Index: extensions/common/csp_validator_unittest.cc |
diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc |
index d9887412a00181d06514b1f0a34c01d9ad5fef12..e466b7ca6e92dd9fe5c00e8c00860943a88a6629 100644 |
--- a/extensions/common/csp_validator_unittest.cc |
+++ b/extensions/common/csp_validator_unittest.cc |
@@ -4,6 +4,7 @@ |
#include <stddef.h> |
+#include "base/strings/string_split.h" |
#include "extensions/common/csp_validator.h" |
#include "extensions/common/error_utils.h" |
#include "extensions/common/install_warning.h" |
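Review bot: `CSPEquals`, added further down in this file, calls `std::sort` and declares `std::vector<std::string>`, but the include block shown here gains only `base/strings/string_split.h`. Unless both headers are already included directly on a line outside this hunk, add `#include <algorithm>` and `#include <vector>` next to `<stddef.h>` so the test does not rely on transitive includes.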
@@ -11,6 +12,7 @@ |
#include "testing/gtest/include/gtest/gtest.h" |
using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
+using extensions::csp_validator::GetEffectiveSandoxedPageCSP; |
using extensions::csp_validator::SanitizeContentSecurityPolicy; |
using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
using extensions::csp_validator::OPTIONS_NONE; |
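Review bot: The imported name `GetEffectiveSandoxedPageCSP` is misspelled: "Sandoxed" is missing the "b". The new test in this file is named `EffectiveSandboxedPageCSP` and the neighbouring helper is `ContentSecurityPolicyIsSandboxed`. The declaration is in `csp_validator.h`, outside this file, so the rename to `GetEffectiveSandboxedPageCSP` has to be made there and then followed in this `using` line and the call sites below. Fixing it before landing keeps a security-relevant API findable by search.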
@@ -109,6 +111,16 @@ testing::AssertionResult CheckSanitizeCSP(const std::string& policy, |
return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); |
} |
+bool CSPEquals(const std::string& csp1, const std::string& csp2) { |
+ std::vector<std::string> csp1_parts = base::SplitString( |
+ csp1, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
+ std::sort(csp1_parts.begin(), csp1_parts.end()); |
+ std::vector<std::string> csp2_parts = base::SplitString( |
+ csp2, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
+ std::sort(csp2_parts.begin(), csp2_parts.end()); |
+ return csp1_parts == csp2_parts; |
+} |
+ |
}; // namespace |
TEST(ExtensionCSPValidator, IsLegal) { |
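Review bot: `CSPEquals` returns a plain `bool`, so a failing `EXPECT_TRUE(CSPEquals(...))` reports only "false" and never prints the policy the validator actually produced. The sibling helper `CheckSanitizeCSP` above already returns `testing::AssertionResult`; doing the same here means changing the return type and ending with `if (csp1_parts == csp2_parts) return testing::AssertionSuccess();` followed by `return testing::AssertionFailure() << "expected: " << csp1 << " actual: " << csp2;`. The helper also needs a comment on what "equal" means, for example `// Compares policies as unordered sets of ';'-separated directives; the text inside each directive must match exactly.`, because source order and spacing within a directive are still significant.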
@@ -454,3 +466,29 @@ TEST(ExtensionCSPValidator, IsSandboxed) { |
EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
"sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
} |
+ |
+// TODO(lazyboy): Add comprehensive test cases. |
Devlin
2016/12/09 15:46:01
Can we address this TODO before landing? ;)
lazyboy
2016/12/14 00:49:05
I've expanded the tests a bit and added an api_tes
|
+TEST(ExtensionCSPValidator, EffectiveSandboxedPageCSP) { |
+ EXPECT_TRUE(CSPEquals("child-src 'self'; script-src 'self';", |
+ GetEffectiveSandoxedPageCSP(""))); |
+ EXPECT_TRUE(CSPEquals( |
+ "child-src 'self'; script-src 'self';", |
+ GetEffectiveSandoxedPageCSP("child-src http://www.google.com"))); |
+ EXPECT_TRUE(CSPEquals("child-src 'none'; script-src 'self';", |
+ GetEffectiveSandoxedPageCSP("child-src 'none'"))); |
+ |
+ // Directive values of 'none' and 'self' are preserved. |
+ EXPECT_TRUE(CSPEquals( |
+ "frame-src 'self'; script-src 'none';", |
+ GetEffectiveSandoxedPageCSP("script-src 'none'; frame-src 'self';"))); |
+ EXPECT_TRUE(CSPEquals( |
+ "frame-src 'self'; script-src 'none';", |
+ GetEffectiveSandoxedPageCSP( |
+ "script-src 'none'; frame-src 'self' http://www.google.com;"))); |
+ |
+ // child-src and frame-src are handled correctly. |
+ EXPECT_TRUE(CSPEquals( |
+ "frame-src 'self'; script-src 'none';", |
+ GetEffectiveSandoxedPageCSP( |
+ "script-src 'none'; frame-src 'self' http://www.google.com;"))); |
+} |
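Review bot: The final assertion, under the comment `// child-src and frame-src are handled correctly.`, is byte-for-byte the same as the one just above it (`"script-src 'none'; frame-src 'self' http://www.google.com;"` with the same expected string), so it adds no coverage. Replace its input with a policy that sets both `child-src` and `frame-src`, so the interaction between the two directives is actually pinned down; the expected string should come from the intended behaviour of the implementation. None of the inputs in this test gives `script-src` a non-keyword source either, so the case where a sandboxed page's policy tries to widen script loading is not exercised here.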