Chromium Code Reviews| Index: extensions/common/csp_validator_unittest.cc |
| diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc |
| index d9887412a00181d06514b1f0a34c01d9ad5fef12..e466b7ca6e92dd9fe5c00e8c00860943a88a6629 100644 |
| --- a/extensions/common/csp_validator_unittest.cc |
| +++ b/extensions/common/csp_validator_unittest.cc |
| @@ -4,6 +4,7 @@ |
| #include <stddef.h> |
| +#include "base/strings/string_split.h" |
| #include "extensions/common/csp_validator.h" |
| #include "extensions/common/error_utils.h" |
| #include "extensions/common/install_warning.h" |
| @@ -11,6 +12,7 @@ |
| #include "testing/gtest/include/gtest/gtest.h" |
| using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
| +using extensions::csp_validator::GetEffectiveSandoxedPageCSP; |
| using extensions::csp_validator::SanitizeContentSecurityPolicy; |
| using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
| using extensions::csp_validator::OPTIONS_NONE; |
| @@ -109,6 +111,16 @@ testing::AssertionResult CheckSanitizeCSP(const std::string& policy, |
| return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings); |
| } |
| +bool CSPEquals(const std::string& csp1, const std::string& csp2) { |
| + std::vector<std::string> csp1_parts = base::SplitString( |
| + csp1, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| + std::sort(csp1_parts.begin(), csp1_parts.end()); |
| + std::vector<std::string> csp2_parts = base::SplitString( |
| + csp2, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| + std::sort(csp2_parts.begin(), csp2_parts.end()); |
| + return csp1_parts == csp2_parts; |
| +} |
| + |
| }; // namespace |
| TEST(ExtensionCSPValidator, IsLegal) { |
| @@ -454,3 +466,29 @@ TEST(ExtensionCSPValidator, IsSandboxed) { |
| EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
| } |
| + |
| +// TODO(lazyboy): Add comprehensive test cases. |
|
Devlin
2016/12/09 15:46:01
Can we address this TODO before landing? ;)
lazyboy
2016/12/14 00:49:05
I've expanded the tests a bit and added an api_tes
|
| +TEST(ExtensionCSPValidator, EffectiveSandboxedPageCSP) { |
| + EXPECT_TRUE(CSPEquals("child-src 'self'; script-src 'self';", |
| + GetEffectiveSandoxedPageCSP(""))); |
| + EXPECT_TRUE(CSPEquals( |
| + "child-src 'self'; script-src 'self';", |
| + GetEffectiveSandoxedPageCSP("child-src http://www.google.com"))); |
| + EXPECT_TRUE(CSPEquals("child-src 'none'; script-src 'self';", |
| + GetEffectiveSandoxedPageCSP("child-src 'none'"))); |
| + |
| + // Directive values of 'none' and 'self' are preserved. |
| + EXPECT_TRUE(CSPEquals( |
| + "frame-src 'self'; script-src 'none';", |
| + GetEffectiveSandoxedPageCSP("script-src 'none'; frame-src 'self';"))); |
| + EXPECT_TRUE(CSPEquals( |
| + "frame-src 'self'; script-src 'none';", |
| + GetEffectiveSandoxedPageCSP( |
| + "script-src 'none'; frame-src 'self' http://www.google.com;"))); |
| + |
| + // child-src and frame-src are handled correctly. |
| + EXPECT_TRUE(CSPEquals( |
| + "frame-src 'self'; script-src 'none';", |
| + GetEffectiveSandoxedPageCSP( |
| + "script-src 'none'; frame-src 'self' http://www.google.com;"))); |
| +} |
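Review bot: The last assertion in EffectiveSandboxedPageCSP, under the comment `// child-src and frame-src are handled correctly.`, is an exact repeat of the assertion before it, so no input in this test carries both `child-src` and `frame-src` and the interaction between the two directives is never exercised. Because this function determines the policy applied to sandboxed extension pages, that case should use an input holding both directives, for example `"child-src 'none'; frame-src 'self' http://www.google.com;"`, with the expected string pinned to what the validator is meant to emit. `CSPEquals` also sorts the directives before comparing, so it cannot detect a reordering of repeated directives, where CSP honours only the first occurrence; a one-line comment on the helper, such as `// Order-insensitive comparison of ';'-separated directives.`, would make that limit explicit. Wrapping the helper in `EXPECT_TRUE` prints neither policy on failure, whereas returning `testing::AssertionResult`, as `CheckSanitizeCSP` above does, would show the mismatching strings.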