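--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -117,32 +117,30 @@
 "default-src 'self'; script-src http://www.google.com"));
 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
 "default-src 'self';\nscript-src http://www.google.com"));
 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
 "default-src 'self';\rscript-src http://www.google.com"));
 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
 "default-src 'self';,script-src http://www.google.com"));
 }
 
 TEST(ExtensionCSPValidator, IsSecure) {
+EXPECT_TRUE(CheckSanitizeCSP(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL,
+"script-src 'self'; object-src 'self';",
+MissingSecureSrcWarning("script-src"),
+MissingSecureSrcWarning("object-src")));
 EXPECT_TRUE(CheckSanitizeCSP(
-std::string(), OPTIONS_ALLOW_UNSAFE_EVAL,
-"script-src 'self' chrome-extension-resource:; object-src 'self';",
-MissingSecureSrcWarning("script-src"),
-MissingSecureSrcWarning("object-src")));
+"img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
+"img-src https://google.com; script-src 'self'; object-src 'self';",
+MissingSecureSrcWarning("script-src"),
+MissingSecureSrcWarning("object-src")));
 EXPECT_TRUE(CheckSanitizeCSP(
-"img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
-"img-src https://google.com; script-src 'self'"
-" chrome-extension-resource:; object-src 'self';",
-MissingSecureSrcWarning("script-src"),
-MissingSecureSrcWarning("object-src")));
-EXPECT_TRUE(CheckSanitizeCSP(
 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL,
 "script-src; object-src 'self';",
 InsecureValueWarning("script-src", "a"),
 InsecureValueWarning("script-src", "b"),
 MissingSecureSrcWarning("object-src")));
 
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL,
 "default-src;",
 InsecureValueWarning("default-src", "*")));
@@ -207,27 +205,32 @@
 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
 "default-src 'self';",
 InsecureValueWarning("default-src", "http://google.com")));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' chrome-extension://aabbcc;",
 OPTIONS_ALLOW_UNSAFE_EVAL));
-EXPECT_TRUE(CheckSanitizeCSP(
-"default-src 'self' chrome-extension-resource://aabbcc;",
-OPTIONS_ALLOW_UNSAFE_EVAL));
-EXPECT_TRUE(CheckSanitizeCSP(
-"default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL,
-"default-src 'self';",
-InsecureValueWarning("default-src", "https:")));
+// chrome-extension-resource (which doesn't exist anymore) is quietly ignored.
+EXPECT_TRUE(
+CheckSanitizeCSP("default-src 'self' chrome-extension-resource://aabbcc;",
+OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';"));
+EXPECT_TRUE(
+CheckSanitizeCSP("default-src 'self' chrome-extension-resource://aabbcc "
+"chrome-extension://aabbcc;",
+OPTIONS_ALLOW_UNSAFE_EVAL,
+"default-src 'self' chrome-extension://aabbcc;"));
+EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' https:",
+OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';",
+InsecureValueWarning("default-src", "https:")));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL,
 "default-src 'self';",
 InsecureValueWarning("default-src", "http:")));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
 "default-src 'self';",
 InsecureValueWarning("default-src", "google.com")));
 
 EXPECT_TRUE(CheckSanitizeCSP(
@@ -447,10 +450,10 @@
 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION));
 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP));
 
 // Popups are OK.
 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
 "sandbox allow-popups", Manifest::TYPE_EXTENSION));
 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP));
 }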
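Review bot: The new chrome-extension-resource cases at new lines 216-223 exercise only `default-src`, while the removed expectations at old lines 129 and 134-135 show the scheme used to be injected into `script-src`, so the directive whose sanitisation actually gates script execution is the one left without a test. A case along the lines of `EXPECT_TRUE(CheckSanitizeCSP("script-src 'self' chrome-extension-resource://aabbcc;", OPTIONS_ALLOW_UNSAFE_EVAL, "script-src 'self'; object-src 'self';", MissingSecureSrcWarning("object-src")));` would pin that the obsolete source is dropped from `script-src` as well, though the exact expected string and warning set should be confirmed against the sanitizer rather than taken from this note. It is also worth pinning the case where the ignored source is the only value in a directive (e.g. `script-src chrome-extension-resource://aabbcc`), because silently dropping it leaves an empty directive and nothing in the visible hunks says whether that yields a MissingSecureSrcWarning or an empty `script-src;` as in the `"script-src a b"` case at new lines 137-141. TEST(ExtensionCSPValidator, IsSecure) opens at new line 126 inside the first hunk but its body continues past the second hunk, outside what is shown here.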