1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <stddef.h> | 5 #include <stddef.h> |
6 | 6 |
| 7 #include "base/strings/string_split.h" |
7 #include "extensions/common/csp_validator.h" | 8 #include "extensions/common/csp_validator.h" |
8 #include "extensions/common/error_utils.h" | 9 #include "extensions/common/error_utils.h" |
9 #include "extensions/common/install_warning.h" | 10 #include "extensions/common/install_warning.h" |
10 #include "extensions/common/manifest_constants.h" | 11 #include "extensions/common/manifest_constants.h" |
11 #include "testing/gtest/include/gtest/gtest.h" | 12 #include "testing/gtest/include/gtest/gtest.h" |
12 | 13 |
13 using extensions::csp_validator::ContentSecurityPolicyIsLegal; | 14 using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
| 15 using extensions::csp_validator::GetEffectiveSandoxedPageCSP; |
14 using extensions::csp_validator::SanitizeContentSecurityPolicy; | 16 using extensions::csp_validator::SanitizeContentSecurityPolicy; |
15 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; | 17 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
16 using extensions::csp_validator::OPTIONS_NONE; | 18 using extensions::csp_validator::OPTIONS_NONE; |
17 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; | 19 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; |
18 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; | 20 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; |
19 using extensions::ErrorUtils; | 21 using extensions::ErrorUtils; |
20 using extensions::InstallWarning; | 22 using extensions::InstallWarning; |
21 using extensions::Manifest; | 23 using extensions::Manifest; |
22 | 24 |
23 namespace { | 25 namespace { |
24 | 26 |
25 std::string InsecureValueWarning(const std::string& directive, | 27 std::string InsecureValueWarning(const std::string& directive, |
26 const std::string& value) { | 28 const std::string& value) { |
27 return ErrorUtils::FormatErrorMessage( | 29 return ErrorUtils::FormatErrorMessage( |
28 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); | 30 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); |
29 } | 31 } |
30 | 32 |
31 std::string MissingSecureSrcWarning(const std::string& directive) { | 33 std::string MissingSecureSrcWarning(const std::string& directive) { |
32 return ErrorUtils::FormatErrorMessage( | 34 return ErrorUtils::FormatErrorMessage( |
33 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); | 35 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); |
34 } | 36 } |
35 | 37 |
36 testing::AssertionResult CheckSanitizeCSP( | 38 bool CSPEquals(const std::string& csp1, const std::string& csp2) { |
37 const std::string& policy, | 39 std::vector<std::string> csp1_parts = base::SplitString( |
38 int options, | 40 csp1, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| 41 std::sort(csp1_parts.begin(), csp1_parts.end()); |
| 42 std::vector<std::string> csp2_parts = base::SplitString( |
| 43 csp2, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| 44 std::sort(csp2_parts.begin(), csp2_parts.end()); |
| 45 return csp1_parts == csp2_parts; |
| 46 } |
| 47 |
| 48 struct SanitizedCSPResult { |
| 49 std::string csp; |
| 50 std::vector<InstallWarning> warnings; |
| 51 }; |
| 52 |
| 53 SanitizedCSPResult SanitizeCSP(const std::string& policy, int options) { |
| 54 SanitizedCSPResult result; |
| 55 result.csp = SanitizeContentSecurityPolicy(policy, options, &result.warnings); |
| 56 return result; |
| 57 } |
| 58 |
| 59 SanitizedCSPResult SanitizeSandboxPageCSP(const std::string& policy) { |
| 60 SanitizedCSPResult result; |
| 61 result.csp = GetEffectiveSandoxedPageCSP(policy, &result.warnings); |
| 62 return result; |
| 63 } |
| 64 |
| 65 testing::AssertionResult CheckCSP( |
| 66 const SanitizedCSPResult& actual, |
39 const std::string& expected_csp, | 67 const std::string& expected_csp, |
40 const std::vector<std::string>& expected_warnings) { | 68 const std::vector<std::string>& expected_warnings) { |
41 std::vector<InstallWarning> actual_warnings; | 69 if (!CSPEquals(expected_csp, actual.csp)) { |
42 std::string actual_csp = SanitizeContentSecurityPolicy(policy, | |
43 options, | |
44 &actual_warnings); | |
45 if (actual_csp != expected_csp) | |
46 return testing::AssertionFailure() | 70 return testing::AssertionFailure() |
47 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" | 71 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" |
48 << "Expected CSP: " << expected_csp << "\n" | 72 << "Expected CSP: " << expected_csp << "\n" |
49 << " Actual CSP: " << actual_csp; | 73 << " Actual CSP: " << actual.csp; |
| 74 } |
50 | 75 |
51 if (expected_warnings.size() != actual_warnings.size()) { | 76 if (expected_warnings.size() != actual.warnings.size()) { |
52 testing::Message msg; | 77 testing::Message msg; |
53 msg << "Expected " << expected_warnings.size() | 78 msg << "Expected " << expected_warnings.size() << " warnings, but got " |
54 << " warnings, but got " << actual_warnings.size(); | 79 << actual.warnings.size(); |
55 for (size_t i = 0; i < actual_warnings.size(); ++i) | 80 for (size_t i = 0; i < actual.warnings.size(); ++i) |
56 msg << "\nWarning " << i << " " << actual_warnings[i].message; | 81 msg << "\nWarning " << i << " " << actual.warnings[i].message; |
57 return testing::AssertionFailure() << msg; | 82 return testing::AssertionFailure() << msg; |
58 } | 83 } |
59 | 84 |
60 for (size_t i = 0; i < expected_warnings.size(); ++i) { | 85 for (size_t i = 0; i < expected_warnings.size(); ++i) { |
61 if (expected_warnings[i] != actual_warnings[i].message) | 86 if (expected_warnings[i] != actual.warnings[i].message) |
62 return testing::AssertionFailure() | 87 return testing::AssertionFailure() |
63 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" | 88 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" |
64 << "Expected warning[" << i << "]: " << expected_warnings[i] | 89 << "Expected warning[" << i << "]: " << expected_warnings[i] |
65 << " Actual warning[" << i << "]: " << actual_warnings[i].message; | 90 << " Actual warning[" << i << "]: " << actual.warnings[i].message; |
66 } | 91 } |
67 return testing::AssertionSuccess(); | 92 return testing::AssertionSuccess(); |
68 } | 93 } |
69 | 94 |
70 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 95 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual) { |
71 int options) { | 96 return CheckCSP(actual, actual.csp, std::vector<std::string>()); |
72 return CheckSanitizeCSP(policy, options, policy, std::vector<std::string>()); | |
73 } | 97 } |
74 | 98 |
75 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 99 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
76 int options, | 100 const std::string& expected_csp) { |
77 const std::string& expected_csp) { | |
78 std::vector<std::string> expected_warnings; | 101 std::vector<std::string> expected_warnings; |
79 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 102 return CheckCSP(actual, expected_csp, expected_warnings); |
80 } | 103 } |
81 | 104 |
82 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 105 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
83 int options, | 106 const std::string& expected_csp, |
84 const std::string& expected_csp, | 107 const std::string& warning1) { |
85 const std::string& warning1) { | |
86 std::vector<std::string> expected_warnings(1, warning1); | 108 std::vector<std::string> expected_warnings(1, warning1); |
87 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 109 return CheckCSP(actual, expected_csp, expected_warnings); |
88 } | 110 } |
89 | 111 |
90 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 112 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
91 int options, | 113 const std::string& expected_csp, |
92 const std::string& expected_csp, | 114 const std::string& warning1, |
93 const std::string& warning1, | 115 const std::string& warning2) { |
94 const std::string& warning2) { | |
95 std::vector<std::string> expected_warnings(1, warning1); | 116 std::vector<std::string> expected_warnings(1, warning1); |
96 expected_warnings.push_back(warning2); | 117 expected_warnings.push_back(warning2); |
97 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 118 return CheckCSP(actual, expected_csp, expected_warnings); |
98 } | 119 } |
99 | 120 |
100 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, | 121 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual, |
101 int options, | 122 const std::string& expected_csp, |
102 const std::string& expected_csp, | 123 const std::string& warning1, |
103 const std::string& warning1, | 124 const std::string& warning2, |
104 const std::string& warning2, | 125 const std::string& warning3) { |
105 const std::string& warning3) { | |
106 std::vector<std::string> expected_warnings(1, warning1); | 126 std::vector<std::string> expected_warnings(1, warning1); |
107 expected_warnings.push_back(warning2); | 127 expected_warnings.push_back(warning2); |
108 expected_warnings.push_back(warning3); | 128 expected_warnings.push_back(warning3); |
109 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); | 129 return CheckCSP(actual, expected_csp, expected_warnings); |
110 } | 130 } |
111 | 131 |
112 }; // namespace | 132 }; // namespace |
113 | 133 |
114 TEST(ExtensionCSPValidator, IsLegal) { | 134 TEST(ExtensionCSPValidator, IsLegal) { |
115 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); | 135 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); |
116 EXPECT_TRUE(ContentSecurityPolicyIsLegal( | 136 EXPECT_TRUE(ContentSecurityPolicyIsLegal( |
117 "default-src 'self'; script-src http://www.google.com")); | 137 "default-src 'self'; script-src http://www.google.com")); |
118 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 138 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
119 "default-src 'self';\nscript-src http://www.google.com")); | 139 "default-src 'self';\nscript-src http://www.google.com")); |
120 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 140 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
121 "default-src 'self';\rscript-src http://www.google.com")); | 141 "default-src 'self';\rscript-src http://www.google.com")); |
122 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 142 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
123 "default-src 'self';,script-src http://www.google.com")); | 143 "default-src 'self';,script-src http://www.google.com")); |
124 } | 144 } |
125 | 145 |
126 TEST(ExtensionCSPValidator, IsSecure) { | 146 TEST(ExtensionCSPValidator, IsSecure) { |
127 EXPECT_TRUE(CheckSanitizeCSP(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL, | 147 EXPECT_TRUE(CheckCSP(SanitizeCSP(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL), |
128 "script-src 'self'; object-src 'self';", | 148 "script-src 'self'; object-src 'self';", |
129 MissingSecureSrcWarning("script-src"), | 149 MissingSecureSrcWarning("script-src"), |
130 MissingSecureSrcWarning("object-src"))); | 150 MissingSecureSrcWarning("object-src"))); |
131 EXPECT_TRUE(CheckSanitizeCSP( | 151 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
132 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 152 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
133 "img-src https://google.com; script-src 'self'; object-src 'self';", | 153 "img-src https://google.com; script-src 'self'; object-src 'self';", |
134 MissingSecureSrcWarning("script-src"), | 154 MissingSecureSrcWarning("script-src"), |
135 MissingSecureSrcWarning("object-src"))); | 155 MissingSecureSrcWarning("object-src"))); |
136 EXPECT_TRUE(CheckSanitizeCSP( | 156 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
137 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL, | 157 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL), |
138 "script-src; object-src 'self';", | 158 "script-src; object-src 'self';", |
139 InsecureValueWarning("script-src", "a"), | 159 InsecureValueWarning("script-src", "a"), |
140 InsecureValueWarning("script-src", "b"), | 160 InsecureValueWarning("script-src", "b"), |
141 MissingSecureSrcWarning("object-src"))); | 161 MissingSecureSrcWarning("object-src"))); |
142 | 162 |
143 EXPECT_TRUE(CheckSanitizeCSP( | 163 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
144 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, | 164 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL), |
145 "default-src;", | 165 "default-src;", |
146 InsecureValueWarning("default-src", "*"))); | 166 InsecureValueWarning("default-src", "*"))); |
147 EXPECT_TRUE(CheckSanitizeCSP( | 167 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
148 "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 168 "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
149 EXPECT_TRUE(CheckSanitizeCSP( | 169 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
150 "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 170 "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
151 EXPECT_TRUE(CheckSanitizeCSP( | 171 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
152 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 172 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
153 "default-src 'self';", | 173 "default-src 'self';", |
154 InsecureValueWarning("default-src", "ftp://google.com"))); | 174 InsecureValueWarning("default-src", "ftp://google.com"))); |
155 EXPECT_TRUE(CheckSanitizeCSP( | 175 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
156 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 176 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
157 | 177 |
158 EXPECT_TRUE(CheckSanitizeCSP( | 178 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
159 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, | 179 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL), |
160 "default-src; default-src 'self';", | 180 "default-src; default-src 'self';", |
161 InsecureValueWarning("default-src", "*"))); | 181 InsecureValueWarning("default-src", "*"))); |
162 EXPECT_TRUE(CheckSanitizeCSP( | 182 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
163 "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL, | 183 "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL), |
164 "default-src 'self'; default-src;")); | 184 "default-src 'self'; default-src;")); |
165 EXPECT_TRUE(CheckSanitizeCSP( | 185 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
166 "default-src 'self'; default-src *; script-src *; script-src 'self'", | 186 "default-src 'self'; default-src *; script-src *; script-src 'self'", |
167 OPTIONS_ALLOW_UNSAFE_EVAL, | 187 OPTIONS_ALLOW_UNSAFE_EVAL), |
168 "default-src 'self'; default-src; script-src; script-src 'self';", | 188 "default-src 'self'; default-src; script-src; script-src 'self';", |
169 InsecureValueWarning("script-src", "*"))); | 189 InsecureValueWarning("script-src", "*"))); |
170 EXPECT_TRUE(CheckSanitizeCSP( | 190 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
171 "default-src 'self'; default-src *; script-src 'self'; script-src *;", | 191 "default-src 'self'; default-src *; script-src 'self'; script-src *;", |
172 OPTIONS_ALLOW_UNSAFE_EVAL, | 192 OPTIONS_ALLOW_UNSAFE_EVAL), |
173 "default-src 'self'; default-src; script-src 'self'; script-src;")); | 193 "default-src 'self'; default-src; script-src 'self'; script-src;")); |
174 EXPECT_TRUE(CheckSanitizeCSP( | 194 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
175 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, | 195 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL), |
176 "default-src; script-src 'self';", | 196 "default-src; script-src 'self';", |
177 InsecureValueWarning("default-src", "*"))); | 197 InsecureValueWarning("default-src", "*"))); |
178 EXPECT_TRUE(CheckSanitizeCSP( | 198 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
179 "default-src *; script-src 'self'; img-src 'self'", | 199 "default-src *; script-src 'self'; img-src 'self'", |
180 OPTIONS_ALLOW_UNSAFE_EVAL, | 200 OPTIONS_ALLOW_UNSAFE_EVAL), |
181 "default-src; script-src 'self'; img-src 'self';", | 201 "default-src; script-src 'self'; img-src 'self';", |
182 InsecureValueWarning("default-src", "*"))); | 202 InsecureValueWarning("default-src", "*"))); |
183 EXPECT_TRUE(CheckSanitizeCSP( | 203 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
184 "default-src *; script-src 'self'; object-src 'self';", | 204 "default-src *; script-src 'self'; object-src 'self';", |
185 OPTIONS_ALLOW_UNSAFE_EVAL, | 205 OPTIONS_ALLOW_UNSAFE_EVAL), |
186 "default-src; script-src 'self'; object-src 'self';")); | 206 "default-src; script-src 'self'; object-src 'self';")); |
187 EXPECT_TRUE(CheckSanitizeCSP( | 207 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
188 "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 208 "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
189 EXPECT_TRUE(CheckSanitizeCSP( | 209 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
190 "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL)); | 210 "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL))); |
191 | 211 |
192 EXPECT_TRUE(CheckSanitizeCSP( | 212 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
193 "default-src 'unsafe-eval'", OPTIONS_NONE, | 213 "default-src 'unsafe-eval'", OPTIONS_NONE), |
194 "default-src;", | 214 "default-src;", |
195 InsecureValueWarning("default-src", "'unsafe-eval'"))); | 215 InsecureValueWarning("default-src", "'unsafe-eval'"))); |
196 EXPECT_TRUE(CheckSanitizeCSP( | 216 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
197 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL, | 217 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL), |
198 "default-src;", | 218 "default-src;", |
199 InsecureValueWarning("default-src", "'unsafe-inline'"))); | 219 InsecureValueWarning("default-src", "'unsafe-inline'"))); |
200 EXPECT_TRUE(CheckSanitizeCSP( | 220 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
201 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, | 221 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL), |
202 "default-src 'none';", | 222 "default-src 'none';", |
203 InsecureValueWarning("default-src", "'unsafe-inline'"))); | 223 InsecureValueWarning("default-src", "'unsafe-inline'"))); |
204 EXPECT_TRUE(CheckSanitizeCSP( | 224 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
205 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 225 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
206 "default-src 'self';", | 226 "default-src 'self';", |
207 InsecureValueWarning("default-src", "http://google.com"))); | 227 InsecureValueWarning("default-src", "http://google.com"))); |
208 EXPECT_TRUE(CheckSanitizeCSP( | 228 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
209 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 229 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
210 EXPECT_TRUE(CheckSanitizeCSP( | 230 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
211 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 231 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
212 EXPECT_TRUE(CheckSanitizeCSP( | 232 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
213 "default-src 'self' chrome-extension://aabbcc;", | 233 "default-src 'self' chrome-extension://aabbcc;", |
214 OPTIONS_ALLOW_UNSAFE_EVAL)); | 234 OPTIONS_ALLOW_UNSAFE_EVAL))); |
215 EXPECT_TRUE(CheckSanitizeCSP( | 235 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
216 "default-src 'self' chrome-extension-resource://aabbcc;", | 236 "default-src 'self' chrome-extension-resource://aabbcc;", |
217 OPTIONS_ALLOW_UNSAFE_EVAL)); | 237 OPTIONS_ALLOW_UNSAFE_EVAL))); |
218 EXPECT_TRUE(CheckSanitizeCSP( | 238 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
219 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL, | 239 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL), |
220 "default-src 'self';", | 240 "default-src 'self';", |
221 InsecureValueWarning("default-src", "https:"))); | 241 InsecureValueWarning("default-src", "https:"))); |
222 EXPECT_TRUE(CheckSanitizeCSP( | 242 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
223 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL, | 243 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL), |
224 "default-src 'self';", | 244 "default-src 'self';", |
225 InsecureValueWarning("default-src", "http:"))); | 245 InsecureValueWarning("default-src", "http:"))); |
226 EXPECT_TRUE(CheckSanitizeCSP( | 246 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
227 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 247 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
228 "default-src 'self';", | 248 "default-src 'self';", |
229 InsecureValueWarning("default-src", "google.com"))); | 249 InsecureValueWarning("default-src", "google.com"))); |
230 | 250 |
231 EXPECT_TRUE(CheckSanitizeCSP( | 251 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
232 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL, | 252 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL), |
233 "default-src 'self';", | 253 "default-src 'self';", |
234 InsecureValueWarning("default-src", "*"))); | 254 InsecureValueWarning("default-src", "*"))); |
235 EXPECT_TRUE(CheckSanitizeCSP( | 255 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
236 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL, | 256 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL), |
237 "default-src 'self';", | 257 "default-src 'self';", |
238 InsecureValueWarning("default-src", "*:*"))); | 258 InsecureValueWarning("default-src", "*:*"))); |
239 EXPECT_TRUE(CheckSanitizeCSP( | 259 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
240 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 260 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL), |
241 "default-src 'self';", | 261 "default-src 'self';", |
242 InsecureValueWarning("default-src", "*:*/"))); | 262 InsecureValueWarning("default-src", "*:*/"))); |
243 EXPECT_TRUE(CheckSanitizeCSP( | 263 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
244 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, | 264 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL), |
245 "default-src 'self';", | 265 "default-src 'self';", |
246 InsecureValueWarning("default-src", "*:*/path"))); | 266 InsecureValueWarning("default-src", "*:*/path"))); |
247 EXPECT_TRUE(CheckSanitizeCSP( | 267 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
248 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL, | 268 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL), |
249 "default-src 'self';", | 269 "default-src 'self';", |
250 InsecureValueWarning("default-src", "https://"))); | 270 InsecureValueWarning("default-src", "https://"))); |
251 EXPECT_TRUE(CheckSanitizeCSP( | 271 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
252 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL, | 272 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL), |
253 "default-src 'self';", | 273 "default-src 'self';", |
254 InsecureValueWarning("default-src", "https://*:*"))); | 274 InsecureValueWarning("default-src", "https://*:*"))); |
255 EXPECT_TRUE(CheckSanitizeCSP( | 275 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
256 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 276 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL), |
257 "default-src 'self';", | 277 "default-src 'self';", |
258 InsecureValueWarning("default-src", "https://*:*/"))); | 278 InsecureValueWarning("default-src", "https://*:*/"))); |
259 EXPECT_TRUE(CheckSanitizeCSP( | 279 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
260 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, | 280 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL), |
261 "default-src 'self';", | 281 "default-src 'self';", |
262 InsecureValueWarning("default-src", "https://*:*/path"))); | 282 InsecureValueWarning("default-src", "https://*:*/path"))); |
263 EXPECT_TRUE(CheckSanitizeCSP( | 283 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
264 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL, | 284 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL), |
265 "default-src 'self';", | 285 "default-src 'self';", |
266 InsecureValueWarning("default-src", "https://*.com"))); | 286 InsecureValueWarning("default-src", "https://*.com"))); |
267 EXPECT_TRUE(CheckSanitizeCSP( | 287 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
268 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, | 288 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL), |
269 "default-src 'self';", | 289 "default-src 'self';", |
270 InsecureValueWarning("default-src", "https://*.*.google.com/"))); | 290 InsecureValueWarning("default-src", "https://*.*.google.com/"))); |
271 EXPECT_TRUE(CheckSanitizeCSP( | 291 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
272 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL, | 292 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL)
, |
273 "default-src 'self';", | 293 "default-src 'self';", |
274 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); | 294 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); |
275 EXPECT_TRUE(CheckSanitizeCSP( | 295 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
276 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, | 296 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL)
, |
277 "default-src 'self';", | 297 "default-src 'self';", |
278 InsecureValueWarning("default-src", "https://www.*.google.com/"))); | 298 InsecureValueWarning("default-src", "https://www.*.google.com/"))); |
279 EXPECT_TRUE(CheckSanitizeCSP( | 299 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
280 "default-src 'self' https://www.*.google.com:*/", | 300 "default-src 'self' https://www.*.google.com:*/", |
281 OPTIONS_ALLOW_UNSAFE_EVAL, | 301 OPTIONS_ALLOW_UNSAFE_EVAL), |
282 "default-src 'self';", | 302 "default-src 'self';", |
283 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); | 303 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); |
284 EXPECT_TRUE(CheckSanitizeCSP( | 304 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
285 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL, | 305 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL), |
286 "default-src 'self';", | 306 "default-src 'self';", |
287 InsecureValueWarning("default-src", "chrome://*"))); | 307 InsecureValueWarning("default-src", "chrome://*"))); |
288 EXPECT_TRUE(CheckSanitizeCSP( | 308 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
289 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL, | 309 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL), |
290 "default-src 'self';", | 310 "default-src 'self';", |
291 InsecureValueWarning("default-src", "chrome-extension://*"))); | 311 InsecureValueWarning("default-src", "chrome-extension://*"))); |
292 EXPECT_TRUE(CheckSanitizeCSP( | 312 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
293 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL, | 313 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL), |
294 "default-src 'self';", | 314 "default-src 'self';", |
295 InsecureValueWarning("default-src", "chrome-extension://"))); | 315 InsecureValueWarning("default-src", "chrome-extension://"))); |
296 | 316 |
297 EXPECT_TRUE(CheckSanitizeCSP( | 317 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
298 "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 318 "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
299 EXPECT_TRUE(CheckSanitizeCSP( | 319 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
300 "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 320 "default-src 'self' https://*.google.com:1;", |
301 EXPECT_TRUE(CheckSanitizeCSP( | 321 OPTIONS_ALLOW_UNSAFE_EVAL))); |
302 "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 322 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
303 EXPECT_TRUE(CheckSanitizeCSP( | 323 "default-src 'self' https://*.google.com:*;", |
| 324 OPTIONS_ALLOW_UNSAFE_EVAL))); |
| 325 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
304 "default-src 'self' https://*.google.com:1/;", | 326 "default-src 'self' https://*.google.com:1/;", |
305 OPTIONS_ALLOW_UNSAFE_EVAL)); | 327 OPTIONS_ALLOW_UNSAFE_EVAL))); |
306 EXPECT_TRUE(CheckSanitizeCSP( | 328 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
307 "default-src 'self' https://*.google.com:*/;", | 329 "default-src 'self' https://*.google.com:*/;", |
308 OPTIONS_ALLOW_UNSAFE_EVAL)); | 330 OPTIONS_ALLOW_UNSAFE_EVAL))); |
309 | 331 |
310 EXPECT_TRUE(CheckSanitizeCSP( | 332 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
311 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 333 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
312 EXPECT_TRUE(CheckSanitizeCSP( | 334 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
313 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 335 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
314 EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;", | 336 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://lOcAlHoSt;", |
315 OPTIONS_ALLOW_UNSAFE_EVAL, | 337 OPTIONS_ALLOW_UNSAFE_EVAL), |
316 "default-src 'self' http://lOcAlHoSt;")); | 338 "default-src 'self' http://lOcAlHoSt;")); |
317 EXPECT_TRUE(CheckSanitizeCSP( | 339 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
318 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 340 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
319 EXPECT_TRUE(CheckSanitizeCSP( | 341 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
320 "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 342 "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
321 EXPECT_TRUE(CheckSanitizeCSP( | 343 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
322 "default-src 'self' http://127.0.0.1.example.com", | 344 "default-src 'self' http://127.0.0.1.example.com", |
323 OPTIONS_ALLOW_UNSAFE_EVAL, | 345 OPTIONS_ALLOW_UNSAFE_EVAL), |
324 "default-src 'self';", | 346 "default-src 'self';", |
325 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); | 347 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); |
326 EXPECT_TRUE(CheckSanitizeCSP( | 348 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
327 "default-src 'self' http://localhost.example.com", | 349 "default-src 'self' http://localhost.example.com", |
328 OPTIONS_ALLOW_UNSAFE_EVAL, | 350 OPTIONS_ALLOW_UNSAFE_EVAL), |
329 "default-src 'self';", | 351 "default-src 'self';", |
330 InsecureValueWarning("default-src", "http://localhost.example.com"))); | 352 InsecureValueWarning("default-src", "http://localhost.example.com"))); |
331 | 353 |
332 EXPECT_TRUE(CheckSanitizeCSP( | 354 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
333 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 355 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
334 EXPECT_TRUE(CheckSanitizeCSP( | 356 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
335 "default-src 'self' blob:http://example.com/XXX", | 357 "default-src 'self' blob:http://example.com/XXX", |
336 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", | 358 OPTIONS_ALLOW_UNSAFE_EVAL), "default-src 'self';", |
337 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); | 359 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); |
338 EXPECT_TRUE(CheckSanitizeCSP( | 360 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
339 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL)); | 361 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL))); |
340 EXPECT_TRUE(CheckSanitizeCSP( | 362 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
341 "default-src 'self' filesystem:http://example.com/XX", | 363 "default-src 'self' filesystem:http://example.com/XX", |
342 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", | 364 OPTIONS_ALLOW_UNSAFE_EVAL), "default-src 'self';", |
343 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); | 365 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); |
344 | 366 |
345 EXPECT_TRUE(CheckSanitizeCSP( | 367 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
346 "default-src 'self' https://*.googleapis.com;", | 368 "default-src 'self' https://*.googleapis.com;", |
347 OPTIONS_ALLOW_UNSAFE_EVAL)); | 369 OPTIONS_ALLOW_UNSAFE_EVAL))); |
348 EXPECT_TRUE(CheckSanitizeCSP( | 370 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
349 "default-src 'self' https://x.googleapis.com;", | 371 "default-src 'self' https://x.googleapis.com;", |
350 OPTIONS_ALLOW_UNSAFE_EVAL)); | 372 OPTIONS_ALLOW_UNSAFE_EVAL))); |
351 | 373 |
352 EXPECT_TRUE(CheckSanitizeCSP( | 374 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
353 "script-src 'self'; object-src *", OPTIONS_NONE, | 375 "script-src 'self'; object-src *", OPTIONS_NONE), |
354 "script-src 'self'; object-src;", | 376 "script-src 'self'; object-src;", |
355 InsecureValueWarning("object-src", "*"))); | 377 InsecureValueWarning("object-src", "*"))); |
356 EXPECT_TRUE(CheckSanitizeCSP( | 378 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
357 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 379 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
358 "script-src 'self'; object-src;", | 380 "script-src 'self'; object-src;", |
359 InsecureValueWarning("object-src", "*"))); | 381 InsecureValueWarning("object-src", "*"))); |
360 EXPECT_TRUE(CheckSanitizeCSP( | 382 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
361 "script-src 'self'; object-src *; plugin-types application/pdf;", | 383 "script-src 'self'; object-src *; plugin-types application/pdf;", |
362 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 384 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
363 EXPECT_TRUE(CheckSanitizeCSP( | 385 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
364 "script-src 'self'; object-src *; " | 386 "script-src 'self'; object-src *; " |
365 "plugin-types application/x-shockwave-flash", | 387 "plugin-types application/x-shockwave-flash", |
366 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 388 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
367 "script-src 'self'; object-src; " | 389 "script-src 'self'; object-src; " |
368 "plugin-types application/x-shockwave-flash;", | 390 "plugin-types application/x-shockwave-flash;", |
369 InsecureValueWarning("object-src", "*"))); | 391 InsecureValueWarning("object-src", "*"))); |
370 EXPECT_TRUE(CheckSanitizeCSP( | 392 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
371 "script-src 'self'; object-src *; " | 393 "script-src 'self'; object-src *; " |
372 "plugin-types application/x-shockwave-flash application/pdf;", | 394 "plugin-types application/x-shockwave-flash application/pdf;", |
373 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 395 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
374 "script-src 'self'; object-src; " | 396 "script-src 'self'; object-src; " |
375 "plugin-types application/x-shockwave-flash application/pdf;", | 397 "plugin-types application/x-shockwave-flash application/pdf;", |
376 InsecureValueWarning("object-src", "*"))); | 398 InsecureValueWarning("object-src", "*"))); |
377 EXPECT_TRUE(CheckSanitizeCSP( | 399 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
378 "script-src 'self'; object-src http://www.example.com; " | 400 "script-src 'self'; object-src http://www.example.com; " |
379 "plugin-types application/pdf;", | 401 "plugin-types application/pdf;", |
380 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 402 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
381 EXPECT_TRUE(CheckSanitizeCSP( | 403 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
382 "object-src http://www.example.com blob:; script-src 'self'; " | 404 "object-src http://www.example.com blob:; script-src 'self'; " |
383 "plugin-types application/pdf;", | 405 "plugin-types application/pdf;", |
384 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 406 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
385 EXPECT_TRUE(CheckSanitizeCSP( | 407 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
386 "script-src 'self'; object-src http://*.example.com; " | 408 "script-src 'self'; object-src http://*.example.com; " |
387 "plugin-types application/pdf;", | 409 "plugin-types application/pdf;", |
388 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 410 OPTIONS_ALLOW_INSECURE_OBJECT_SRC))); |
389 EXPECT_TRUE(CheckSanitizeCSP( | 411 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
390 "script-src *; object-src *; plugin-types application/pdf;", | 412 "script-src *; object-src *; plugin-types application/pdf;", |
391 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, | 413 OPTIONS_ALLOW_INSECURE_OBJECT_SRC), |
392 "script-src; object-src *; plugin-types application/pdf;", | 414 "script-src; object-src *; plugin-types application/pdf;", |
393 InsecureValueWarning("script-src", "*"))); | 415 InsecureValueWarning("script-src", "*"))); |
394 | 416 |
395 EXPECT_TRUE(CheckSanitizeCSP( | 417 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
396 "default-src; script-src" | 418 "default-src; script-src" |
397 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" | 419 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" |
398 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" | 420 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" |
399 "t'" | 421 "t'" |
400 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" | 422 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" |
401 "vCSapSz5CVoUGHQcxv43UQg==';", | 423 "vCSapSz5CVoUGHQcxv43UQg==';", |
402 OPTIONS_NONE)); | 424 OPTIONS_NONE))); |
403 | 425 |
404 // Reject non-standard algorithms, even if they are still supported by Blink. | 426 // Reject non-standard algorithms, even if they are still supported by Blink. |
405 EXPECT_TRUE(CheckSanitizeCSP( | 427 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
406 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", | 428 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", |
407 OPTIONS_NONE, "default-src; script-src;", | 429 OPTIONS_NONE), "default-src; script-src;", |
408 InsecureValueWarning("script-src", | 430 InsecureValueWarning("script-src", |
409 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); | 431 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); |
410 | 432 |
411 EXPECT_TRUE(CheckSanitizeCSP( | 433 EXPECT_TRUE(CheckCSP(SanitizeCSP( |
412 "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" | 434 "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" |
413 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", | 435 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", |
414 OPTIONS_NONE, "default-src; script-src;", | 436 OPTIONS_NONE), "default-src; script-src;", |
415 InsecureValueWarning( | 437 InsecureValueWarning( |
416 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), | 438 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), |
417 InsecureValueWarning( | 439 InsecureValueWarning( |
418 "script-src", | 440 "script-src", |
419 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); | 441 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); |
420 } | 442 } |
421 | 443 |
422 TEST(ExtensionCSPValidator, IsSandboxed) { | 444 TEST(ExtensionCSPValidator, IsSandboxed) { |
423 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), | 445 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), |
424 Manifest::TYPE_EXTENSION)); | 446 Manifest::TYPE_EXTENSION)); |
445 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); | 467 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); |
446 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( | 468 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( |
447 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); | 469 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); |
448 | 470 |
449 // Popups are OK. | 471 // Popups are OK. |
450 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 472 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
451 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); | 473 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); |
452 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 474 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
453 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); | 475 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
454 } | 476 } |
| 477 |
| 478 TEST(ExtensionCSPValidator, EffectiveSandboxedPageCSP) { |
| 479 EXPECT_TRUE(CheckCSP( |
| 480 SanitizeSandboxPageCSP(""), |
| 481 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")); |
| 482 EXPECT_TRUE(CheckCSP( |
| 483 SanitizeSandboxPageCSP("child-src http://www.google.com"), |
| 484 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';", |
| 485 InsecureValueWarning("child-src", "http://www.google.com"))); |
| 486 EXPECT_TRUE(CheckCSP( |
| 487 SanitizeSandboxPageCSP("child-src *"), |
| 488 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';", |
| 489 InsecureValueWarning("child-src", "*"))); |
| 490 EXPECT_TRUE(CheckCSP( |
| 491 SanitizeSandboxPageCSP("child-src 'none'"), |
| 492 "child-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")); |
| 493 |
| 494 // Directive values of 'none' and 'self' are preserved. |
| 495 EXPECT_TRUE( |
| 496 CheckCSP(SanitizeSandboxPageCSP("script-src 'none'; frame-src 'self';"), |
| 497 "frame-src 'self'; script-src 'none';")); |
| 498 EXPECT_TRUE(CheckCSP( |
| 499 SanitizeSandboxPageCSP( |
| 500 "script-src 'none'; frame-src 'self' http://www.google.com;"), |
| 501 "frame-src 'self'; script-src 'none';", |
| 502 InsecureValueWarning("frame-src", "http://www.google.com"))); |
| 503 |
| 504 // script-src will add 'unsafe-inline' and 'unsafe-eval' only if script-src is |
| 505 // not specified. |
| 506 EXPECT_TRUE(CheckCSP(SanitizeSandboxPageCSP("script-src 'self'"), |
| 507 "script-src 'self'; child-src 'self'")); |
| 508 EXPECT_TRUE( |
| 509 CheckCSP(SanitizeSandboxPageCSP( |
| 510 "script-src 'self' 'unsafe-inline'; child-src 'self';"), |
| 511 "child-src 'self'; script-src 'self' 'unsafe-inline';")); |
| 512 EXPECT_TRUE( |
| 513 CheckCSP(SanitizeSandboxPageCSP( |
| 514 "script-src 'self' 'unsafe-eval'; child-src 'self';"), |
| 515 "child-src 'self'; script-src 'self' 'unsafe-eval';")); |
| 516 |
| 517 // child-src and frame-src are handled correctly. |
| 518 EXPECT_TRUE(CheckCSP( |
| 519 SanitizeSandboxPageCSP( |
| 520 "script-src 'none'; frame-src 'self' http://www.google.com;"), |
| 521 "frame-src 'self'; script-src 'none';", |
| 522 InsecureValueWarning("frame-src", "http://www.google.com"))); |
| 523 EXPECT_TRUE(CheckCSP( |
| 524 SanitizeSandboxPageCSP( |
| 525 "script-src 'none'; child-src 'self' http://www.google.com;"), |
| 526 "child-src 'self'; script-src 'none';", |
| 527 InsecureValueWarning("child-src", "http://www.google.com"))); |
| 528 |
| 529 // Multiple insecure values. |
| 530 EXPECT_TRUE(CheckCSP( |
| 531 SanitizeSandboxPageCSP( |
| 532 "script-src 'none'; child-src http://bar.com 'self' http://foo.com;"), |
| 533 "child-src 'self'; script-src 'none';", |
| 534 InsecureValueWarning("child-src", "http://bar.com"), |
| 535 InsecureValueWarning("child-src", "http://foo.com"))); |
| 536 } |
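Review bot: The case under "child-src and frame-src are handled correctly" for `script-src 'none'; frame-src 'self' http://www.google.com;` is a verbatim repeat of the case already asserted a few lines earlier under "Directive values of 'none' and 'self' are preserved", so the new block only adds coverage for the child-src variant. Either drop the duplicated frame-src expectation or replace it with an input that differs (for example one where both frame-src and child-src are present) so the comment's claim about both directives is actually exercised. Separately, the expected string `"script-src 'self'; child-src 'self'"` omits the trailing semicolon and puts the directives in a different order than every other expectation in this test; this presumably only passes because CheckCSP compares the split directive sets rather than the raw string, so writing it as `"child-src 'self'; script-src 'self';"` would keep the expectations uniform and not depend on that normalization.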