| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stddef.h> | 5 #include <stddef.h> |
| 6 | 6 |
| 7 #include "base/strings/string_split.h" |
| 7 #include "extensions/common/csp_validator.h" | 8 #include "extensions/common/csp_validator.h" |
| 8 #include "extensions/common/error_utils.h" | 9 #include "extensions/common/error_utils.h" |
| 9 #include "extensions/common/install_warning.h" | 10 #include "extensions/common/install_warning.h" |
| 10 #include "extensions/common/manifest_constants.h" | 11 #include "extensions/common/manifest_constants.h" |
| 11 #include "testing/gtest/include/gtest/gtest.h" | 12 #include "testing/gtest/include/gtest/gtest.h" |
| 12 | 13 |
| 13 using extensions::csp_validator::ContentSecurityPolicyIsLegal; | 14 using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
| 15 using extensions::csp_validator::GetEffectiveSandoxedPageCSP; |
| 14 using extensions::csp_validator::SanitizeContentSecurityPolicy; | 16 using extensions::csp_validator::SanitizeContentSecurityPolicy; |
| 15 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; | 17 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
| 16 using extensions::csp_validator::OPTIONS_NONE; | 18 using extensions::csp_validator::OPTIONS_NONE; |
| 17 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; | 19 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; |
| 18 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; | 20 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; |
| 19 using extensions::ErrorUtils; | 21 using extensions::ErrorUtils; |
| 20 using extensions::InstallWarning; | 22 using extensions::InstallWarning; |
| 21 using extensions::Manifest; | 23 using extensions::Manifest; |
| 22 | 24 |
| 23 namespace { | 25 namespace { |
| 24 | 26 |
| 25 std::string InsecureValueWarning(const std::string& directive, | 27 std::string InsecureValueWarning(const std::string& directive, |
| 26 const std::string& value) { | 28 const std::string& value) { |
| 27 return ErrorUtils::FormatErrorMessage( | 29 return ErrorUtils::FormatErrorMessage( |
| 28 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); | 30 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); |
| 29 } | 31 } |
| 30 | 32 |
| 31 std::string MissingSecureSrcWarning(const std::string& directive) { | 33 std::string MissingSecureSrcWarning(const std::string& directive) { |
| 32 return ErrorUtils::FormatErrorMessage( | 34 return ErrorUtils::FormatErrorMessage( |
| 33 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); | 35 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); |
| 34 } | 36 } |
| 35 | 37 |
| 36 testing::AssertionResult CheckSanitizeCSP( | 38 bool CSPEquals(const std::string& csp1, const std::string& csp2) { |
| 37 const std::string& policy, | 39 std::vector<std::string> csp1_parts = base::SplitString( |
| 38 int options, | 40 csp1, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| 41 std::sort(csp1_parts.begin(), csp1_parts.end()); |
| 42 std::vector<std::string> csp2_parts = base::SplitString( |
| 43 csp2, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| 44 std::sort(csp2_parts.begin(), csp2_parts.end()); |
| 45 return csp1_parts == csp2_parts; |
| 46 } |
| 47 |
| 48 struct SanitizedCSPResult { |
| 49 std::string csp; |
| 50 std::vector<InstallWarning> warnings; |
| 51 }; |
| 52 |
| 53 SanitizedCSPResult SanitizeCSP(const std::string& policy, int options) { |
| 54 SanitizedCSPResult result; |
| 55 result.csp = SanitizeContentSecurityPolicy(policy, options, &result.warnings); |
| 56 return result; |
| 57 } |
| 58 |
| 59 SanitizedCSPResult SanitizeSandboxPageCSP(const std::string& policy) { |
| 60 SanitizedCSPResult result; |
| 61 result.csp = GetEffectiveSandoxedPageCSP(policy, &result.warnings); |
| 62 return result; |
| 63 } |
| 64 |
| 65 testing::AssertionResult CheckCSP( |
| 66 const SanitizedCSPResult& actual, |
| 39 const std::string& expected_csp, | 67 const std::string& expected_csp, |
| 40 const std::vector<std::string>& expected_warnings) { | 68 const std::vector<std::string>& expected_warnings) { |
| 41 std::vector<InstallWarning> actual_warnings; | 69 if (!CSPEquals(expected_csp, actual.csp)) { |
| 42 std::string actual_csp = SanitizeContentSecurityPolicy(policy, | |
| 43 options, | |
| 44 &actual_warnings); | |
| 45 if (actual_csp != expected_csp) | |
| 46 return testing::AssertionFailure() | 70 return testing::AssertionFailure() |
| 47 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" | 71 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" |
| 48 << "Expected CSP: " << expected_csp << "\n" | 72 << "Expected CSP: " << expected_csp << "\n" |
| 49 << " Actual CSP: " << actual_csp; | 73 << " Actual CSP: " << actual.csp; |
| 74 } |
| 50 | 75 |
| 51 if (expected_warnings.size() != actual_warnings.size()) { | 76 if (expected_warnings.size() != actual.warnings.size()) { |
| 52 testing::Message msg; | 77 testing::Message msg; |
| 53 msg << "Expected " << expected_warnings.size() | 78 msg << "Expected " << expected_warnings.size() << " warnings, but got " |
| 54 << " warnings, but got " << actual_warnings.size(); | 79 << actual.warnings.size(); |
| 55 for (size_t i = 0; i < actual_warnings.size(); ++i) | 80 for (size_t i = 0; i < actual.warnings.size(); ++i) |
| 56 msg << "\nWarning " << i << " " << actual_warnings[i].message; | 81 msg << "\nWarning " << i << " " << actual.warnings[i].message; |
| 57 return testing::AssertionFailure() << msg; | 82 return testing::AssertionFailure() << msg; |
| 58 } | 83 } |
| 59 | 84 |
| 60 for (size_t i = 0; i < expected_warnings.size(); ++i) { | 85 for (size_t i = 0; i < expected_warnings.size(); ++i) { |
| 61 if (expected_warnings[i] != actual_warnings[i].message) | 86 if (expected_warnings[i] != actual.warnings[i].message) |
| 62 return testing::AssertionFailure() | 87 return testing::AssertionFailure() |
| 63 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" | 88 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" |
| 64 << "Expected warning[" << i << "]: " << expected_warnings[i] | 89 << "Expected warning[" << i << "]: " << expected_warnings[i] |
| 65 << " Actual warning[" << i << "]: " << actual_warnings[i].message; | 90 << " Actual warning[" << i << "]: " << actual.warnings[i].message; |
| 66 } | 91 } |
| 67 return testing::AssertionSuccess(); | 92 return testing::AssertionSuccess(); |
| 68 } | 93 } |
| 69 | 94 |
| 70 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 95 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual) { |
| 71 int options) { | 96 return CheckCSP(actual, actual.csp, std::vector<std::string>()); |
| 72 return CheckSanitizeCSP(policy, options, policy, std::vector<std::string>()); | |
| 73 } | 97 } |
| 74 | 98 |
| 75 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 99 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
| 76 int options, | 100 const std::string& expected_csp) { |
| 77 const std::string& expected_csp) { | |
| 78 std::vector<std::string> expected_warnings; | 101 std::vector<std::string> expected_warnings; |
| 79 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 102 return CheckCSP(actual, expected_csp, expected_warnings); |
| 80 } | 103 } |
| 81 | 104 |
| 82 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 105 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
| 83 int options, | 106 const std::string& expected_csp, |
| 84 const std::string& expected_csp, | 107 const std::string& warning1) { |
| 85 const std::string& warning1) { | |
| 86 std::vector<std::string> expected_warnings(1, warning1); | 108 std::vector<std::string> expected_warnings(1, warning1); |
| 87 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 109 return CheckCSP(actual, expected_csp, expected_warnings); |
| 88 } | 110 } |
| 89 | 111 |
| 90 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 112 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
| 91 int options, | 113 const std::string& expected_csp, |
| 92 const std::string& expected_csp, | 114 const std::string& warning1, |
| 93 const std::string& warning1, | 115 const std::string& warning2) { |
| 94 const std::string& warning2) { | |
| 95 std::vector<std::string> expected_warnings(1, warning1); | 116 std::vector<std::string> expected_warnings(1, warning1); |
| 96 expected_warnings.push_back(warning2); | 117 expected_warnings.push_back(warning2); |
| 97 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 118 return CheckCSP(actual, expected_csp, expected_warnings); |
| 98 } | 119 } |
| 99 | 120 |
| 100 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 121 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
| 101 int options, | 122 const std::string& expected_csp, |
| 102 const std::string& expected_csp, | 123 const std::string& warning1, |
| 103 const std::string& warning1, | 124 const std::string& warning2, |
| 104 const std::string& warning2, | 125 const std::string& warning3) { |
| 105 const std::string& warning3) { | |
| 106 std::vector<std::string> expected_warnings(1, warning1); | 126 std::vector<std::string> expected_warnings(1, warning1); |
| 107 expected_warnings.push_back(warning2); | 127 expected_warnings.push_back(warning2); |
| 108 expected_warnings.push_back(warning3); | 128 expected_warnings.push_back(warning3); |
| 109 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 129 return CheckCSP(actual, expected_csp, expected_warnings); |
| 110 } | 130 } |
| 111 | 131 |
| 112 }; // namespace | 132 }; // namespace |
| 113 | 133 |
| 114 TEST(ExtensionCSPValidator, IsLegal) { | 134 TEST(ExtensionCSPValidator, IsLegal) { |
| 115 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); | 135 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); |
| 116 EXPECT_TRUE(ContentSecurityPolicyIsLegal( | 136 EXPECT_TRUE(ContentSecurityPolicyIsLegal( |
| 117 "default-src 'self'; script-src http://www.google.com")); | 137 "default-src 'self'; script-src http://www.google.com")); |
| 118 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 138 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 119 "default-src 'self';\nscript-src http://www.google.com")); | 139 "default-src 'self';\nscript-src http://www.google.com")); |
| 120 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 140 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 121 "default-src 'self';\rscript-src http://www.google.com")); | 141 "default-src 'self';\rscript-src http://www.google.com")); |
| 122 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 142 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 123 "default-src 'self';,script-src http://www.google.com")); | 143 "default-src 'self';,script-src http://www.google.com")); |
| 124 } | 144 } |
| 125 | 145 |
| 126 TEST(ExtensionCSPValidator, IsSecure) { | 146 TEST(ExtensionCSPValidator, IsSecure) { |
| 127 EXPECT_TRUE(CheckSanitizeCSP(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL, | 147 EXPECT_TRUE(CheckCSP(SanitizeCSP(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL), |
| 128 "script-src 'self'; object-src 'self';", | 148 "script-src 'self'; object-src 'self';", |
| 129 MissingSecureSrcWarning("script-src"), | 149 MissingSecureSrcWarning("script-src"), |
| 130 MissingSecureSrcWarning("object-src"))); | 150 MissingSecureSrcWarning("object-src"))); |
| 131 EXPECT_TRUE(CheckSanitizeCSP( | 151 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 132 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 152 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 133 "img-src https://google.com; script-src 'self'; object-src 'self';", | 153 "img-src https://google.com; script-src 'self'; object-src 'self';", |
| 134 MissingSecureSrcWarning("script-src"), | 154 MissingSecureSrcWarning("script-src"), |
| 135 MissingSecureSrcWarning("object-src"))); | 155 MissingSecureSrcWarning("object-src"))); |
| 136 EXPECT_TRUE(CheckSanitizeCSP( | 156 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 137 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL, | 157 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 138 "script-src; object-src 'self';", | 158 "script-src; object-src 'self';", |
| 139 InsecureValueWarning("script-src", "a"), | 159 InsecureValueWarning("script-src", "a"), |
| 140 InsecureValueWarning("script-src", "b"), | 160 InsecureValueWarning("script-src", "b"), |
| 141 MissingSecureSrcWarning("object-src"))); | 161 MissingSecureSrcWarning("object-src"))); |
| 142 | 162 |
| 143 EXPECT_TRUE(CheckSanitizeCSP( | 163 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 144 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, | 164 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 145 "default-src;", | 165 "default-src;", |
| 146 InsecureValueWarning("default-src", "*"))); | 166 InsecureValueWarning("default-src", "*"))); |
| 147 EXPECT_TRUE(CheckSanitizeCSP( | 167 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 148 "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 168 "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 149 EXPECT_TRUE(CheckSanitizeCSP( | 169 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 150 "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 170 "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 151 EXPECT_TRUE(CheckSanitizeCSP( | 171 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 152 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 172 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 153 "default-src 'self';", | 173 "default-src 'self';", |
| 154 InsecureValueWarning("default-src", "ftp://google.com"))); | 174 InsecureValueWarning("default-src", "ftp://google.com"))); |
| 155 EXPECT_TRUE(CheckSanitizeCSP( | 175 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 156 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 176 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 157 | 177 |
| 158 EXPECT_TRUE(CheckSanitizeCSP( | 178 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 159 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, | 179 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 160 "default-src; default-src 'self';", | 180 "default-src; default-src 'self';", |
| 161 InsecureValueWarning("default-src", "*"))); | 181 InsecureValueWarning("default-src", "*"))); |
| 162 EXPECT_TRUE(CheckSanitizeCSP( | 182 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 163 "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL, | 183 "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 164 "default-src 'self'; default-src;")); | 184 "default-src 'self'; default-src;")); |
| 165 EXPECT_TRUE(CheckSanitizeCSP( | 185 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 166 "default-src 'self'; default-src *; script-src *; script-src 'self'", | 186 "default-src 'self'; default-src *; script-src *; script-src 'self'", |
| 167 OPTIONS_ALLOW_UNSAFE_EVAL, | 187 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 168 "default-src 'self'; default-src; script-src; script-src 'self';", | 188 "default-src 'self'; default-src; script-src; script-src 'self';", |
| 169 InsecureValueWarning("script-src", "*"))); | 189 InsecureValueWarning("script-src", "*"))); |
| 170 EXPECT_TRUE(CheckSanitizeCSP( | 190 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 171 "default-src 'self'; default-src *; script-src 'self'; script-src *;", | 191 "default-src 'self'; default-src *; script-src 'self'; script-src *;", |
| 172 OPTIONS_ALLOW_UNSAFE_EVAL, | 192 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 173 "default-src 'self'; default-src; script-src 'self'; script-src;")); | 193 "default-src 'self'; default-src; script-src 'self'; script-src;")); |
| 174 EXPECT_TRUE(CheckSanitizeCSP( | 194 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 175 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, | 195 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 176 "default-src; script-src 'self';", | 196 "default-src; script-src 'self';", |
| 177 InsecureValueWarning("default-src", "*"))); | 197 InsecureValueWarning("default-src", "*"))); |
| 178 EXPECT_TRUE(CheckSanitizeCSP( | 198 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 179 "default-src *; script-src 'self'; img-src 'self'", | 199 "default-src *; script-src 'self'; img-src 'self'", |
| 180 OPTIONS_ALLOW_UNSAFE_EVAL, | 200 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 181 "default-src; script-src 'self'; img-src 'self';", | 201 "default-src; script-src 'self'; img-src 'self';", |
| 182 InsecureValueWarning("default-src", "*"))); | 202 InsecureValueWarning("default-src", "*"))); |
| 183 EXPECT_TRUE(CheckSanitizeCSP( | 203 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 184 "default-src *; script-src 'self'; object-src 'self';", | 204 "default-src *; script-src 'self'; object-src 'self';", |
| 185 OPTIONS_ALLOW_UNSAFE_EVAL, | 205 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 186 "default-src; script-src 'self'; object-src 'self';")); | 206 "default-src; script-src 'self'; object-src 'self';")); |
| 187 EXPECT_TRUE(CheckSanitizeCSP( | 207 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 188 "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 208 "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 189 EXPECT_TRUE(CheckSanitizeCSP( | 209 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 190 "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 210 "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 191 | 211 |
| 192 EXPECT_TRUE(CheckSanitizeCSP( | 212 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 193 "default-src 'unsafe-eval'", OPTIONS_NONE, | 213 "default-src 'unsafe-eval'", OPTIONS_NONE), |
| 194 "default-src;", | 214 "default-src;", |
| 195 InsecureValueWarning("default-src", "'unsafe-eval'"))); | 215 InsecureValueWarning("default-src", "'unsafe-eval'"))); |
| 196 EXPECT_TRUE(CheckSanitizeCSP( | 216 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 197 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL, | 217 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 198 "default-src;", | 218 "default-src;", |
| 199 InsecureValueWarning("default-src", "'unsafe-inline'"))); | 219 InsecureValueWarning("default-src", "'unsafe-inline'"))); |
| 200 EXPECT_TRUE(CheckSanitizeCSP( | 220 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 201 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, | 221 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 202 "default-src 'none';", | 222 "default-src 'none';", |
| 203 InsecureValueWarning("default-src", "'unsafe-inline'"))); | 223 InsecureValueWarning("default-src", "'unsafe-inline'"))); |
| 204 EXPECT_TRUE(CheckSanitizeCSP( | 224 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 205 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 225 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 206 "default-src 'self';", | 226 "default-src 'self';", |
| 207 InsecureValueWarning("default-src", "http://google.com"))); | 227 InsecureValueWarning("default-src", "http://google.com"))); |
| 208 EXPECT_TRUE(CheckSanitizeCSP( | 228 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 209 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 229 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 210 EXPECT_TRUE(CheckSanitizeCSP( | 230 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 211 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 231 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 212 EXPECT_TRUE(CheckSanitizeCSP( | 232 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 213 "default-src 'self' chrome-extension://aabbcc;", | 233 "default-src 'self' chrome-extension://aabbcc;", |
| 214 OPTIONS_ALLOW_UNSAFE_EVAL)); | 234 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 215 EXPECT_TRUE(CheckSanitizeCSP( | 235 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 216 "default-src 'self' chrome-extension-resource://aabbcc;", | 236 "default-src 'self' chrome-extension-resource://aabbcc;", |
| 217 OPTIONS_ALLOW_UNSAFE_EVAL)); | 237 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 218 EXPECT_TRUE(CheckSanitizeCSP( | 238 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 219 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL, | 239 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 220 "default-src 'self';", | 240 "default-src 'self';", |
| 221 InsecureValueWarning("default-src", "https:"))); | 241 InsecureValueWarning("default-src", "https:"))); |
| 222 EXPECT_TRUE(CheckSanitizeCSP( | 242 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 223 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL, | 243 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 224 "default-src 'self';", | 244 "default-src 'self';", |
| 225 InsecureValueWarning("default-src", "http:"))); | 245 InsecureValueWarning("default-src", "http:"))); |
| 226 EXPECT_TRUE(CheckSanitizeCSP( | 246 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 227 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 247 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 228 "default-src 'self';", | 248 "default-src 'self';", |
| 229 InsecureValueWarning("default-src", "google.com"))); | 249 InsecureValueWarning("default-src", "google.com"))); |
| 230 | 250 |
| 231 EXPECT_TRUE(CheckSanitizeCSP( | 251 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 232 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL, | 252 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 233 "default-src 'self';", | 253 "default-src 'self';", |
| 234 InsecureValueWarning("default-src", "*"))); | 254 InsecureValueWarning("default-src", "*"))); |
| 235 EXPECT_TRUE(CheckSanitizeCSP( | 255 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 236 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL, | 256 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 237 "default-src 'self';", | 257 "default-src 'self';", |
| 238 InsecureValueWarning("default-src", "*:*"))); | 258 InsecureValueWarning("default-src", "*:*"))); |
| 239 EXPECT_TRUE(CheckSanitizeCSP( | 259 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 240 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 260 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 241 "default-src 'self';", | 261 "default-src 'self';", |
| 242 InsecureValueWarning("default-src", "*:*/"))); | 262 InsecureValueWarning("default-src", "*:*/"))); |
| 243 EXPECT_TRUE(CheckSanitizeCSP( | 263 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 244 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, | 264 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 245 "default-src 'self';", | 265 "default-src 'self';", |
| 246 InsecureValueWarning("default-src", "*:*/path"))); | 266 InsecureValueWarning("default-src", "*:*/path"))); |
| 247 EXPECT_TRUE(CheckSanitizeCSP( | 267 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 248 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL, | 268 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 249 "default-src 'self';", | 269 "default-src 'self';", |
| 250 InsecureValueWarning("default-src", "https://"))); | 270 InsecureValueWarning("default-src", "https://"))); |
| 251 EXPECT_TRUE(CheckSanitizeCSP( | 271 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 252 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL, | 272 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 253 "default-src 'self';", | 273 "default-src 'self';", |
| 254 InsecureValueWarning("default-src", "https://*:*"))); | 274 InsecureValueWarning("default-src", "https://*:*"))); |
| 255 EXPECT_TRUE(CheckSanitizeCSP( | 275 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 256 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 276 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 257 "default-src 'self';", | 277 "default-src 'self';", |
| 258 InsecureValueWarning("default-src", "https://*:*/"))); | 278 InsecureValueWarning("default-src", "https://*:*/"))); |
| 259 EXPECT_TRUE(CheckSanitizeCSP( | 279 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 260 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, | 280 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 261 "default-src 'self';", | 281 "default-src 'self';", |
| 262 InsecureValueWarning("default-src", "https://*:*/path"))); | 282 InsecureValueWarning("default-src", "https://*:*/path"))); |
| 263 EXPECT_TRUE(CheckSanitizeCSP( | 283 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 264 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 284 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 265 "default-src 'self';", | 285 "default-src 'self';", |
| 266 InsecureValueWarning("default-src", "https://*.com"))); | 286 InsecureValueWarning("default-src", "https://*.com"))); |
| 267 EXPECT_TRUE(CheckSanitizeCSP( | 287 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 268 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, | 288 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 269 "default-src 'self';", | 289 "default-src 'self';", |
| 270 InsecureValueWarning("default-src", "https://*.*.google.com/"))); | 290 InsecureValueWarning("default-src", "https://*.*.google.com/"))); |
| 271 EXPECT_TRUE(CheckSanitizeCSP( | 291 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 272 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 292 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL)
, |
| 273 "default-src 'self';", | 293 "default-src 'self';", |
| 274 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); | 294 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); |
| 275 EXPECT_TRUE(CheckSanitizeCSP( | 295 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 276 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, | 296 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL)
, |
| 277 "default-src 'self';", | 297 "default-src 'self';", |
| 278 InsecureValueWarning("default-src", "https://www.*.google.com/"))); | 298 InsecureValueWarning("default-src", "https://www.*.google.com/"))); |
| 279 EXPECT_TRUE(CheckSanitizeCSP( | 299 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 280 "default-src 'self' https://www.*.google.com:*/", | 300 "default-src 'self' https://www.*.google.com:*/", |
| 281 OPTIONS_ALLOW_UNSAFE_EVAL, | 301 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 282 "default-src 'self';", | 302 "default-src 'self';", |
| 283 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); | 303 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); |
| 284 EXPECT_TRUE(CheckSanitizeCSP( | 304 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 285 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL, | 305 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 286 "default-src 'self';", | 306 "default-src 'self';", |
| 287 InsecureValueWarning("default-src", "chrome://*"))); | 307 InsecureValueWarning("default-src", "chrome://*"))); |
| 288 EXPECT_TRUE(CheckSanitizeCSP( | 308 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 289 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL, | 309 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 290 "default-src 'self';", | 310 "default-src 'self';", |
| 291 InsecureValueWarning("default-src", "chrome-extension://*"))); | 311 InsecureValueWarning("default-src", "chrome-extension://*"))); |
| 292 EXPECT_TRUE(CheckSanitizeCSP( | 312 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 293 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL, | 313 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL), |
| 294 "default-src 'self';", | 314 "default-src 'self';", |
| 295 InsecureValueWarning("default-src", "chrome-extension://"))); | 315 InsecureValueWarning("default-src", "chrome-extension://"))); |
| 296 | 316 |
| 297 EXPECT_TRUE(CheckSanitizeCSP( | 317 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 298 "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 318 "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 299 EXPECT_TRUE(CheckSanitizeCSP( | 319 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 300 "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 320 "default-src 'self' https://*.google.com:1;", |
| 301 EXPECT_TRUE(CheckSanitizeCSP( | 321 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 302 "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 322 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 303 EXPECT_TRUE(CheckSanitizeCSP( | 323 "default-src 'self' https://*.google.com:*;", |
| 324 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 325 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 304 "default-src 'self' https://*.google.com:1/;", | 326 "default-src 'self' https://*.google.com:1/;", |
| 305 OPTIONS_ALLOW_UNSAFE_EVAL)); | 327 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 306 EXPECT_TRUE(CheckSanitizeCSP( | 328 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 307 "default-src 'self' https://*.google.com:*/;", | 329 "default-src 'self' https://*.google.com:*/;", |
| 308 OPTIONS_ALLOW_UNSAFE_EVAL)); | 330 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 309 | 331 |
| 310 EXPECT_TRUE(CheckSanitizeCSP( | 332 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 311 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 333 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 312 EXPECT_TRUE(CheckSanitizeCSP( | 334 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 313 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 335 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 314 EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;", | 336 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://lOcAlHoSt;", |
| 315 OPTIONS_ALLOW_UNSAFE_EVAL, | 337 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 316 "default-src 'self' http://lOcAlHoSt;")); | 338 "default-src 'self' http://lOcAlHoSt;")); |
| 317 EXPECT_TRUE(CheckSanitizeCSP( | 339 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 318 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 340 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 319 EXPECT_TRUE(CheckSanitizeCSP( | 341 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 320 "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 342 "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 321 EXPECT_TRUE(CheckSanitizeCSP( | 343 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 322 "default-src 'self' http://127.0.0.1.example.com", | 344 "default-src 'self' http://127.0.0.1.example.com", |
| 323 OPTIONS_ALLOW_UNSAFE_EVAL, | 345 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 324 "default-src 'self';", | 346 "default-src 'self';", |
| 325 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); | 347 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); |
| 326 EXPECT_TRUE(CheckSanitizeCSP( | 348 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 327 "default-src 'self' http://localhost.example.com", | 349 "default-src 'self' http://localhost.example.com", |
| 328 OPTIONS_ALLOW_UNSAFE_EVAL, | 350 OPTIONS_ALLOW_UNSAFE_EVAL), |
| 329 "default-src 'self';", | 351 "default-src 'self';", |
| 330 InsecureValueWarning("default-src", "http://localhost.example.com"))); | 352 InsecureValueWarning("default-src", "http://localhost.example.com"))); |
| 331 | 353 |
| 332 EXPECT_TRUE(CheckSanitizeCSP( | 354 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 333 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 355 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 334 EXPECT_TRUE(CheckSanitizeCSP( | 356 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 335 "default-src 'self' blob:http://example.com/XXX", | 357 "default-src 'self' blob:http://example.com/XXX", |
| 336 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", | 358 OPTIONS_ALLOW_UNSAFE_EVAL), "default-src 'self';", |
| 337 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); | 359 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); |
| 338 EXPECT_TRUE(CheckSanitizeCSP( | 360 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 339 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 361 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 340 EXPECT_TRUE(CheckSanitizeCSP( | 362 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 341 "default-src 'self' filesystem:http://example.com/XX", | 363 "default-src 'self' filesystem:http://example.com/XX", |
| 342 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", | 364 OPTIONS_ALLOW_UNSAFE_EVAL), "default-src 'self';", |
| 343 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); | 365 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); |
| 344 | 366 |
| 345 EXPECT_TRUE(CheckSanitizeCSP( | 367 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 346 "default-src 'self' https://*.googleapis.com;", | 368 "default-src 'self' https://*.googleapis.com;", |
| 347 OPTIONS_ALLOW_UNSAFE_EVAL)); | 369 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 348 EXPECT_TRUE(CheckSanitizeCSP( | 370 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 349 "default-src 'self' https://x.googleapis.com;", | 371 "default-src 'self' https://x.googleapis.com;", |
| 350 OPTIONS_ALLOW_UNSAFE_EVAL)); | 372 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 351 | 373 |
| 352 EXPECT_TRUE(CheckSanitizeCSP( | 374 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 353 "script-src 'self'; object-src *", OPTIONS_NONE, | 375 "script-src 'self'; object-src *", OPTIONS_NONE), |
| 354 "script-src 'self'; object-src;", | 376 "script-src 'self'; object-src;", |
| 355 InsecureValueWarning("object-src", "*"))); | 377 InsecureValueWarning("object-src", "*"))); |
| 356 EXPECT_TRUE(CheckSanitizeCSP( | 378 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 357 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 379 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
| 358 "script-src 'self'; object-src;", | 380 "script-src 'self'; object-src;", |
| 359 InsecureValueWarning("object-src", "*"))); | 381 InsecureValueWarning("object-src", "*"))); |
| 360 EXPECT_TRUE(CheckSanitizeCSP( | 382 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 361 "script-src 'self'; object-src *; plugin-types application/pdf;", | 383 "script-src 'self'; object-src *; plugin-types application/pdf;", |
| 362 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 384 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
| 363 EXPECT_TRUE(CheckSanitizeCSP( | 385 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 364 "script-src 'self'; object-src *; " | 386 "script-src 'self'; object-src *; " |
| 365 "plugin-types application/x-shockwave-flash", | 387 "plugin-types application/x-shockwave-flash", |
| 366 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 388 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
| 367 "script-src 'self'; object-src; " | 389 "script-src 'self'; object-src; " |
| 368 "plugin-types application/x-shockwave-flash;", | 390 "plugin-types application/x-shockwave-flash;", |
| 369 InsecureValueWarning("object-src", "*"))); | 391 InsecureValueWarning("object-src", "*"))); |
| 370 EXPECT_TRUE(CheckSanitizeCSP( | 392 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 371 "script-src 'self'; object-src *; " | 393 "script-src 'self'; object-src *; " |
| 372 "plugin-types application/x-shockwave-flash application/pdf;", | 394 "plugin-types application/x-shockwave-flash application/pdf;", |
| 373 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 395 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
| 374 "script-src 'self'; object-src; " | 396 "script-src 'self'; object-src; " |
| 375 "plugin-types application/x-shockwave-flash application/pdf;", | 397 "plugin-types application/x-shockwave-flash application/pdf;", |
| 376 InsecureValueWarning("object-src", "*"))); | 398 InsecureValueWarning("object-src", "*"))); |
| 377 EXPECT_TRUE(CheckSanitizeCSP( | 399 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 378 "script-src 'self'; object-src http://www.example.com; " | 400 "script-src 'self'; object-src http://www.example.com; " |
| 379 "plugin-types application/pdf;", | 401 "plugin-types application/pdf;", |
| 380 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 402 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
| 381 EXPECT_TRUE(CheckSanitizeCSP( | 403 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 382 "object-src http://www.example.com blob:; script-src 'self'; " | 404 "object-src http://www.example.com blob:; script-src 'self'; " |
| 383 "plugin-types application/pdf;", | 405 "plugin-types application/pdf;", |
| 384 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 406 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
| 385 EXPECT_TRUE(CheckSanitizeCSP( | 407 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 386 "script-src 'self'; object-src http://*.example.com; " | 408 "script-src 'self'; object-src http://*.example.com; " |
| 387 "plugin-types application/pdf;", | 409 "plugin-types application/pdf;", |
| 388 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 410 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
| 389 EXPECT_TRUE(CheckSanitizeCSP( | 411 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 390 "script-src *; object-src *; plugin-types application/pdf;", | 412 "script-src *; object-src *; plugin-types application/pdf;", |
| 391 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 413 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
| 392 "script-src; object-src *; plugin-types application/pdf;", | 414 "script-src; object-src *; plugin-types application/pdf;", |
| 393 InsecureValueWarning("script-src", "*"))); | 415 InsecureValueWarning("script-src", "*"))); |
| 394 | 416 |
| 395 EXPECT_TRUE(CheckSanitizeCSP( | 417 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 396 "default-src; script-src" | 418 "default-src; script-src" |
| 397 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" | 419 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" |
| 398 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" | 420 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" |
| 399 "t'" | 421 "t'" |
| 400 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" | 422 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" |
| 401 "vCSapSz5CVoUGHQcxv43UQg==';", | 423 "vCSapSz5CVoUGHQcxv43UQg==';", |
| 402 OPTIONS_NONE)); | 424 OPTIONS_NONE))); |
| 403 | 425 |
| 404 // Reject non-standard algorithms, even if they are still supported by Blink. | 426 // Reject non-standard algorithms, even if they are still supported by Blink. |
| 405 EXPECT_TRUE(CheckSanitizeCSP( | 427 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 406 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", | 428 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", |
| 407 OPTIONS_NONE, "default-src; script-src;", | 429 OPTIONS_NONE), "default-src; script-src;", |
| 408 InsecureValueWarning("script-src", | 430 InsecureValueWarning("script-src", |
| 409 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); | 431 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); |
| 410 | 432 |
| 411 EXPECT_TRUE(CheckSanitizeCSP( | 433 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
| 412 "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" | 434 "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" |
| 413 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", | 435 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", |
| 414 OPTIONS_NONE, "default-src; script-src;", | 436 OPTIONS_NONE), "default-src; script-src;", |
| 415 InsecureValueWarning( | 437 InsecureValueWarning( |
| 416 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), | 438 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), |
| 417 InsecureValueWarning( | 439 InsecureValueWarning( |
| 418 "script-src", | 440 "script-src", |
| 419 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); | 441 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); |
| 420 } | 442 } |
| 421 | 443 |
| 422 TEST(ExtensionCSPValidator, IsSandboxed) { | 444 TEST(ExtensionCSPValidator, IsSandboxed) { |
| 423 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), | 445 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), |
| 424 Manifest::TYPE_EXTENSION)); | 446 Manifest::TYPE_EXTENSION)); |
| 445 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); | 467 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); |
| 446 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( | 468 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( |
| 447 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); | 469 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); |
| 448 | 470 |
| 449 // Popups are OK. | 471 // Popups are OK. |
| 450 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 472 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 451 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); | 473 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); |
| 452 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 474 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 453 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); | 475 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
| 454 } | 476 } |
| 477 |
| 478 TEST(ExtensionCSPValidator, EffectiveSandboxedPageCSP) { |
| 479 EXPECT_TRUE(CheckCSP( |
| 480 SanitizeSandboxPageCSP(""), |
| 481 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")); |
| 482 EXPECT_TRUE(CheckCSP( |
| 483 SanitizeSandboxPageCSP("child-src http://www.google.com"), |
| 484 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';", |
| 485 InsecureValueWarning("child-src", "http://www.google.com"))); |
| 486 EXPECT_TRUE(CheckCSP( |
| 487 SanitizeSandboxPageCSP("child-src *"), |
| 488 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';", |
| 489 InsecureValueWarning("child-src", "*"))); |
| 490 EXPECT_TRUE(CheckCSP( |
| 491 SanitizeSandboxPageCSP("child-src 'none'"), |
| 492 "child-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")); |
| 493 |
| 494 // Directive values of 'none' and 'self' are preserved. |
| 495 EXPECT_TRUE( |
| 496 CheckCSP(SanitizeSandboxPageCSP("script-src 'none'; frame-src 'self';"), |
| 497 "frame-src 'self'; script-src 'none';")); |
| 498 EXPECT_TRUE(CheckCSP( |
| 499 SanitizeSandboxPageCSP( |
| 500 "script-src 'none'; frame-src 'self' http://www.google.com;"), |
| 501 "frame-src 'self'; script-src 'none';", |
| 502 InsecureValueWarning("frame-src", "http://www.google.com"))); |
| 503 |
| 504 // script-src will add 'unsafe-inline' and 'unsafe-eval' only if script-src is |
| 505 // not specified. |
| 506 EXPECT_TRUE(CheckCSP(SanitizeSandboxPageCSP("script-src 'self'"), |
| 507 "script-src 'self'; child-src 'self'")); |
| 508 EXPECT_TRUE( |
| 509 CheckCSP(SanitizeSandboxPageCSP( |
| 510 "script-src 'self' 'unsafe-inline'; child-src 'self';"), |
| 511 "child-src 'self'; script-src 'self' 'unsafe-inline';")); |
| 512 EXPECT_TRUE( |
| 513 CheckCSP(SanitizeSandboxPageCSP( |
| 514 "script-src 'self' 'unsafe-eval'; child-src 'self';"), |
| 515 "child-src 'self'; script-src 'self' 'unsafe-eval';")); |
| 516 |
| 517 // child-src and frame-src are handled correctly. |
| 518 EXPECT_TRUE(CheckCSP( |
| 519 SanitizeSandboxPageCSP( |
| 520 "script-src 'none'; frame-src 'self' http://www.google.com;"), |
| 521 "frame-src 'self'; script-src 'none';", |
| 522 InsecureValueWarning("frame-src", "http://www.google.com"))); |
| 523 EXPECT_TRUE(CheckCSP( |
| 524 SanitizeSandboxPageCSP( |
| 525 "script-src 'none'; child-src 'self' http://www.google.com;"), |
| 526 "child-src 'self'; script-src 'none';", |
| 527 InsecureValueWarning("child-src", "http://www.google.com"))); |
| 528 |
| 529 // Multiple insecure values. |
| 530 EXPECT_TRUE(CheckCSP( |
| 531 SanitizeSandboxPageCSP( |
| 532 "script-src 'none'; child-src http://bar.com 'self' http://foo.com;"), |
| 533 "child-src 'self'; script-src 'none';", |
| 534 InsecureValueWarning("child-src", "http://bar.com"), |
| 535 InsecureValueWarning("child-src", "http://foo.com"))); |
| 536 } |