CheckCSP( |
335 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 354 SanitizeCSP("default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
336 EXPECT_TRUE(CheckSanitizeCSP( | 355 EXPECT_TRUE(CheckCSP( |
337 "default-src 'self' blob:http://example.com/XXX", | 356 SanitizeCSP("default-src 'self' blob:http://example.com/XXX", |
338 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", | 357 OPTIONS_ALLOW_UNSAFE_EVAL), |
358 "default-src 'self';", | |
339 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); | 359 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); |
340 EXPECT_TRUE(CheckSanitizeCSP( | 360 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' filesystem:;", |
341 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 361 OPTIONS_ALLOW_UNSAFE_EVAL))); |
342 EXPECT_TRUE(CheckSanitizeCSP( | 362 EXPECT_TRUE(CheckCSP( |
343 "default-src 'self' filesystem:http://example.com/XX", | 363 SanitizeCSP("default-src 'self' filesystem:http://example.com/XX", |
344 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", | 364 OPTIONS_ALLOW_UNSAFE_EVAL), |
365 "default-src 'self';", | |
345 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); | 366 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); |
346 | 367 |
347 EXPECT_TRUE(CheckSanitizeCSP( | 368 EXPECT_TRUE( |
348 "default-src 'self' https://*.googleapis.com;", | 369 CheckCSP(SanitizeCSP("default-src 'self' https://*.googleapis.com;", |
349 OPTIONS_ALLOW_UNSAFE_EVAL)); | 370 OPTIONS_ALLOW_UNSAFE_EVAL))); |
350 EXPECT_TRUE(CheckSanitizeCSP( | 371 EXPECT_TRUE( |
351 "default-src 'self' https://x.googleapis.com;", | 372 CheckCSP(SanitizeCSP("default-src 'self' https://x.googleapis.com;", |
352 OPTIONS_ALLOW_UNSAFE_EVAL)); | 373 OPTIONS_ALLOW_UNSAFE_EVAL))); |
353 | 374 |
354 EXPECT_TRUE(CheckSanitizeCSP( | 375 EXPECT_TRUE( |
355 "script-src 'self'; object-src *", OPTIONS_NONE, | 376 CheckCSP(SanitizeCSP("script-src 'self'; object-src *", OPTIONS_NONE), |
356 "script-src 'self'; object-src;", | 377 "script-src 'self'; object-src;", |
357 InsecureValueWarning("object-src", "*"))); | 378 InsecureValueWarning("object-src", "*"))); |
358 EXPECT_TRUE(CheckSanitizeCSP( | 379 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src *", |
359 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 380 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
360 "script-src 'self'; object-src;", | 381 "script-src 'self'; object-src;", |
361 InsecureValueWarning("object-src", "*"))); | 382 InsecureValueWarning("object-src", "*"))); |
362 EXPECT_TRUE(CheckSanitizeCSP( | 383 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
363 "script-src 'self'; object-src *; plugin-types application/pdf;", | 384 "script-src 'self'; object-src *; plugin-types application/pdf;", |
364 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 385 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
365 EXPECT_TRUE(CheckSanitizeCSP( | 386 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src *; " |
366 "script-src 'self'; object-src *; " | 387 "plugin-types application/x-shockwave-flash", |
367 "plugin-types application/x-shockwave-flash", | 388 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
368 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 389 "script-src 'self'; object-src; " |
369 "script-src 'self'; object-src; " | 390 "plugin-types application/x-shockwave-flash;", |
370 "plugin-types application/x-shockwave-flash;", | 391 InsecureValueWarning("object-src", "*"))); |
371 InsecureValueWarning("object-src", "*"))); | 392 EXPECT_TRUE(CheckCSP( |
372 EXPECT_TRUE(CheckSanitizeCSP( | 393 SanitizeCSP("script-src 'self'; object-src *; " |
373 "script-src 'self'; object-src *; " | 394 "plugin-types application/x-shockwave-flash application/pdf;", |
374 "plugin-types application/x-shockwave-flash application/pdf;", | 395 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
375 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | |
376 "script-src 'self'; object-src; " | 396 "script-src 'self'; object-src; " |
377 "plugin-types application/x-shockwave-flash application/pdf;", | 397 "plugin-types application/x-shockwave-flash application/pdf;", |
378 InsecureValueWarning("object-src", "*"))); | 398 InsecureValueWarning("object-src", "*"))); |
379 EXPECT_TRUE(CheckSanitizeCSP( | 399 EXPECT_TRUE(CheckCSP( |
380 "script-src 'self'; object-src http://www.example.com; " | 400 SanitizeCSP("script-src 'self'; object-src http://www.example.com; " |
381 "plugin-types application/pdf;", | 401 "plugin-types application/pdf;", |
382 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 402 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
383 EXPECT_TRUE(CheckSanitizeCSP( | 403 EXPECT_TRUE(CheckCSP( |
384 "object-src http://www.example.com blob:; script-src 'self'; " | 404 SanitizeCSP("object-src http://www.example.com blob:; script-src 'self'; " |
385 "plugin-types application/pdf;", | 405 "plugin-types application/pdf;", |
386 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 406 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
387 EXPECT_TRUE(CheckSanitizeCSP( | 407 EXPECT_TRUE(CheckCSP( |
388 "script-src 'self'; object-src http://*.example.com; " | 408 SanitizeCSP("script-src 'self'; object-src http://*.example.com; " |
389 "plugin-types application/pdf;", | 409 "plugin-types application/pdf;", |
390 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 410 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
391 EXPECT_TRUE(CheckSanitizeCSP( | 411 EXPECT_TRUE(CheckCSP( |
392 "script-src *; object-src *; plugin-types application/pdf;", | 412 SanitizeCSP("script-src *; object-src *; plugin-types application/pdf;", |
393 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 413 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
394 "script-src; object-src *; plugin-types application/pdf;", | 414 "script-src; object-src *; plugin-types application/pdf;", |
395 InsecureValueWarning("script-src", "*"))); | 415 InsecureValueWarning("script-src", "*"))); |
396 | 416 |
397 EXPECT_TRUE(CheckSanitizeCSP( | 417 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
398 "default-src; script-src" | 418 "default-src; script-src" |
399 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" | 419 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" |
400 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" | 420 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" |
401 "t'" | 421 "t'" |
402 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" | 422 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" |
403 "vCSapSz5CVoUGHQcxv43UQg==';", | 423 "vCSapSz5CVoUGHQcxv43UQg==';", |
404 OPTIONS_NONE)); | 424 OPTIONS_NONE))); |
405 | 425 |
406 // Reject non-standard algorithms, even if they are still supported by Blink. | 426 // Reject non-standard algorithms, even if they are still supported by Blink. |
407 EXPECT_TRUE(CheckSanitizeCSP( | 427 EXPECT_TRUE(CheckCSP( |
408 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", | 428 SanitizeCSP( |
409 OPTIONS_NONE, "default-src; script-src;", | 429 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", |
430 OPTIONS_NONE), | |
431 "default-src; script-src;", | |
410 InsecureValueWarning("script-src", | 432 InsecureValueWarning("script-src", |
411 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); | 433 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); |
412 | 434 |
413 EXPECT_TRUE(CheckSanitizeCSP( | 435 EXPECT_TRUE(CheckCSP( |
414 "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" | 436 SanitizeCSP("default-src; script-src " |
415 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", | 437 "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" |
416 OPTIONS_NONE, "default-src; script-src;", | 438 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", |
439 OPTIONS_NONE), | |
440 "default-src; script-src;", | |
417 InsecureValueWarning( | 441 InsecureValueWarning( |
418 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), | 442 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), |
419 InsecureValueWarning( | 443 InsecureValueWarning( |
420 "script-src", | 444 "script-src", |
421 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); | 445 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); |
422 } | 446 } |
423 | 447 |
424 TEST(ExtensionCSPValidator, IsSandboxed) { | 448 TEST(ExtensionCSPValidator, IsSandboxed) { |
425 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), | 449 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), |
426 Manifest::TYPE_EXTENSION)); | 450 Manifest::TYPE_EXTENSION)); |
447 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); | 471 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); |
448 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( | 472 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( |
449 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); | 473 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); |
450 | 474 |
451 // Popups are OK. | 475 // Popups are OK. |
452 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 476 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
453 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); | 477 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); |
454 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 478 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
455 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); | 479 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
456 } | 480 } |
481 | |
482 TEST(ExtensionCSPValidator, EffectiveSandboxedPageCSP) { | |
483 EXPECT_TRUE(CheckCSP( | |
484 SanitizeSandboxPageCSP(""), | |
485 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")); | |
486 EXPECT_TRUE(CheckCSP( | |
487 SanitizeSandboxPageCSP("child-src http://www.google.com"), | |
488 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';", | |
489 InsecureValueWarning("child-src", "http://www.google.com"))); | |
490 EXPECT_TRUE(CheckCSP( | |
491 SanitizeSandboxPageCSP("child-src *"), | |
492 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';", | |
493 InsecureValueWarning("child-src", "*"))); | |
494 EXPECT_TRUE(CheckCSP( | |
495 SanitizeSandboxPageCSP("child-src 'none'"), | |
496 "child-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")); | |
497 | |
498 // Directive values of 'none' and 'self' are preserved. | |
499 EXPECT_TRUE( | |
500 CheckCSP(SanitizeSandboxPageCSP("script-src 'none'; frame-src 'self';"), | |
501 "frame-src 'self'; script-src 'none';")); | |
502 EXPECT_TRUE(CheckCSP( | |
503 SanitizeSandboxPageCSP( | |
504 "script-src 'none'; frame-src 'self' http://www.google.com;"), | |
505 "frame-src 'self'; script-src 'none';", | |
506 InsecureValueWarning("frame-src", "http://www.google.com"))); | |
507 | |
508 // script-src will add 'unsafe-inline' and 'unsafe-eval' only if script-src is | |
509 // not specified. | |
510 EXPECT_TRUE(CheckCSP(SanitizeSandboxPageCSP("script-src 'self'"), | |
511 "script-src 'self'; child-src 'self'")); | |
512 EXPECT_TRUE( | |
513 CheckCSP(SanitizeSandboxPageCSP( | |
514 "script-src 'self' 'unsafe-inline'; child-src 'self';"), | |
515 "child-src 'self'; script-src 'self' 'unsafe-inline';")); | |
516 EXPECT_TRUE( | |
517 CheckCSP(SanitizeSandboxPageCSP( | |
518 "script-src 'self' 'unsafe-eval'; child-src 'self';"), | |
519 "child-src 'self'; script-src 'self' 'unsafe-eval';")); | |
520 | |
521 // child-src and frame-src are handled correctly. | |
522 EXPECT_TRUE(CheckCSP( | |
523 SanitizeSandboxPageCSP( | |
524 "script-src 'none'; frame-src 'self' http://www.google.com;"), | |
525 "frame-src 'self'; script-src 'none';", | |
526 InsecureValueWarning("frame-src", "http://www.google.com"))); | |
527 EXPECT_TRUE(CheckCSP( | |
528 SanitizeSandboxPageCSP( | |
529 "script-src 'none'; child-src 'self' http://www.google.com;"), | |
530 "child-src 'self'; script-src 'none';", | |
531 InsecureValueWarning("child-src", "http://www.google.com"))); | |
532 | |
533 // Multiple insecure values. | |
534 EXPECT_TRUE(CheckCSP( | |
535 SanitizeSandboxPageCSP( | |
536 "script-src 'none'; child-src http://bar.com 'self' http://foo.com;"), | |
537 "child-src 'self'; script-src 'none';", | |
538 InsecureValueWarning("child-src", "http://bar.com"), | |
539 InsecureValueWarning("child-src", "http://foo.com"))); | |
540 } | |