
Side by Side Diff: extensions/common/csp_validator_unittest.cc

Issue 747403002: Ignore insecure parts of CSP in extensions and allow extension to load (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years ago
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "extensions/common/csp_validator.h" 5 #include "extensions/common/csp_validator.h"
6 #include "extensions/common/error_utils.h"
7 #include "extensions/common/install_warning.h"
8 #include "extensions/common/manifest_constants.h"
6 #include "testing/gtest/include/gtest/gtest.h" 9 #include "testing/gtest/include/gtest/gtest.h"
7 10
8 using extensions::csp_validator::ContentSecurityPolicyIsLegal; 11 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
9 using extensions::csp_validator::ContentSecurityPolicyIsSecure; 12 using extensions::csp_validator::ContentSecurityPolicyIsSecure;
10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; 13 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
14 using extensions::ErrorUtils;
15 using extensions::InstallWarning;
11 using extensions::Manifest; 16 using extensions::Manifest;
12 17
18 namespace {
19
20 std::string InsecureValueWarning(const std::string& directive,
21 const std::string& value) {
22 return ErrorUtils::FormatErrorMessage(
23 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive);
24 }
25
26 std::string MissingSecureSrcWarning(const std::string& directive) {
27 return ErrorUtils::FormatErrorMessage(
28 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive);
29 }
30
31 }; // namespace
32
13 TEST(ExtensionCSPValidator, IsLegal) { 33 TEST(ExtensionCSPValidator, IsLegal) {
14 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); 34 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
15 EXPECT_TRUE(ContentSecurityPolicyIsLegal( 35 EXPECT_TRUE(ContentSecurityPolicyIsLegal(
16 "default-src 'self'; script-src http://www.google.com")); 36 "default-src 'self'; script-src http://www.google.com"));
17 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 37 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
18 "default-src 'self';\nscript-src http://www.google.com")); 38 "default-src 'self';\nscript-src http://www.google.com"));
19 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 39 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
20 "default-src 'self';\rscript-src http://www.google.com")); 40 "default-src 'self';\rscript-src http://www.google.com"));
21 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 41 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
22 "default-src 'self';,script-src http://www.google.com")); 42 "default-src 'self';,script-src http://www.google.com"));
23 } 43 }
24 44
25 TEST(ExtensionCSPValidator, IsSecure) { 45 TEST(ExtensionCSPValidator, IsSecure) {
26 EXPECT_FALSE( 46 std::string csp;
27 ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION)); 47 std::vector<InstallWarning> warnings;
28 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", 48
29 Manifest::TYPE_EXTENSION)); 49 warnings.push_back(InstallWarning("should not be removed"));
30 50 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
31 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 51 std::string(), Manifest::TYPE_EXTENSION, &csp, &warnings));
32 "default-src *", Manifest::TYPE_EXTENSION)); 52 EXPECT_EQ("script-src 'self' chrome-extension-resource:; object-src 'self';",
33 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 53 csp);
34 "default-src 'self'", Manifest::TYPE_EXTENSION)); 54 EXPECT_EQ(3U, warnings.size());
35 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 55 // ContentSecurityPolicyIsSecure should append (not replace) warnings.
36 "default-src 'none'", Manifest::TYPE_EXTENSION)); 56 EXPECT_EQ("should not be removed", warnings[0].message);
37 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 57 EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[1].message);
38 "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION)); 58 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message);
39 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 59 warnings.clear();
40 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); 60
41 61 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
42 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 62 "img-src https://google.com", Manifest::TYPE_EXTENSION, &csp, &warnings));
43 "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION)); 63 EXPECT_EQ("img-src https://google.com; script-src 'self'"
44 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 64 " chrome-extension-resource:; object-src 'self';", csp);
45 "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION)); 65 EXPECT_EQ(2U, warnings.size());
66 EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[0].message);
67 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[1].message);
68 warnings.clear();
69
70 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
71 "script-src a b", Manifest::TYPE_EXTENSION, &csp, &warnings));
72 EXPECT_EQ("script-src; object-src 'self';", csp);
73 EXPECT_EQ(3U, warnings.size());
74 EXPECT_EQ(InsecureValueWarning("script-src", "a"), warnings[0].message);
75 EXPECT_EQ(InsecureValueWarning("script-src", "b"), warnings[1].message);
76 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message);
77 warnings.clear();
78
79 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
80 "default-src *", Manifest::TYPE_EXTENSION, &csp, &warnings));
81 EXPECT_EQ("default-src;", csp);
82 EXPECT_EQ(1U, warnings.size());
83 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
84 warnings.clear();
85
86 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
87 "default-src 'self'", Manifest::TYPE_EXTENSION, NULL, NULL));
88 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
89 "default-src 'none'", Manifest::TYPE_EXTENSION, NULL, NULL));
90
91 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
92 "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION, &csp,
93 &warnings));
94 EXPECT_EQ("default-src 'self';", csp);
95 EXPECT_EQ(1U, warnings.size());
96 EXPECT_EQ(InsecureValueWarning("default-src", "ftp://google.com"),
97 warnings[0].message);
98 warnings.clear();
99
100 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
101 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION, NULL,
102 NULL));
103
104 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
105 "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION, &csp,
106 &warnings));
107 EXPECT_EQ("default-src; default-src 'self';", csp);
108 EXPECT_EQ(1U, warnings.size());
109 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
110 warnings.clear();
111
112 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
113 "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION, NULL,
114 NULL));
46 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 115 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
47 "default-src 'self'; default-src *; script-src *; script-src 'self'", 116 "default-src 'self'; default-src *; script-src *; script-src 'self'",
48 Manifest::TYPE_EXTENSION)); 117 Manifest::TYPE_EXTENSION, &csp, &warnings));
118 EXPECT_EQ("default-src 'self'; default-src; script-src; script-src 'self';",
119 csp);
120 // No warning about "object-src *" because it comes after "object-src 'self'".
121 EXPECT_EQ(1U, warnings.size());
122 EXPECT_EQ(InsecureValueWarning("script-src", "*"), warnings[0].message);
123 warnings.clear();
124
49 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 125 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
50 "default-src 'self'; default-src *; script-src 'self'; script-src *", 126 "default-src 'self'; default-src *; script-src 'self'; script-src *",
51 Manifest::TYPE_EXTENSION)); 127 Manifest::TYPE_EXTENSION, NULL, NULL));
52 128
53 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 129 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
54 "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION)); 130 "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION, &csp,
131 &warnings));
132 EXPECT_EQ("default-src; script-src 'self';", csp);
133 EXPECT_EQ(1U, warnings.size());
134 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
135 warnings.clear();
136
55 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 137 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
56 "default-src *; script-src 'self'; img-src 'self'", 138 "default-src *; script-src 'self'; img-src 'self'",
57 Manifest::TYPE_EXTENSION)); 139 Manifest::TYPE_EXTENSION, &csp, &warnings));
140 EXPECT_EQ("default-src; script-src 'self'; img-src 'self';", csp);
141 EXPECT_EQ(1U, warnings.size());
142 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
143 warnings.clear();
144
58 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 145 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
59 "default-src *; script-src 'self'; object-src 'self'", 146 "default-src *; script-src 'self'; object-src 'self'",
60 Manifest::TYPE_EXTENSION)); 147 Manifest::TYPE_EXTENSION, NULL, NULL));
61 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 148 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
62 "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION)); 149 "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION, NULL,
63 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 150 NULL));
64 "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION)); 151 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
65 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 152 "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION, NULL, NULL));
66 "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP)); 153 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
67 154 "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP, NULL,
68 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 155 NULL));
69 "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP)); 156
70 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 157 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
71 "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION)); 158 "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP, &csp,
72 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 159 &warnings));
73 "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION)); 160 EXPECT_EQ("default-src;", csp);
74 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 161 EXPECT_EQ(1U, warnings.size());
75 "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION)); 162 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-eval'"),
76 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 163 warnings[0].message);
77 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); 164 warnings.clear();
78 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 165
79 "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION)); 166 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
167 "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION, &csp,
168 &warnings));
169 EXPECT_EQ("default-src;", csp);
170 EXPECT_EQ(1U, warnings.size());
171 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"),
172 warnings[0].message);
173 warnings.clear();
174
175 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
176 "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION, &csp,
177 &warnings));
178 EXPECT_EQ("default-src 'none';", csp);
179 EXPECT_EQ(1U, warnings.size());
180 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"),
181 warnings[0].message);
182 warnings.clear();
183
184 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
185 "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION, &csp,
186 &warnings));
187 EXPECT_EQ("default-src 'self';", csp);
188 EXPECT_EQ(1U, warnings.size());
189 EXPECT_EQ(InsecureValueWarning("default-src", "http://google.com"),
190 warnings[0].message);
191 warnings.clear();
192
193 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
194 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION, NULL,
195 NULL));
196 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
197 "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION, NULL,
198 NULL));
80 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 199 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
81 "default-src 'self' chrome-extension://aabbcc", 200 "default-src 'self' chrome-extension://aabbcc",
82 Manifest::TYPE_EXTENSION)); 201 Manifest::TYPE_EXTENSION, NULL, NULL));
83 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 202 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
84 "default-src 'self' chrome-extension-resource://aabbcc", 203 "default-src 'self' chrome-extension-resource://aabbcc",
85 Manifest::TYPE_EXTENSION)); 204 Manifest::TYPE_EXTENSION, NULL, NULL));
86 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 205 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
87 "default-src 'self' https:", Manifest::TYPE_EXTENSION)); 206 "default-src 'self' https:", Manifest::TYPE_EXTENSION, &csp, &warnings));
88 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 207 EXPECT_EQ("default-src 'self';", csp);
89 "default-src 'self' http:", Manifest::TYPE_EXTENSION)); 208 EXPECT_EQ(1U, warnings.size());
90 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 209 EXPECT_EQ(InsecureValueWarning("default-src", "https:"), warnings[0].message);
91 "default-src 'self' google.com", Manifest::TYPE_EXTENSION)); 210 warnings.clear();
92 211
93 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 212 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
94 "default-src 'self' *", Manifest::TYPE_EXTENSION)); 213 "default-src 'self' http:", Manifest::TYPE_EXTENSION, &csp, &warnings));
95 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 214 EXPECT_EQ("default-src 'self';", csp);
96 "default-src 'self' *:*", Manifest::TYPE_EXTENSION)); 215 EXPECT_EQ(1U, warnings.size());
97 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 216 EXPECT_EQ(InsecureValueWarning("default-src", "http:"), warnings[0].message);
98 "default-src 'self' *:*/", Manifest::TYPE_EXTENSION)); 217 warnings.clear();
99 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 218
100 "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION)); 219 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
101 // "https://" is an invalid CSP, so it will be ignored by Blink. 220 "default-src 'self' google.com", Manifest::TYPE_EXTENSION, &csp,
102 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed. 221 &warnings));
103 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 222 EXPECT_EQ("default-src 'self';", csp);
104 "default-src 'self' https://", Manifest::TYPE_EXTENSION)); 223 EXPECT_EQ(1U, warnings.size());
105 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 224 EXPECT_EQ(InsecureValueWarning("default-src", "google.com"),
106 "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION)); 225 warnings[0].message);
107 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 226 warnings.clear();
108 "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION)); 227
109 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 228
110 "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION)); 229 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
111 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 230 "default-src 'self' *", Manifest::TYPE_EXTENSION, &csp, &warnings));
112 "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION)); 231 EXPECT_EQ("default-src 'self';", csp);
113 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 232 EXPECT_EQ(1U, warnings.size());
114 "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION)); 233 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
115 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 234 warnings.clear();
116 "default-src 'self' https://*.*.google.com:*/", 235
117 Manifest::TYPE_EXTENSION)); 236 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
118 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 237 "default-src 'self' *:*", Manifest::TYPE_EXTENSION, &csp, &warnings));
119 "default-src 'self' https://www.*.google.com/", 238 EXPECT_EQ("default-src 'self';", csp);
120 Manifest::TYPE_EXTENSION)); 239 EXPECT_EQ(1U, warnings.size());
240 EXPECT_EQ(InsecureValueWarning("default-src", "*:*"), warnings[0].message);
241 warnings.clear();
242
243 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
244 "default-src 'self' *:*/", Manifest::TYPE_EXTENSION, &csp, &warnings));
245 EXPECT_EQ("default-src 'self';", csp);
246 EXPECT_EQ(1U, warnings.size());
247 EXPECT_EQ(InsecureValueWarning("default-src", "*:*/"), warnings[0].message);
248 warnings.clear();
249
250 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
251 "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION, &csp,
252 &warnings));
253 EXPECT_EQ("default-src 'self';", csp);
254 EXPECT_EQ(1U, warnings.size());
255 EXPECT_EQ(InsecureValueWarning("default-src", "*:*/path"),
256 warnings[0].message);
257 warnings.clear();
258
259 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
260 "default-src 'self' https://", Manifest::TYPE_EXTENSION, &csp,
261 &warnings));
262 EXPECT_EQ("default-src 'self';", csp);
263 EXPECT_EQ(1U, warnings.size());
264 EXPECT_EQ(InsecureValueWarning("default-src", "https://"),
265 warnings[0].message);
266 warnings.clear();
267
268 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
269 "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION, &csp,
270 &warnings));
271 EXPECT_EQ("default-src 'self';", csp);
272 EXPECT_EQ(1U, warnings.size());
273 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*"),
274 warnings[0].message);
275 warnings.clear();
276
277 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
278 "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION, &csp,
279 &warnings));
280 EXPECT_EQ("default-src 'self';", csp);
281 EXPECT_EQ(1U, warnings.size());
282 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/"),
283 warnings[0].message);
284 warnings.clear();
285
286 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
287 "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION, &csp,
288 &warnings));
289 EXPECT_EQ("default-src 'self';", csp);
290 EXPECT_EQ(1U, warnings.size());
291 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/path"),
292 warnings[0].message);
293 warnings.clear();
294
295 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
296 "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION, &csp,
297 &warnings));
298 EXPECT_EQ("default-src 'self';", csp);
299 EXPECT_EQ(1U, warnings.size());
300 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.com"),
301 warnings[0].message);
302 warnings.clear();
303
304 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
305 "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION,
306 &csp, &warnings));
307 EXPECT_EQ("default-src 'self';", csp);
308 EXPECT_EQ(1U, warnings.size());
309 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com/"),
310 warnings[0].message);
311 warnings.clear();
312
313 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
314 "default-src 'self' https://*.*.google.com:*/", Manifest::TYPE_EXTENSION,
315 &csp, &warnings));
316 EXPECT_EQ("default-src 'self';", csp);
317 EXPECT_EQ(1U, warnings.size());
318 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com:*/"),
319 warnings[0].message);
320 warnings.clear();
321
322 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
323 "default-src 'self' https://www.*.google.com/", Manifest::TYPE_EXTENSION,
324 &csp, &warnings));
325 EXPECT_EQ("default-src 'self';", csp);
326 EXPECT_EQ(1U, warnings.size());
327 EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com/"),
328 warnings[0].message);
329 warnings.clear();
330
121 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 331 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
122 "default-src 'self' https://www.*.google.com:*/", 332 "default-src 'self' https://www.*.google.com:*/",
123 Manifest::TYPE_EXTENSION)); 333 Manifest::TYPE_EXTENSION, &csp, &warnings));
124 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 334 EXPECT_EQ("default-src 'self';", csp);
125 "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION)); 335 EXPECT_EQ(1U, warnings.size());
126 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 336 EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com:*/"),
127 "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION)); 337 warnings[0].message);
128 338 warnings.clear();
129 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 339
130 "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION)); 340 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
131 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 341 "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION, &csp,
132 "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION)); 342 &warnings));
133 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 343 EXPECT_EQ("default-src 'self';", csp);
134 "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION)); 344 EXPECT_EQ(1U, warnings.size());
135 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 345 EXPECT_EQ(InsecureValueWarning("default-src", "chrome://*"),
136 "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION)); 346 warnings[0].message);
137 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 347 warnings.clear();
138 "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION)); 348
139 349 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
140 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 350 "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION, &csp,
141 "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION)); 351 &warnings));
142 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 352 EXPECT_EQ("default-src 'self';", csp);
143 "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION)); 353 EXPECT_EQ(1U, warnings.size());
144 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 354 EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://*"),
145 "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION)); 355 warnings[0].message);
146 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 356 warnings.clear();
147 "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION)); 357
148 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 358 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
149 "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION)); 359 "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION, &csp,
360 &warnings));
361 EXPECT_EQ("default-src 'self';", csp);
362 EXPECT_EQ(1U, warnings.size());
363 EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://"),
364 warnings[0].message);
365 warnings.clear();
366
367 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
368 "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION,
369 NULL, NULL));
370 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
371 "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION,
372 NULL, NULL));
373 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
374 "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION,
375 NULL, NULL));
376 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
377 "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION,
378 NULL, NULL));
379 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
380 "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION,
381 NULL, NULL));
382
383 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
384 "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION, NULL,
385 NULL));
386 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
387 "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION, NULL,
388 NULL));
389 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
390 "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION, NULL,
391 NULL));
392 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
393 "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION,
394 NULL, NULL));
395 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
396 "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION,
397 NULL, NULL));
150 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 398 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
151 "default-src 'self' http://127.0.0.1.example.com", 399 "default-src 'self' http://127.0.0.1.example.com",
152 Manifest::TYPE_EXTENSION)); 400 Manifest::TYPE_EXTENSION, &csp, &warnings));
401 EXPECT_EQ("default-src 'self';", csp);
402 EXPECT_EQ(1U, warnings.size());
403 EXPECT_EQ(InsecureValueWarning("default-src", "http://127.0.0.1.example.com"),
404 warnings[0].message);
405 warnings.clear();
406
153 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 407 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
154 "default-src 'self' http://localhost.example.com", 408 "default-src 'self' http://localhost.example.com",
155 Manifest::TYPE_EXTENSION)); 409 Manifest::TYPE_EXTENSION, &csp, &warnings));
156 410 EXPECT_EQ("default-src 'self';", csp);
157 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 411 EXPECT_EQ(1U, warnings.size());
158 "default-src 'self' blob:", Manifest::TYPE_EXTENSION)); 412 EXPECT_EQ(InsecureValueWarning("default-src", "http://localhost.example.com"),
413 warnings[0].message);
414 warnings.clear();
415
416
417 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
418 "default-src 'self' blob:", Manifest::TYPE_EXTENSION, NULL, NULL));
159 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 419 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
160 "default-src 'self' blob:http://example.com/XXX", 420 "default-src 'self' blob:http://example.com/XXX",
161 Manifest::TYPE_EXTENSION)); 421 Manifest::TYPE_EXTENSION, &csp, &warnings));
162 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 422 EXPECT_EQ("default-src 'self';", csp);
163 "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION)); 423 EXPECT_EQ(1U, warnings.size());
424 EXPECT_EQ(InsecureValueWarning("default-src", "blob:http://example.com/xxx"),
425 warnings[0].message);
426 warnings.clear();
427
428 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
429 "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION, NULL, NULL));
164 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 430 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
165 "default-src 'self' filesystem:http://example.com/XXX", 431 "default-src 'self' filesystem:http://example.com/XXX",
166 Manifest::TYPE_EXTENSION)); 432 Manifest::TYPE_EXTENSION, &csp, &warnings));
167 433 EXPECT_EQ("default-src 'self';", csp);
168 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 434 EXPECT_EQ(1U, warnings.size());
169 "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION)); 435 EXPECT_EQ(InsecureValueWarning("default-src",
170 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 436 "filesystem:http://example.com/xxx"),
171 "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION)); 437 warnings[0].message);
172 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension 438 warnings.clear();
173 // authors have been using this string anyway, so we cannot refuse this string 439
174 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 440
175 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 441 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
176 "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION)); 442 "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION,
443 NULL, NULL));
444 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
445 "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION,
446 NULL, NULL));
177 } 447 }
178 448
179 TEST(ExtensionCSPValidator, IsSandboxed) { 449 TEST(ExtensionCSPValidator, IsSandboxed) {
180 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), 450 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
181 Manifest::TYPE_EXTENSION)); 451 Manifest::TYPE_EXTENSION));
182 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", 452 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
183 Manifest::TYPE_EXTENSION)); 453 Manifest::TYPE_EXTENSION));
184 454
185 // Sandbox directive is required. 455 // Sandbox directive is required.
186 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 456 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
202 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); 472 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION));
203 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( 473 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
204 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); 474 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP));
205 475
206 // Popups are OK. 476 // Popups are OK.
207 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 477 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
208 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); 478 "sandbox allow-popups", Manifest::TYPE_EXTENSION));
209 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 479 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
210 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); 480 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP));
211 } 481 }
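Review bot: The comment at new line 120 (`// No warning about "object-src *" because it comes after "object-src 'self'".`) names a directive that does not occur in the policy under test; the input is `default-src 'self'; default-src *; script-src *; script-src 'self'` and the value that is stripped without a warning is the second `default-src *`, so the comment should read `// No warning about "default-src *" because it comes after "default-src 'self'".` The new code at new line 47 introduces `std::vector<InstallWarning>` and the file uses `std::string` throughout, yet the include block at new lines 5-9 has neither `#include <string>` nor `#include <vector>`; add both instead of relying on transitive includes from csp_validator.h. The anonymous namespace is closed with `}; // namespace` at new line 31, where the trailing semicolon is an empty declaration that some warning levels flag; `}  // namespace` is enough. At new line 424 the expected warning value is `blob:http://example.com/xxx` while the policy passed in uses uppercase `XXX` (same at new line 436), which suggests the validator lowercases the source before reporting it; if that is intended, a one-line comment such as `// Source values are reported lowercased.` would stop readers from taking it for a typo.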