
Side by Side Diff: extensions/common/csp_validator_unittest.cc

Issue 747403002: Ignore insecure parts of CSP in extensions and allow extension to load (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 6 years ago
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "extensions/common/csp_validator.h" 5 #include "extensions/common/csp_validator.h"
6 #include "extensions/common/error_utils.h"
7 #include "extensions/common/install_warning.h"
8 #include "extensions/common/manifest_constants.h"
6 #include "testing/gtest/include/gtest/gtest.h" 9 #include "testing/gtest/include/gtest/gtest.h"
7 10
8 using extensions::csp_validator::ContentSecurityPolicyIsLegal; 11 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
9 using extensions::csp_validator::ContentSecurityPolicyIsSecure; 12 using extensions::csp_validator::ContentSecurityPolicyIsSecure;
10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; 13 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
11 using extensions::csp_validator::OPTIONS_NONE; 14 using extensions::csp_validator::OPTIONS_NONE;
12 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; 15 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
13 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; 16 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC;
17 using extensions::ErrorUtils;
18 using extensions::InstallWarning;
14 using extensions::Manifest; 19 using extensions::Manifest;
15 20
21 namespace {
22
23 std::string InsecureValueWarning(const std::string& directive,
24 const std::string& value) {
25 return ErrorUtils::FormatErrorMessage(
26 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive);
27 }
28
29 std::string MissingSecureSrcWarning(const std::string& directive) {
30 return ErrorUtils::FormatErrorMessage(
31 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive);
32 }
33
34 }; // namespace
35
16 TEST(ExtensionCSPValidator, IsLegal) { 36 TEST(ExtensionCSPValidator, IsLegal) {
17 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); 37 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
18 EXPECT_TRUE(ContentSecurityPolicyIsLegal( 38 EXPECT_TRUE(ContentSecurityPolicyIsLegal(
19 "default-src 'self'; script-src http://www.google.com")); 39 "default-src 'self'; script-src http://www.google.com"));
20 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 40 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
21 "default-src 'self';\nscript-src http://www.google.com")); 41 "default-src 'self';\nscript-src http://www.google.com"));
22 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 42 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
23 "default-src 'self';\rscript-src http://www.google.com")); 43 "default-src 'self';\rscript-src http://www.google.com"));
24 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 44 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
25 "default-src 'self';,script-src http://www.google.com")); 45 "default-src 'self';,script-src http://www.google.com"));
26 } 46 }
27 47
28 TEST(ExtensionCSPValidator, IsSecure) { 48 TEST(ExtensionCSPValidator, IsSecure) {
29 EXPECT_FALSE( 49 std::string csp;
30 ContentSecurityPolicyIsSecure(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL)); 50 std::vector<InstallWarning> warnings;
31 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", 51
32 OPTIONS_ALLOW_UNSAFE_EVAL)); 52 warnings.push_back(InstallWarning("should not be removed"));
33 53 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
34 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 54 std::string(), OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
35 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL)); 55 EXPECT_EQ("script-src 'self' chrome-extension-resource:; object-src 'self';",
36 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 56 csp);
37 "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); 57 EXPECT_EQ(3U, warnings.size());
38 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 58 // ContentSecurityPolicyIsSecure should append (not replace) warnings.
39 "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL)); 59 EXPECT_EQ("should not be removed", warnings[0].message);
40 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 60 EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[1].message);
41 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); 61 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message);
42 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 62 warnings.clear();
43 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); 63
44 64 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
45 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 65 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
46 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); 66 &warnings));
47 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 67 EXPECT_EQ("img-src https://google.com; script-src 'self'"
48 "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL)); 68 " chrome-extension-resource:; object-src 'self';", csp);
69 EXPECT_EQ(2U, warnings.size());
70 EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[0].message);
71 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[1].message);
72 warnings.clear();
73
74 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
75 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
76 EXPECT_EQ("script-src; object-src 'self';", csp);
77 EXPECT_EQ(3U, warnings.size());
78 EXPECT_EQ(InsecureValueWarning("script-src", "a"), warnings[0].message);
79 EXPECT_EQ(InsecureValueWarning("script-src", "b"), warnings[1].message);
80 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message);
not at google - send to devlin 2014/12/01 19:19:31 Some helper functions would help all throughout th
81 warnings.clear();
82
83 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
84 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
85 EXPECT_EQ("default-src;", csp);
86 EXPECT_EQ(1U, warnings.size());
87 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
88 warnings.clear();
89
90 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
91 "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
92 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
93 "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
94
95 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
96 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
97 &warnings));
98 EXPECT_EQ("default-src 'self';", csp);
99 EXPECT_EQ(1U, warnings.size());
100 EXPECT_EQ(InsecureValueWarning("default-src", "ftp://google.com"),
101 warnings[0].message);
102 warnings.clear();
103
104 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
105 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
106 NULL));
107
108 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
109 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
110 &warnings));
111 EXPECT_EQ("default-src; default-src 'self';", csp);
112 EXPECT_EQ(1U, warnings.size());
113 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
114 warnings.clear();
115
116 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
117 "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
118 NULL));
49 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 119 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
50 "default-src 'self'; default-src *; script-src *; script-src 'self'", 120 "default-src 'self'; default-src *; script-src *; script-src 'self'",
51 OPTIONS_ALLOW_UNSAFE_EVAL)); 121 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
122 EXPECT_EQ("default-src 'self'; default-src; script-src; script-src 'self';",
123 csp);
124 // No warning about "object-src *" because it comes after "object-src 'self'".
125 EXPECT_EQ(1U, warnings.size());
126 EXPECT_EQ(InsecureValueWarning("script-src", "*"), warnings[0].message);
127 warnings.clear();
128
52 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 129 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
53 "default-src 'self'; default-src *; script-src 'self'; script-src *", 130 "default-src 'self'; default-src *; script-src 'self'; script-src *",
54 OPTIONS_ALLOW_UNSAFE_EVAL)); 131 OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
55 132
56 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 133 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
57 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); 134 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
135 &warnings));
136 EXPECT_EQ("default-src; script-src 'self';", csp);
137 EXPECT_EQ(1U, warnings.size());
138 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
139 warnings.clear();
140
58 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 141 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
59 "default-src *; script-src 'self'; img-src 'self'", 142 "default-src *; script-src 'self'; img-src 'self'",
60 OPTIONS_ALLOW_UNSAFE_EVAL)); 143 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
144 EXPECT_EQ("default-src; script-src 'self'; img-src 'self';", csp);
145 EXPECT_EQ(1U, warnings.size());
146 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
147 warnings.clear();
148
61 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 149 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
62 "default-src *; script-src 'self'; object-src 'self'", 150 "default-src *; script-src 'self'; object-src 'self'",
63 OPTIONS_ALLOW_UNSAFE_EVAL)); 151 OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
64 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 152 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
65 "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); 153 "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
66 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 154 NULL));
67 "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL)); 155 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
68 156 "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
69 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 157
70 "default-src 'unsafe-eval'", OPTIONS_NONE)); 158 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
71 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 159 "default-src 'unsafe-eval'", OPTIONS_NONE, &csp, &warnings));
72 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL)); 160 EXPECT_EQ("default-src;", csp);
73 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 161 EXPECT_EQ(1U, warnings.size());
74 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL)); 162 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-eval'"),
75 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 163 warnings[0].message);
76 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); 164 warnings.clear();
77 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 165
78 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); 166 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
79 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 167 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
80 "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL)); 168 &warnings));
169 EXPECT_EQ("default-src;", csp);
170 EXPECT_EQ(1U, warnings.size());
171 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"),
172 warnings[0].message);
173 warnings.clear();
174
175 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
176 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
177 &warnings));
178 EXPECT_EQ("default-src 'none';", csp);
179 EXPECT_EQ(1U, warnings.size());
180 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"),
181 warnings[0].message);
182 warnings.clear();
183
184 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
185 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
186 &warnings));
187 EXPECT_EQ("default-src 'self';", csp);
188 EXPECT_EQ(1U, warnings.size());
189 EXPECT_EQ(InsecureValueWarning("default-src", "http://google.com"),
190 warnings[0].message);
191 warnings.clear();
192
193 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
194 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
195 NULL));
196 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
197 "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
198 NULL));
81 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 199 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
82 "default-src 'self' chrome-extension://aabbcc", 200 "default-src 'self' chrome-extension://aabbcc",
83 OPTIONS_ALLOW_UNSAFE_EVAL)); 201 OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
84 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 202 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
85 "default-src 'self' chrome-extension-resource://aabbcc", 203 "default-src 'self' chrome-extension-resource://aabbcc",
86 OPTIONS_ALLOW_UNSAFE_EVAL)); 204 OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
87 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 205 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
88 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL)); 206 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
89 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 207 EXPECT_EQ("default-src 'self';", csp);
90 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL)); 208 EXPECT_EQ(1U, warnings.size());
91 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 209 EXPECT_EQ(InsecureValueWarning("default-src", "https:"), warnings[0].message);
92 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); 210 warnings.clear();
93 211
94 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 212 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
95 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL)); 213 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
96 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 214 EXPECT_EQ("default-src 'self';", csp);
97 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL)); 215 EXPECT_EQ(1U, warnings.size());
98 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 216 EXPECT_EQ(InsecureValueWarning("default-src", "http:"), warnings[0].message);
99 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); 217 warnings.clear();
100 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 218
101 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL)); 219 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
102 // "https://" is an invalid CSP, so it will be ignored by Blink. 220 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
103 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed. 221 &warnings));
104 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 222 EXPECT_EQ("default-src 'self';", csp);
105 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL)); 223 EXPECT_EQ(1U, warnings.size());
106 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 224 EXPECT_EQ(InsecureValueWarning("default-src", "google.com"),
107 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL)); 225 warnings[0].message);
108 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 226 warnings.clear();
109 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); 227
110 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 228
111 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL)); 229 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
112 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 230 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
113 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL)); 231 EXPECT_EQ("default-src 'self';", csp);
114 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 232 EXPECT_EQ(1U, warnings.size());
115 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL)); 233 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
116 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 234 warnings.clear();
117 "default-src 'self' https://*.*.google.com:*/", 235
118 OPTIONS_ALLOW_UNSAFE_EVAL)); 236 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
119 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 237 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
120 "default-src 'self' https://www.*.google.com/", 238 EXPECT_EQ("default-src 'self';", csp);
121 OPTIONS_ALLOW_UNSAFE_EVAL)); 239 EXPECT_EQ(1U, warnings.size());
240 EXPECT_EQ(InsecureValueWarning("default-src", "*:*"), warnings[0].message);
241 warnings.clear();
242
243 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
244 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
245 EXPECT_EQ("default-src 'self';", csp);
246 EXPECT_EQ(1U, warnings.size());
247 EXPECT_EQ(InsecureValueWarning("default-src", "*:*/"), warnings[0].message);
248 warnings.clear();
249
250 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
251 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
252 &warnings));
253 EXPECT_EQ("default-src 'self';", csp);
254 EXPECT_EQ(1U, warnings.size());
255 EXPECT_EQ(InsecureValueWarning("default-src", "*:*/path"),
256 warnings[0].message);
257 warnings.clear();
258
259 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
260 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
261 &warnings));
262 EXPECT_EQ("default-src 'self';", csp);
263 EXPECT_EQ(1U, warnings.size());
264 EXPECT_EQ(InsecureValueWarning("default-src", "https://"),
265 warnings[0].message);
266 warnings.clear();
267
268 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
269 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
270 &warnings));
271 EXPECT_EQ("default-src 'self';", csp);
272 EXPECT_EQ(1U, warnings.size());
273 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*"),
274 warnings[0].message);
275 warnings.clear();
276
277 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
278 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
279 &warnings));
280 EXPECT_EQ("default-src 'self';", csp);
281 EXPECT_EQ(1U, warnings.size());
282 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/"),
283 warnings[0].message);
284 warnings.clear();
285
286 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
287 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
288 &warnings));
289 EXPECT_EQ("default-src 'self';", csp);
290 EXPECT_EQ(1U, warnings.size());
291 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/path"),
292 warnings[0].message);
293 warnings.clear();
294
295 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
296 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
297 &warnings));
298 EXPECT_EQ("default-src 'self';", csp);
299 EXPECT_EQ(1U, warnings.size());
300 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.com"),
301 warnings[0].message);
302 warnings.clear();
303
304 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
305 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL,
306 &csp, &warnings));
307 EXPECT_EQ("default-src 'self';", csp);
308 EXPECT_EQ(1U, warnings.size());
309 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com/"),
310 warnings[0].message);
311 warnings.clear();
312
313 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
314 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
315 &csp, &warnings));
316 EXPECT_EQ("default-src 'self';", csp);
317 EXPECT_EQ(1U, warnings.size());
318 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com:*/"),
319 warnings[0].message);
320 warnings.clear();
321
322 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
323 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL,
324 &csp, &warnings));
325 EXPECT_EQ("default-src 'self';", csp);
326 EXPECT_EQ(1U, warnings.size());
327 EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com/"),
328 warnings[0].message);
329 warnings.clear();
330
122 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 331 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
123 "default-src 'self' https://www.*.google.com:*/", 332 "default-src 'self' https://www.*.google.com:*/",
124 OPTIONS_ALLOW_UNSAFE_EVAL)); 333 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
125 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 334 EXPECT_EQ("default-src 'self';", csp);
126 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL)); 335 EXPECT_EQ(1U, warnings.size());
127 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 336 EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com:*/"),
128 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL)); 337 warnings[0].message);
129 338 warnings.clear();
130 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 339
131 "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); 340 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
132 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 341 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
133 "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL)); 342 &warnings));
134 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 343 EXPECT_EQ("default-src 'self';", csp);
135 "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL)); 344 EXPECT_EQ(1U, warnings.size());
136 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 345 EXPECT_EQ(InsecureValueWarning("default-src", "chrome://*"),
137 "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL)); 346 warnings[0].message);
138 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 347 warnings.clear();
139 "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); 348
140 349 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
141 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 350 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL,
142 "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL)); 351 &csp, &warnings));
143 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 352 EXPECT_EQ("default-src 'self';", csp);
144 "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL)); 353 EXPECT_EQ(1U, warnings.size());
145 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 354 EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://*"),
146 "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL)); 355 warnings[0].message);
147 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 356 warnings.clear();
148 "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL)); 357
149 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 358 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
150 "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL)); 359 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
360 &warnings));
361 EXPECT_EQ("default-src 'self';", csp);
362 EXPECT_EQ(1U, warnings.size());
363 EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://"),
364 warnings[0].message);
365 warnings.clear();
366
367 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
368 "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
369 NULL, NULL));
370 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
371 "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL,
372 NULL, NULL));
373 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
374 "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL,
375 NULL, NULL));
376 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
377 "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL,
378 NULL, NULL));
379 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
380 "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
381 NULL, NULL));
382
383 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
384 "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
385 NULL));
386 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
387 "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
388 NULL));
389 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
390 "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
391 NULL));
392 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
393 "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL,
394 NULL, NULL));
395 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
396 "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL,
397 NULL, NULL));
151 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 398 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
152 "default-src 'self' http://127.0.0.1.example.com", 399 "default-src 'self' http://127.0.0.1.example.com",
153 OPTIONS_ALLOW_UNSAFE_EVAL)); 400 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
401 EXPECT_EQ("default-src 'self';", csp);
402 EXPECT_EQ(1U, warnings.size());
403 EXPECT_EQ(InsecureValueWarning("default-src", "http://127.0.0.1.example.com"),
404 warnings[0].message);
405 warnings.clear();
406
154 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 407 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
155 "default-src 'self' http://localhost.example.com", 408 "default-src 'self' http://localhost.example.com",
156 OPTIONS_ALLOW_UNSAFE_EVAL)); 409 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
157 410 EXPECT_EQ("default-src 'self';", csp);
158 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 411 EXPECT_EQ(1U, warnings.size());
159 "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL)); 412 EXPECT_EQ(InsecureValueWarning("default-src", "http://localhost.example.com"),
413 warnings[0].message);
414 warnings.clear();
415
416
417 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
418 "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
160 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 419 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
161 "default-src 'self' blob:http://example.com/XXX", 420 "default-src 'self' blob:http://example.com/XXX",
162 OPTIONS_ALLOW_UNSAFE_EVAL)); 421 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
163 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 422 EXPECT_EQ("default-src 'self';", csp);
164 "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL)); 423 EXPECT_EQ(1U, warnings.size());
424 EXPECT_EQ(InsecureValueWarning("default-src", "blob:http://example.com/xxx"),
425 warnings[0].message);
426 warnings.clear();
427
428 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
429 "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
165 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 430 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
166 "default-src 'self' filesystem:http://example.com/XXX", 431 "default-src 'self' filesystem:http://example.com/XXX",
167 OPTIONS_ALLOW_UNSAFE_EVAL)); 432 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
168 433 EXPECT_EQ("default-src 'self';", csp);
169 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 434 EXPECT_EQ(1U, warnings.size());
170 "default-src 'self' https://*.googleapis.com", 435 EXPECT_EQ(InsecureValueWarning("default-src",
171 OPTIONS_ALLOW_UNSAFE_EVAL)); 436 "filesystem:http://example.com/xxx"),
172 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 437 warnings[0].message);
173 "default-src 'self' https://x.googleapis.com", 438 warnings.clear();
174 OPTIONS_ALLOW_UNSAFE_EVAL)); 439
175 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension 440 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
176 // authors have been using this string anyway, so we cannot refuse this string 441 "default-src 'self' https://*.googleapis.com", OPTIONS_ALLOW_UNSAFE_EVAL,
177 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 442 NULL, NULL));
178 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 443 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
179 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL)); 444 "default-src 'self' https://x.googleapis.com", OPTIONS_ALLOW_UNSAFE_EVAL,
180 445 NULL, NULL));
181 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 446
182 "script-src 'self'; object-src *", OPTIONS_NONE)); 447 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
183 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 448 "script-src 'self'; object-src *", OPTIONS_NONE, &csp, &warnings));
184 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 449 EXPECT_EQ("script-src 'self'; object-src;", csp);
450 EXPECT_EQ(1U, warnings.size());
451 EXPECT_EQ(InsecureValueWarning("object-src", "*"), warnings[0].message);
452 warnings.clear();
453
454 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
455 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL,
456 NULL));
185 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 457 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
186 "script-src 'self'; object-src http://www.example.com", 458 "script-src 'self'; object-src http://www.example.com",
187 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 459 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL));
188 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 460 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
189 "object-src http://www.example.com blob:; script-src 'self'", 461 "object-src http://www.example.com blob:; script-src 'self'",
190 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 462 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL));
191 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 463 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
192 "script-src 'self'; object-src http://*.example.com", 464 "script-src 'self'; object-src http://*.example.com",
193 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 465 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL));
194 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 466 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
195 "script-src *; object-src *;", OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 467 "script-src *; object-src *;", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, &csp,
468 &warnings));
469 EXPECT_EQ("script-src; object-src *;", csp);
470 EXPECT_EQ(1U, warnings.size());
471 EXPECT_EQ(InsecureValueWarning("script-src", "*"), warnings[0].message);
472 warnings.clear();
196 } 473 }
197 474
198 TEST(ExtensionCSPValidator, IsSandboxed) { 475 TEST(ExtensionCSPValidator, IsSandboxed) {
199 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), 476 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
200 Manifest::TYPE_EXTENSION)); 477 Manifest::TYPE_EXTENSION));
201 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", 478 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
202 Manifest::TYPE_EXTENSION)); 479 Manifest::TYPE_EXTENSION));
203 480
204 // Sandbox directive is required. 481 // Sandbox directive is required.
205 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 482 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
(...skipping 15 matching lines...) Expand all
221 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); 498 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION));
222 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( 499 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
223 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); 500 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP));
224 501
225 // Popups are OK. 502 // Popups are OK.
226 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 503 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
227 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); 504 "sandbox allow-popups", Manifest::TYPE_EXTENSION));
228 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 505 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
229 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); 506 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP));
230 } 507 }
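Review bot: The comment at new line 124 does not match the policy under test: `"default-src 'self'; default-src *; script-src *; script-src 'self'"` contains no object-src directive at all, so it should read `// No warning about "default-src *" because it comes after "default-src 'self'".` — the pair of cases at new lines 108-118 shows that only the first occurrence of a directive decides the verdict, which is why the duplicate is silently stripped to `default-src;` while `script-src *`, which comes first, is the one reported. Every EXPECT_TRUE case passes NULL for both out-parameters, so the suite never pins what the sanitizer writes back on the accepting path; for example it is not checked whether the trailing `script-src *` at new line 130 survives in the rewritten policy or is dropped like the duplicate at line 122, and one accepting case with `&csp` plus an `EXPECT_EQ` on the output would catch a regression there. A minor style nit: `}; // namespace` at new line 34 carries a stray semicolon, and Chromium style is `}  // namespace`.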