Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(318)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: extensions/common/csp_validator_unittest.cc

Issue 2563843002: Restrict app sandbox's CSP to disallow loading web content in them. (Closed)
Patch Set: sync Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« extensions/common/csp_validator.cc ('K') | « extensions/common/csp_validator.cc ('k') | extensions/common/manifest_handlers/sandboxed_page_info.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <stddef.h> 5 #include <stddef.h>
6 6
7 #include "base/strings/string_split.h"
7 #include "extensions/common/csp_validator.h" 8 #include "extensions/common/csp_validator.h"
8 #include "extensions/common/error_utils.h" 9 #include "extensions/common/error_utils.h"
9 #include "extensions/common/install_warning.h" 10 #include "extensions/common/install_warning.h"
10 #include "extensions/common/manifest_constants.h" 11 #include "extensions/common/manifest_constants.h"
11 #include "testing/gtest/include/gtest/gtest.h" 12 #include "testing/gtest/include/gtest/gtest.h"
12 13
13 using extensions::csp_validator::ContentSecurityPolicyIsLegal; 14 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
15 using extensions::csp_validator::GetEffectiveSandoxedPageCSP;
14 using extensions::csp_validator::SanitizeContentSecurityPolicy; 16 using extensions::csp_validator::SanitizeContentSecurityPolicy;
15 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; 17 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
16 using extensions::csp_validator::OPTIONS_NONE; 18 using extensions::csp_validator::OPTIONS_NONE;
17 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; 19 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
18 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; 20 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC;
19 using extensions::ErrorUtils; 21 using extensions::ErrorUtils;
20 using extensions::InstallWarning; 22 using extensions::InstallWarning;
21 using extensions::Manifest; 23 using extensions::Manifest;
22 24
23 namespace { 25 namespace {
24 26
25 std::string InsecureValueWarning(const std::string& directive, 27 std::string InsecureValueWarning(const std::string& directive,
26 const std::string& value) { 28 const std::string& value) {
27 return ErrorUtils::FormatErrorMessage( 29 return ErrorUtils::FormatErrorMessage(
28 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); 30 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive);
29 } 31 }
30 32
31 std::string MissingSecureSrcWarning(const std::string& directive) { 33 std::string MissingSecureSrcWarning(const std::string& directive) {
32 return ErrorUtils::FormatErrorMessage( 34 return ErrorUtils::FormatErrorMessage(
33 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); 35 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive);
34 } 36 }
35 37
36 testing::AssertionResult CheckSanitizeCSP( 38 bool CSPEquals(const std::string& csp1, const std::string& csp2) {
37 const std::string& policy, 39 std::vector<std::string> csp1_parts = base::SplitString(
38 int options, 40 csp1, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
41 std::sort(csp1_parts.begin(), csp1_parts.end());
42 std::vector<std::string> csp2_parts = base::SplitString(
43 csp2, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
44 std::sort(csp2_parts.begin(), csp2_parts.end());
45 return csp1_parts == csp2_parts;
46 }
47
48 struct SanitizedCSPResult {
49 std::string csp;
50 std::vector<InstallWarning> warnings;
51 };
52
53 SanitizedCSPResult SanitizeCSP(const std::string& policy, int options) {
54 SanitizedCSPResult result;
55 result.csp = SanitizeContentSecurityPolicy(policy, options, &result.warnings);
56 return result;
57 }
58
59 SanitizedCSPResult SanitizeSandboxPageCSP(const std::string& policy) {
60 SanitizedCSPResult result;
61 result.csp = GetEffectiveSandoxedPageCSP(policy, &result.warnings);
62 return result;
63 }
64
65 testing::AssertionResult CheckCSP(
66 const SanitizedCSPResult& actual,
39 const std::string& expected_csp, 67 const std::string& expected_csp,
40 const std::vector<std::string>& expected_warnings) { 68 const std::vector<std::string>& expected_warnings) {
41 std::vector<InstallWarning> actual_warnings; 69 if (!CSPEquals(expected_csp, actual.csp)) {
42 std::string actual_csp = SanitizeContentSecurityPolicy(policy,
43 options,
44 &actual_warnings);
45 if (actual_csp != expected_csp)
46 return testing::AssertionFailure() 70 return testing::AssertionFailure()
47 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n" 71 << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n"
48 << "Expected CSP: " << expected_csp << "\n" 72 << "Expected CSP: " << expected_csp << "\n"
49 << " Actual CSP: " << actual_csp; 73 << " Actual CSP: " << actual.csp;
74 }
50 75
51 if (expected_warnings.size() != actual_warnings.size()) { 76 if (expected_warnings.size() != actual.warnings.size()) {
52 testing::Message msg; 77 testing::Message msg;
53 msg << "Expected " << expected_warnings.size() 78 msg << "Expected " << expected_warnings.size() << " warnings, but got "
54 << " warnings, but got " << actual_warnings.size(); 79 << actual.warnings.size();
55 for (size_t i = 0; i < actual_warnings.size(); ++i) 80 for (size_t i = 0; i < actual.warnings.size(); ++i)
56 msg << "\nWarning " << i << " " << actual_warnings[i].message; 81 msg << "\nWarning " << i << " " << actual.warnings[i].message;
57 return testing::AssertionFailure() << msg; 82 return testing::AssertionFailure() << msg;
58 } 83 }
59 84
60 for (size_t i = 0; i < expected_warnings.size(); ++i) { 85 for (size_t i = 0; i < expected_warnings.size(); ++i) {
61 if (expected_warnings[i] != actual_warnings[i].message) 86 if (expected_warnings[i] != actual.warnings[i].message)
62 return testing::AssertionFailure() 87 return testing::AssertionFailure()
63 << "Unexpected warning from SanitizeContentSecurityPolicy.\n" 88 << "Unexpected warning from SanitizeContentSecurityPolicy.\n"
64 << "Expected warning[" << i << "]: " << expected_warnings[i] 89 << "Expected warning[" << i << "]: " << expected_warnings[i]
65 << " Actual warning[" << i << "]: " << actual_warnings[i].message; 90 << " Actual warning[" << i << "]: " << actual.warnings[i].message;
66 } 91 }
67 return testing::AssertionSuccess(); 92 return testing::AssertionSuccess();
68 } 93 }
69 94
70 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, 95 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual) {
71 int options) { 96 return CheckCSP(actual, actual.csp, std::vector<std::string>());
72 return CheckSanitizeCSP(policy, options, policy, std::vector<std::string>());
73 } 97 }
74 98
75 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, 99 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual,
76 int options, 100 const std::string& expected_csp) {
77 const std::string& expected_csp) {
78 std::vector<std::string> expected_warnings; 101 std::vector<std::string> expected_warnings;
79 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); 102 return CheckCSP(actual, expected_csp, expected_warnings);
80 } 103 }
81 104
82 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, 105 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual,
83 int options, 106 const std::string& expected_csp,
84 const std::string& expected_csp, 107 const std::string& warning1) {
85 const std::string& warning1) {
86 std::vector<std::string> expected_warnings(1, warning1); 108 std::vector<std::string> expected_warnings(1, warning1);
87 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); 109 return CheckCSP(actual, expected_csp, expected_warnings);
88 } 110 }
89 111
90 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, 112 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual,
91 int options, 113 const std::string& expected_csp,
92 const std::string& expected_csp, 114 const std::string& warning1,
93 const std::string& warning1, 115 const std::string& warning2) {
94 const std::string& warning2) {
95 std::vector<std::string> expected_warnings(1, warning1); 116 std::vector<std::string> expected_warnings(1, warning1);
96 expected_warnings.push_back(warning2); 117 expected_warnings.push_back(warning2);
97 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); 118 return CheckCSP(actual, expected_csp, expected_warnings);
98 } 119 }
99 120
100 testing::AssertionResult CheckSanitizeCSP(const std::string& policy, 121 testing::AssertionResult CheckCSP(const SanitizedCSPResult& actual,
101 int options, 122 const std::string& expected_csp,
102 const std::string& expected_csp, 123 const std::string& warning1,
103 const std::string& warning1, 124 const std::string& warning2,
104 const std::string& warning2, 125 const std::string& warning3) {
105 const std::string& warning3) {
106 std::vector<std::string> expected_warnings(1, warning1); 126 std::vector<std::string> expected_warnings(1, warning1);
107 expected_warnings.push_back(warning2); 127 expected_warnings.push_back(warning2);
108 expected_warnings.push_back(warning3); 128 expected_warnings.push_back(warning3);
109 return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); 129 return CheckCSP(actual, expected_csp, expected_warnings);
110 } 130 }
111 131
112 }; // namespace 132 }; // namespace
113 133
114 TEST(ExtensionCSPValidator, IsLegal) { 134 TEST(ExtensionCSPValidator, IsLegal) {
115 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); 135 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
116 EXPECT_TRUE(ContentSecurityPolicyIsLegal( 136 EXPECT_TRUE(ContentSecurityPolicyIsLegal(
117 "default-src 'self'; script-src http://www.google.com")); 137 "default-src 'self'; script-src http://www.google.com"));
118 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 138 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
119 "default-src 'self';\nscript-src http://www.google.com")); 139 "default-src 'self';\nscript-src http://www.google.com"));
120 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 140 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
121 "default-src 'self';\rscript-src http://www.google.com")); 141 "default-src 'self';\rscript-src http://www.google.com"));
122 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 142 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
123 "default-src 'self';,script-src http://www.google.com")); 143 "default-src 'self';,script-src http://www.google.com"));
124 } 144 }
125 145
126 TEST(ExtensionCSPValidator, IsSecure) { 146 TEST(ExtensionCSPValidator, IsSecure) {
127 EXPECT_TRUE(CheckSanitizeCSP( 147 EXPECT_TRUE(CheckCSP(
128 std::string(), OPTIONS_ALLOW_UNSAFE_EVAL, 148 SanitizeCSP(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL),
129 "script-src 'self' chrome-extension-resource:; object-src 'self';", 149 "script-src 'self' chrome-extension-resource:; object-src 'self';",
130 MissingSecureSrcWarning("script-src"), 150 MissingSecureSrcWarning("script-src"),
131 MissingSecureSrcWarning("object-src"))); 151 MissingSecureSrcWarning("object-src")));
132 EXPECT_TRUE(CheckSanitizeCSP( 152 EXPECT_TRUE(CheckCSP(
133 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, 153 SanitizeCSP("img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL),
134 "img-src https://google.com; script-src 'self'" 154 "img-src https://google.com; script-src 'self'"
135 " chrome-extension-resource:; object-src 'self';", 155 " chrome-extension-resource:; object-src 'self';",
136 MissingSecureSrcWarning("script-src"), 156 MissingSecureSrcWarning("script-src"),
137 MissingSecureSrcWarning("object-src"))); 157 MissingSecureSrcWarning("object-src")));
138 EXPECT_TRUE(CheckSanitizeCSP( 158 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL),
139 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL, 159 "script-src; object-src 'self';",
140 "script-src; object-src 'self';", 160 InsecureValueWarning("script-src", "a"),
141 InsecureValueWarning("script-src", "a"), 161 InsecureValueWarning("script-src", "b"),
142 InsecureValueWarning("script-src", "b"), 162 MissingSecureSrcWarning("object-src")));
143 MissingSecureSrcWarning("object-src"))); 163
144 164 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *", OPTIONS_ALLOW_UNSAFE_EVAL),
145 EXPECT_TRUE(CheckSanitizeCSP( 165 "default-src;",
146 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, 166 InsecureValueWarning("default-src", "*")));
147 "default-src;", 167 EXPECT_TRUE(
148 InsecureValueWarning("default-src", "*"))); 168 CheckCSP(SanitizeCSP("default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)));
149 EXPECT_TRUE(CheckSanitizeCSP( 169 EXPECT_TRUE(
150 "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); 170 CheckCSP(SanitizeCSP("default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL)));
151 EXPECT_TRUE(CheckSanitizeCSP( 171 EXPECT_TRUE(
152 "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL)); 172 CheckCSP(SanitizeCSP("default-src 'self' ftp://google.com",
153 EXPECT_TRUE(CheckSanitizeCSP( 173 OPTIONS_ALLOW_UNSAFE_EVAL),
154 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, 174 "default-src 'self';",
155 "default-src 'self';", 175 InsecureValueWarning("default-src", "ftp://google.com")));
156 InsecureValueWarning("default-src", "ftp://google.com"))); 176 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://google.com;",
157 EXPECT_TRUE(CheckSanitizeCSP( 177 OPTIONS_ALLOW_UNSAFE_EVAL)));
158 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); 178
159 179 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *; default-src 'self'",
160 EXPECT_TRUE(CheckSanitizeCSP( 180 OPTIONS_ALLOW_UNSAFE_EVAL),
161 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, 181 "default-src; default-src 'self';",
162 "default-src; default-src 'self';", 182 InsecureValueWarning("default-src", "*")));
163 InsecureValueWarning("default-src", "*"))); 183 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self'; default-src *;",
164 EXPECT_TRUE(CheckSanitizeCSP( 184 OPTIONS_ALLOW_UNSAFE_EVAL),
165 "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL, 185 "default-src 'self'; default-src;"));
166 "default-src 'self'; default-src;")); 186 EXPECT_TRUE(CheckCSP(
167 EXPECT_TRUE(CheckSanitizeCSP( 187 SanitizeCSP(
168 "default-src 'self'; default-src *; script-src *; script-src 'self'", 188 "default-src 'self'; default-src *; script-src *; script-src 'self'",
169 OPTIONS_ALLOW_UNSAFE_EVAL, 189 OPTIONS_ALLOW_UNSAFE_EVAL),
170 "default-src 'self'; default-src; script-src; script-src 'self';", 190 "default-src 'self'; default-src; script-src; script-src 'self';",
171 InsecureValueWarning("script-src", "*"))); 191 InsecureValueWarning("script-src", "*")));
172 EXPECT_TRUE(CheckSanitizeCSP( 192 EXPECT_TRUE(CheckCSP(
173 "default-src 'self'; default-src *; script-src 'self'; script-src *;", 193 SanitizeCSP(
174 OPTIONS_ALLOW_UNSAFE_EVAL, 194 "default-src 'self'; default-src *; script-src 'self'; script-src *;",
195 OPTIONS_ALLOW_UNSAFE_EVAL),
175 "default-src 'self'; default-src; script-src 'self'; script-src;")); 196 "default-src 'self'; default-src; script-src 'self'; script-src;"));
176 EXPECT_TRUE(CheckSanitizeCSP( 197 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src *; script-src 'self'",
177 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, 198 OPTIONS_ALLOW_UNSAFE_EVAL),
178 "default-src; script-src 'self';", 199 "default-src; script-src 'self';",
179 InsecureValueWarning("default-src", "*"))); 200 InsecureValueWarning("default-src", "*")));
180 EXPECT_TRUE(CheckSanitizeCSP( 201 EXPECT_TRUE(
181 "default-src *; script-src 'self'; img-src 'self'", 202 CheckCSP(SanitizeCSP("default-src *; script-src 'self'; img-src 'self'",
182 OPTIONS_ALLOW_UNSAFE_EVAL, 203 OPTIONS_ALLOW_UNSAFE_EVAL),
183 "default-src; script-src 'self'; img-src 'self';", 204 "default-src; script-src 'self'; img-src 'self';",
184 InsecureValueWarning("default-src", "*"))); 205 InsecureValueWarning("default-src", "*")));
185 EXPECT_TRUE(CheckSanitizeCSP( 206 EXPECT_TRUE(CheckCSP(
186 "default-src *; script-src 'self'; object-src 'self';", 207 SanitizeCSP("default-src *; script-src 'self'; object-src 'self';",
187 OPTIONS_ALLOW_UNSAFE_EVAL, 208 OPTIONS_ALLOW_UNSAFE_EVAL),
188 "default-src; script-src 'self'; object-src 'self';")); 209 "default-src; script-src 'self'; object-src 'self';"));
189 EXPECT_TRUE(CheckSanitizeCSP( 210 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src 'self';",
190 "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)); 211 OPTIONS_ALLOW_UNSAFE_EVAL)));
191 EXPECT_TRUE(CheckSanitizeCSP( 212 EXPECT_TRUE(CheckCSP(
192 "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL)); 213 SanitizeCSP("default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL)));
193 214
194 EXPECT_TRUE(CheckSanitizeCSP( 215 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'unsafe-eval'", OPTIONS_NONE),
195 "default-src 'unsafe-eval'", OPTIONS_NONE, 216 "default-src;",
196 "default-src;", 217 InsecureValueWarning("default-src", "'unsafe-eval'")));
197 InsecureValueWarning("default-src", "'unsafe-eval'"))); 218 EXPECT_TRUE(CheckCSP(
198 EXPECT_TRUE(CheckSanitizeCSP( 219 SanitizeCSP("default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL),
199 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL, 220 "default-src;", InsecureValueWarning("default-src", "'unsafe-inline'")));
200 "default-src;", 221 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'unsafe-inline' 'none'",
201 InsecureValueWarning("default-src", "'unsafe-inline'"))); 222 OPTIONS_ALLOW_UNSAFE_EVAL),
202 EXPECT_TRUE(CheckSanitizeCSP( 223 "default-src 'none';",
203 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, 224 InsecureValueWarning("default-src", "'unsafe-inline'")));
204 "default-src 'none';", 225 EXPECT_TRUE(
205 InsecureValueWarning("default-src", "'unsafe-inline'"))); 226 CheckCSP(SanitizeCSP("default-src 'self' http://google.com",
206 EXPECT_TRUE(CheckSanitizeCSP( 227 OPTIONS_ALLOW_UNSAFE_EVAL),
207 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, 228 "default-src 'self';",
208 "default-src 'self';", 229 InsecureValueWarning("default-src", "http://google.com")));
209 InsecureValueWarning("default-src", "http://google.com"))); 230 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://google.com;",
210 EXPECT_TRUE(CheckSanitizeCSP( 231 OPTIONS_ALLOW_UNSAFE_EVAL)));
211 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); 232 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' chrome://resources;",
212 EXPECT_TRUE(CheckSanitizeCSP( 233 OPTIONS_ALLOW_UNSAFE_EVAL)));
213 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL)); 234 EXPECT_TRUE(
214 EXPECT_TRUE(CheckSanitizeCSP( 235 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://aabbcc;",
215 "default-src 'self' chrome-extension://aabbcc;", 236 OPTIONS_ALLOW_UNSAFE_EVAL)));
216 OPTIONS_ALLOW_UNSAFE_EVAL)); 237 EXPECT_TRUE(CheckCSP(
217 EXPECT_TRUE(CheckSanitizeCSP( 238 SanitizeCSP("default-src 'self' chrome-extension-resource://aabbcc;",
218 "default-src 'self' chrome-extension-resource://aabbcc;", 239 OPTIONS_ALLOW_UNSAFE_EVAL)));
219 OPTIONS_ALLOW_UNSAFE_EVAL)); 240 EXPECT_TRUE(CheckCSP(
220 EXPECT_TRUE(CheckSanitizeCSP( 241 SanitizeCSP("default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL),
221 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL, 242 "default-src 'self';", InsecureValueWarning("default-src", "https:")));
222 "default-src 'self';", 243 EXPECT_TRUE(CheckCSP(
223 InsecureValueWarning("default-src", "https:"))); 244 SanitizeCSP("default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL),
224 EXPECT_TRUE(CheckSanitizeCSP( 245 "default-src 'self';", InsecureValueWarning("default-src", "http:")));
225 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL, 246 EXPECT_TRUE(CheckCSP(
226 "default-src 'self';", 247 SanitizeCSP("default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL),
227 InsecureValueWarning("default-src", "http:")));
228 EXPECT_TRUE(CheckSanitizeCSP(
229 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
230 "default-src 'self';", 248 "default-src 'self';",
231 InsecureValueWarning("default-src", "google.com"))); 249 InsecureValueWarning("default-src", "google.com")));
232 250
233 EXPECT_TRUE(CheckSanitizeCSP( 251 EXPECT_TRUE(CheckCSP(
234 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL, 252 SanitizeCSP("default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL),
235 "default-src 'self';", 253 "default-src 'self';", InsecureValueWarning("default-src", "*")));
236 InsecureValueWarning("default-src", "*"))); 254 EXPECT_TRUE(CheckCSP(
237 EXPECT_TRUE(CheckSanitizeCSP( 255 SanitizeCSP("default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL),
238 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL, 256 "default-src 'self';", InsecureValueWarning("default-src", "*:*")));
239 "default-src 'self';", 257 EXPECT_TRUE(CheckCSP(
240 InsecureValueWarning("default-src", "*:*"))); 258 SanitizeCSP("default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL),
241 EXPECT_TRUE(CheckSanitizeCSP( 259 "default-src 'self';", InsecureValueWarning("default-src", "*:*/")));
242 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL, 260 EXPECT_TRUE(CheckCSP(
243 "default-src 'self';", 261 SanitizeCSP("default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL),
244 InsecureValueWarning("default-src", "*:*/"))); 262 "default-src 'self';", InsecureValueWarning("default-src", "*:*/path")));
245 EXPECT_TRUE(CheckSanitizeCSP( 263 EXPECT_TRUE(CheckCSP(
246 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, 264 SanitizeCSP("default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL),
247 "default-src 'self';", 265 "default-src 'self';", InsecureValueWarning("default-src", "https://")));
248 InsecureValueWarning("default-src", "*:*/path"))); 266 EXPECT_TRUE(CheckCSP(
249 EXPECT_TRUE(CheckSanitizeCSP( 267 SanitizeCSP("default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL),
250 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL,
251 "default-src 'self';",
252 InsecureValueWarning("default-src", "https://")));
253 EXPECT_TRUE(CheckSanitizeCSP(
254 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL,
255 "default-src 'self';", 268 "default-src 'self';",
256 InsecureValueWarning("default-src", "https://*:*"))); 269 InsecureValueWarning("default-src", "https://*:*")));
257 EXPECT_TRUE(CheckSanitizeCSP( 270 EXPECT_TRUE(CheckCSP(
258 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL, 271 SanitizeCSP("default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL),
259 "default-src 'self';", 272 "default-src 'self';",
260 InsecureValueWarning("default-src", "https://*:*/"))); 273 InsecureValueWarning("default-src", "https://*:*/")));
261 EXPECT_TRUE(CheckSanitizeCSP( 274 EXPECT_TRUE(
262 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, 275 CheckCSP(SanitizeCSP("default-src 'self' https://*:*/path",
263 "default-src 'self';", 276 OPTIONS_ALLOW_UNSAFE_EVAL),
264 InsecureValueWarning("default-src", "https://*:*/path"))); 277 "default-src 'self';",
265 EXPECT_TRUE(CheckSanitizeCSP( 278 InsecureValueWarning("default-src", "https://*:*/path")));
266 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL, 279 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.com",
267 "default-src 'self';", 280 OPTIONS_ALLOW_UNSAFE_EVAL),
268 InsecureValueWarning("default-src", "https://*.com"))); 281 "default-src 'self';",
269 EXPECT_TRUE(CheckSanitizeCSP( 282 InsecureValueWarning("default-src", "https://*.com")));
270 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, 283 EXPECT_TRUE(
271 "default-src 'self';", 284 CheckCSP(SanitizeCSP("default-src 'self' https://*.*.google.com/",
272 InsecureValueWarning("default-src", "https://*.*.google.com/"))); 285 OPTIONS_ALLOW_UNSAFE_EVAL),
273 EXPECT_TRUE(CheckSanitizeCSP( 286 "default-src 'self';",
274 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL, 287 InsecureValueWarning("default-src", "https://*.*.google.com/")));
288 EXPECT_TRUE(CheckCSP(
289 SanitizeCSP("default-src 'self' https://*.*.google.com:*/",
290 OPTIONS_ALLOW_UNSAFE_EVAL),
275 "default-src 'self';", 291 "default-src 'self';",
276 InsecureValueWarning("default-src", "https://*.*.google.com:*/"))); 292 InsecureValueWarning("default-src", "https://*.*.google.com:*/")));
277 EXPECT_TRUE(CheckSanitizeCSP( 293 EXPECT_TRUE(CheckCSP(
278 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, 294 SanitizeCSP("default-src 'self' https://www.*.google.com/",
295 OPTIONS_ALLOW_UNSAFE_EVAL),
279 "default-src 'self';", 296 "default-src 'self';",
280 InsecureValueWarning("default-src", "https://www.*.google.com/"))); 297 InsecureValueWarning("default-src", "https://www.*.google.com/")));
281 EXPECT_TRUE(CheckSanitizeCSP( 298 EXPECT_TRUE(CheckCSP(
282 "default-src 'self' https://www.*.google.com:*/", 299 SanitizeCSP("default-src 'self' https://www.*.google.com:*/",
283 OPTIONS_ALLOW_UNSAFE_EVAL, 300 OPTIONS_ALLOW_UNSAFE_EVAL),
284 "default-src 'self';", 301 "default-src 'self';",
285 InsecureValueWarning("default-src", "https://www.*.google.com:*/"))); 302 InsecureValueWarning("default-src", "https://www.*.google.com:*/")));
286 EXPECT_TRUE(CheckSanitizeCSP( 303 EXPECT_TRUE(CheckCSP(
287 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL, 304 SanitizeCSP("default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL),
288 "default-src 'self';", 305 "default-src 'self';",
289 InsecureValueWarning("default-src", "chrome://*"))); 306 InsecureValueWarning("default-src", "chrome://*")));
290 EXPECT_TRUE(CheckSanitizeCSP( 307 EXPECT_TRUE(
291 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL, 308 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://*",
292 "default-src 'self';", 309 OPTIONS_ALLOW_UNSAFE_EVAL),
293 InsecureValueWarning("default-src", "chrome-extension://*"))); 310 "default-src 'self';",
294 EXPECT_TRUE(CheckSanitizeCSP( 311 InsecureValueWarning("default-src", "chrome-extension://*")));
295 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL, 312 EXPECT_TRUE(
296 "default-src 'self';", 313 CheckCSP(SanitizeCSP("default-src 'self' chrome-extension://",
297 InsecureValueWarning("default-src", "chrome-extension://"))); 314 OPTIONS_ALLOW_UNSAFE_EVAL),
298 315 "default-src 'self';",
299 EXPECT_TRUE(CheckSanitizeCSP( 316 InsecureValueWarning("default-src", "chrome-extension://")));
300 "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL)); 317
301 EXPECT_TRUE(CheckSanitizeCSP( 318 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com;",
302 "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL)); 319 OPTIONS_ALLOW_UNSAFE_EVAL)));
303 EXPECT_TRUE(CheckSanitizeCSP( 320 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:1;",
304 "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL)); 321 OPTIONS_ALLOW_UNSAFE_EVAL)));
305 EXPECT_TRUE(CheckSanitizeCSP( 322 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:*;",
306 "default-src 'self' https://*.google.com:1/;", 323 OPTIONS_ALLOW_UNSAFE_EVAL)));
307 OPTIONS_ALLOW_UNSAFE_EVAL)); 324 EXPECT_TRUE(
308 EXPECT_TRUE(CheckSanitizeCSP( 325 CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:1/;",
309 "default-src 'self' https://*.google.com:*/;", 326 OPTIONS_ALLOW_UNSAFE_EVAL)));
310 OPTIONS_ALLOW_UNSAFE_EVAL)); 327 EXPECT_TRUE(
311 328 CheckCSP(SanitizeCSP("default-src 'self' https://*.google.com:*/;",
312 EXPECT_TRUE(CheckSanitizeCSP( 329 OPTIONS_ALLOW_UNSAFE_EVAL)));
313 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL)); 330
314 EXPECT_TRUE(CheckSanitizeCSP( 331 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://127.0.0.1;",
315 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL)); 332 OPTIONS_ALLOW_UNSAFE_EVAL)));
316 EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;", 333 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://localhost;",
317 OPTIONS_ALLOW_UNSAFE_EVAL, 334 OPTIONS_ALLOW_UNSAFE_EVAL)));
318 "default-src 'self' http://lOcAlHoSt;")); 335 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://lOcAlHoSt;",
319 EXPECT_TRUE(CheckSanitizeCSP( 336 OPTIONS_ALLOW_UNSAFE_EVAL),
320 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL)); 337 "default-src 'self' http://lOcAlHoSt;"));
321 EXPECT_TRUE(CheckSanitizeCSP( 338 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://127.0.0.1:9999;",
322 "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL)); 339 OPTIONS_ALLOW_UNSAFE_EVAL)));
323 EXPECT_TRUE(CheckSanitizeCSP( 340 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' http://localhost:8888;",
324 "default-src 'self' http://127.0.0.1.example.com", 341 OPTIONS_ALLOW_UNSAFE_EVAL)));
325 OPTIONS_ALLOW_UNSAFE_EVAL, 342 EXPECT_TRUE(CheckCSP(
343 SanitizeCSP("default-src 'self' http://127.0.0.1.example.com",
344 OPTIONS_ALLOW_UNSAFE_EVAL),
326 "default-src 'self';", 345 "default-src 'self';",
327 InsecureValueWarning("default-src", "http://127.0.0.1.example.com"))); 346 InsecureValueWarning("default-src", "http://127.0.0.1.example.com")));
328 EXPECT_TRUE(CheckSanitizeCSP( 347 EXPECT_TRUE(CheckCSP(
329 "default-src 'self' http://localhost.example.com", 348 SanitizeCSP("default-src 'self' http://localhost.example.com",
330 OPTIONS_ALLOW_UNSAFE_EVAL, 349 OPTIONS_ALLOW_UNSAFE_EVAL),
331 "default-src 'self';", 350 "default-src 'self';",
332 InsecureValueWarning("default-src", "http://localhost.example.com"))); 351 InsecureValueWarning("default-src", "http://localhost.example.com")));
333 352
334 EXPECT_TRUE(CheckSanitizeCSP( 353 EXPECT_TRUE(CheckCSP(
335 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL)); 354 SanitizeCSP("default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL)));
336 EXPECT_TRUE(CheckSanitizeCSP( 355 EXPECT_TRUE(CheckCSP(
337 "default-src 'self' blob:http://example.com/XXX", 356 SanitizeCSP("default-src 'self' blob:http://example.com/XXX",
338 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", 357 OPTIONS_ALLOW_UNSAFE_EVAL),
358 "default-src 'self';",
339 InsecureValueWarning("default-src", "blob:http://example.com/XXX"))); 359 InsecureValueWarning("default-src", "blob:http://example.com/XXX")));
340 EXPECT_TRUE(CheckSanitizeCSP( 360 EXPECT_TRUE(CheckCSP(SanitizeCSP("default-src 'self' filesystem:;",
341 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL)); 361 OPTIONS_ALLOW_UNSAFE_EVAL)));
342 EXPECT_TRUE(CheckSanitizeCSP( 362 EXPECT_TRUE(CheckCSP(
343 "default-src 'self' filesystem:http://example.com/XX", 363 SanitizeCSP("default-src 'self' filesystem:http://example.com/XX",
344 OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';", 364 OPTIONS_ALLOW_UNSAFE_EVAL),
365 "default-src 'self';",
345 InsecureValueWarning("default-src", "filesystem:http://example.com/XX"))); 366 InsecureValueWarning("default-src", "filesystem:http://example.com/XX")));
346 367
347 EXPECT_TRUE(CheckSanitizeCSP( 368 EXPECT_TRUE(
348 "default-src 'self' https://*.googleapis.com;", 369 CheckCSP(SanitizeCSP("default-src 'self' https://*.googleapis.com;",
349 OPTIONS_ALLOW_UNSAFE_EVAL)); 370 OPTIONS_ALLOW_UNSAFE_EVAL)));
350 EXPECT_TRUE(CheckSanitizeCSP( 371 EXPECT_TRUE(
351 "default-src 'self' https://x.googleapis.com;", 372 CheckCSP(SanitizeCSP("default-src 'self' https://x.googleapis.com;",
352 OPTIONS_ALLOW_UNSAFE_EVAL)); 373 OPTIONS_ALLOW_UNSAFE_EVAL)));
353 374
354 EXPECT_TRUE(CheckSanitizeCSP( 375 EXPECT_TRUE(
355 "script-src 'self'; object-src *", OPTIONS_NONE, 376 CheckCSP(SanitizeCSP("script-src 'self'; object-src *", OPTIONS_NONE),
356 "script-src 'self'; object-src;", 377 "script-src 'self'; object-src;",
357 InsecureValueWarning("object-src", "*"))); 378 InsecureValueWarning("object-src", "*")));
358 EXPECT_TRUE(CheckSanitizeCSP( 379 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src *",
359 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, 380 OPTIONS_ALLOW_INSECURE_OBJECT_SRC),
360 "script-src 'self'; object-src;", 381 "script-src 'self'; object-src;",
361 InsecureValueWarning("object-src", "*"))); 382 InsecureValueWarning("object-src", "*")));
362 EXPECT_TRUE(CheckSanitizeCSP( 383 EXPECT_TRUE(CheckCSP(SanitizeCSP(
363 "script-src 'self'; object-src *; plugin-types application/pdf;", 384 "script-src 'self'; object-src *; plugin-types application/pdf;",
364 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 385 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)));
365 EXPECT_TRUE(CheckSanitizeCSP( 386 EXPECT_TRUE(CheckCSP(SanitizeCSP("script-src 'self'; object-src *; "
366 "script-src 'self'; object-src *; " 387 "plugin-types application/x-shockwave-flash",
367 "plugin-types application/x-shockwave-flash", 388 OPTIONS_ALLOW_INSECURE_OBJECT_SRC),
368 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, 389 "script-src 'self'; object-src; "
369 "script-src 'self'; object-src; " 390 "plugin-types application/x-shockwave-flash;",
370 "plugin-types application/x-shockwave-flash;", 391 InsecureValueWarning("object-src", "*")));
371 InsecureValueWarning("object-src", "*"))); 392 EXPECT_TRUE(CheckCSP(
372 EXPECT_TRUE(CheckSanitizeCSP( 393 SanitizeCSP("script-src 'self'; object-src *; "
373 "script-src 'self'; object-src *; " 394 "plugin-types application/x-shockwave-flash application/pdf;",
374 "plugin-types application/x-shockwave-flash application/pdf;", 395 OPTIONS_ALLOW_INSECURE_OBJECT_SRC),
375 OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
376 "script-src 'self'; object-src; " 396 "script-src 'self'; object-src; "
377 "plugin-types application/x-shockwave-flash application/pdf;", 397 "plugin-types application/x-shockwave-flash application/pdf;",
378 InsecureValueWarning("object-src", "*"))); 398 InsecureValueWarning("object-src", "*")));
379 EXPECT_TRUE(CheckSanitizeCSP( 399 EXPECT_TRUE(CheckCSP(
380 "script-src 'self'; object-src http://www.example.com; " 400 SanitizeCSP("script-src 'self'; object-src http://www.example.com; "
381 "plugin-types application/pdf;", 401 "plugin-types application/pdf;",
382 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 402 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)));
383 EXPECT_TRUE(CheckSanitizeCSP( 403 EXPECT_TRUE(CheckCSP(
384 "object-src http://www.example.com blob:; script-src 'self'; " 404 SanitizeCSP("object-src http://www.example.com blob:; script-src 'self'; "
385 "plugin-types application/pdf;", 405 "plugin-types application/pdf;",
386 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 406 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)));
387 EXPECT_TRUE(CheckSanitizeCSP( 407 EXPECT_TRUE(CheckCSP(
388 "script-src 'self'; object-src http://*.example.com; " 408 SanitizeCSP("script-src 'self'; object-src http://*.example.com; "
389 "plugin-types application/pdf;", 409 "plugin-types application/pdf;",
390 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 410 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)));
391 EXPECT_TRUE(CheckSanitizeCSP( 411 EXPECT_TRUE(CheckCSP(
392 "script-src *; object-src *; plugin-types application/pdf;", 412 SanitizeCSP("script-src *; object-src *; plugin-types application/pdf;",
393 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, 413 OPTIONS_ALLOW_INSECURE_OBJECT_SRC),
394 "script-src; object-src *; plugin-types application/pdf;", 414 "script-src; object-src *; plugin-types application/pdf;",
395 InsecureValueWarning("script-src", "*"))); 415 InsecureValueWarning("script-src", "*")));
396 416
397 EXPECT_TRUE(CheckSanitizeCSP( 417 EXPECT_TRUE(CheckCSP(SanitizeCSP(
398 "default-src; script-src" 418 "default-src; script-src"
399 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='" 419 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='"
400 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS" 420 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS"
401 "t'" 421 "t'"
402 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw" 422 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw"
403 "vCSapSz5CVoUGHQcxv43UQg==';", 423 "vCSapSz5CVoUGHQcxv43UQg==';",
404 OPTIONS_NONE)); 424 OPTIONS_NONE)));
405 425
406 // Reject non-standard algorithms, even if they are still supported by Blink. 426 // Reject non-standard algorithms, even if they are still supported by Blink.
407 EXPECT_TRUE(CheckSanitizeCSP( 427 EXPECT_TRUE(CheckCSP(
408 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';", 428 SanitizeCSP(
409 OPTIONS_NONE, "default-src; script-src;", 429 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';",
430 OPTIONS_NONE),
431 "default-src; script-src;",
410 InsecureValueWarning("script-src", 432 InsecureValueWarning("script-src",
411 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='"))); 433 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='")));
412 434
413 EXPECT_TRUE(CheckSanitizeCSP( 435 EXPECT_TRUE(CheckCSP(
414 "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ" 436 SanitizeCSP("default-src; script-src "
415 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';", 437 "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ"
416 OPTIONS_NONE, "default-src; script-src;", 438 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';",
439 OPTIONS_NONE),
440 "default-src; script-src;",
417 InsecureValueWarning( 441 InsecureValueWarning(
418 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="), 442 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="),
419 InsecureValueWarning( 443 InsecureValueWarning(
420 "script-src", 444 "script-src",
421 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"))); 445 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='")));
422 } 446 }
423 447
424 TEST(ExtensionCSPValidator, IsSandboxed) { 448 TEST(ExtensionCSPValidator, IsSandboxed) {
425 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), 449 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
426 Manifest::TYPE_EXTENSION)); 450 Manifest::TYPE_EXTENSION));
(...skipping 20 matching lines...) Expand all
447 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); 471 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION));
448 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( 472 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
449 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); 473 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP));
450 474
451 // Popups are OK. 475 // Popups are OK.
452 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 476 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
453 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); 477 "sandbox allow-popups", Manifest::TYPE_EXTENSION));
454 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 478 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
455 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); 479 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP));
456 } 480 }
481
482 TEST(ExtensionCSPValidator, EffectiveSandboxedPageCSP) {
483 EXPECT_TRUE(CheckCSP(
484 SanitizeSandboxPageCSP(""),
485 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"));
486 EXPECT_TRUE(CheckCSP(
487 SanitizeSandboxPageCSP("child-src http://www.google.com"),
488 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';",
489 InsecureValueWarning("child-src", "http://www.google.com")));
490 EXPECT_TRUE(CheckCSP(
491 SanitizeSandboxPageCSP("child-src *"),
492 "child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';",
493 InsecureValueWarning("child-src", "*")));
494 EXPECT_TRUE(CheckCSP(
495 SanitizeSandboxPageCSP("child-src 'none'"),
496 "child-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"));
497
498 // Directive values of 'none' and 'self' are preserved.
499 EXPECT_TRUE(
500 CheckCSP(SanitizeSandboxPageCSP("script-src 'none'; frame-src 'self';"),
501 "frame-src 'self'; script-src 'none';"));
502 EXPECT_TRUE(CheckCSP(
503 SanitizeSandboxPageCSP(
504 "script-src 'none'; frame-src 'self' http://www.google.com;"),
505 "frame-src 'self'; script-src 'none';",
506 InsecureValueWarning("frame-src", "http://www.google.com")));
507
508 // script-src will add 'unsafe-inline' and 'unsafe-eval' only if script-src is
509 // not specified.
510 EXPECT_TRUE(CheckCSP(SanitizeSandboxPageCSP("script-src 'self'"),
511 "script-src 'self'; child-src 'self'"));
512 EXPECT_TRUE(
513 CheckCSP(SanitizeSandboxPageCSP(
514 "script-src 'self' 'unsafe-inline'; child-src 'self';"),
515 "child-src 'self'; script-src 'self' 'unsafe-inline';"));
516 EXPECT_TRUE(
517 CheckCSP(SanitizeSandboxPageCSP(
518 "script-src 'self' 'unsafe-eval'; child-src 'self';"),
519 "child-src 'self'; script-src 'self' 'unsafe-eval';"));
520
521 // child-src and frame-src are handled correctly.
522 EXPECT_TRUE(CheckCSP(
523 SanitizeSandboxPageCSP(
524 "script-src 'none'; frame-src 'self' http://www.google.com;"),
525 "frame-src 'self'; script-src 'none';",
526 InsecureValueWarning("frame-src", "http://www.google.com")));
527 EXPECT_TRUE(CheckCSP(
528 SanitizeSandboxPageCSP(
529 "script-src 'none'; child-src 'self' http://www.google.com;"),
530 "child-src 'self'; script-src 'none';",
531 InsecureValueWarning("child-src", "http://www.google.com")));
532
533 // Multiple insecure values.
534 EXPECT_TRUE(CheckCSP(
535 SanitizeSandboxPageCSP(
536 "script-src 'none'; child-src http://bar.com 'self' http://foo.com;"),
537 "child-src 'self'; script-src 'none';",
538 InsecureValueWarning("child-src", "http://bar.com"),
539 InsecureValueWarning("child-src", "http://foo.com")));
540 }
OLDNEW
« extensions/common/csp_validator.cc ('K') | « extensions/common/csp_validator.cc ('k') | extensions/common/manifest_handlers/sandboxed_page_info.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698