| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
| 6 #include "extensions/common/error_utils.h" |
| 7 #include "extensions/common/install_warning.h" |
| 8 #include "extensions/common/manifest_constants.h" |
| 6 #include "testing/gtest/include/gtest/gtest.h" | 9 #include "testing/gtest/include/gtest/gtest.h" |
| 7 | 10 |
| 8 using extensions::csp_validator::ContentSecurityPolicyIsLegal; | 11 using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
| 9 using extensions::csp_validator::ContentSecurityPolicyIsSecure; | 12 using extensions::csp_validator::ContentSecurityPolicyIsSecure; |
| 10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; | 13 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
| 11 using extensions::csp_validator::OPTIONS_NONE; | 14 using extensions::csp_validator::OPTIONS_NONE; |
| 12 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; | 15 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; |
| 13 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; | 16 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; |
| 17 using extensions::ErrorUtils; |
| 18 using extensions::InstallWarning; |
| 14 using extensions::Manifest; | 19 using extensions::Manifest; |
| 15 | 20 |
| 21 namespace { |
| 22 |
| 23 std::string InsecureValueWarning(const std::string& directive, |
| 24 const std::string& value) { |
| 25 return ErrorUtils::FormatErrorMessage( |
| 26 extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive); |
| 27 } |
| 28 |
| 29 std::string MissingSecureSrcWarning(const std::string& directive) { |
| 30 return ErrorUtils::FormatErrorMessage( |
| 31 extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive); |
| 32 } |
| 33 |
| 34 }; // namespace |
| 35 |
| 16 TEST(ExtensionCSPValidator, IsLegal) { | 36 TEST(ExtensionCSPValidator, IsLegal) { |
| 17 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); | 37 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); |
| 18 EXPECT_TRUE(ContentSecurityPolicyIsLegal( | 38 EXPECT_TRUE(ContentSecurityPolicyIsLegal( |
| 19 "default-src 'self'; script-src http://www.google.com")); | 39 "default-src 'self'; script-src http://www.google.com")); |
| 20 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 40 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 21 "default-src 'self';\nscript-src http://www.google.com")); | 41 "default-src 'self';\nscript-src http://www.google.com")); |
| 22 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 42 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 23 "default-src 'self';\rscript-src http://www.google.com")); | 43 "default-src 'self';\rscript-src http://www.google.com")); |
| 24 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 44 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 25 "default-src 'self';,script-src http://www.google.com")); | 45 "default-src 'self';,script-src http://www.google.com")); |
| 26 } | 46 } |
| 27 | 47 |
| 28 TEST(ExtensionCSPValidator, IsSecure) { | 48 TEST(ExtensionCSPValidator, IsSecure) { |
| 29 EXPECT_FALSE( | 49 std::string csp; |
| 30 ContentSecurityPolicyIsSecure(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL)); | 50 std::vector<InstallWarning> warnings; |
| 31 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", | 51 |
| 32 OPTIONS_ALLOW_UNSAFE_EVAL)); | 52 warnings.push_back(InstallWarning("should not be removed")); |
| 33 | 53 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 34 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 54 std::string(), OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 35 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL)); | 55 EXPECT_EQ("script-src 'self' chrome-extension-resource:; object-src 'self';", |
| 36 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 56 csp); |
| 37 "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); | 57 EXPECT_EQ(3U, warnings.size()); |
| 38 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 58 // ContentSecurityPolicyIsSecure should append (not replace) warnings. |
| 39 "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL)); | 59 EXPECT_EQ("should not be removed", warnings[0].message); |
| 40 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 60 EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[1].message); |
| 41 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); | 61 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message); |
| 42 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 62 warnings.clear(); |
| 43 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); | 63 |
| 44 | 64 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 45 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 65 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 46 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); | 66 &warnings)); |
| 47 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 67 EXPECT_EQ("img-src https://google.com; script-src 'self'" |
| 48 "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL)); | 68 " chrome-extension-resource:; object-src 'self';", csp); |
| 69 EXPECT_EQ(2U, warnings.size()); |
| 70 EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[0].message); |
| 71 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[1].message); |
| 72 warnings.clear(); |
| 73 |
| 74 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 75 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 76 EXPECT_EQ("script-src; object-src 'self';", csp); |
| 77 EXPECT_EQ(3U, warnings.size()); |
| 78 EXPECT_EQ(InsecureValueWarning("script-src", "a"), warnings[0].message); |
| 79 EXPECT_EQ(InsecureValueWarning("script-src", "b"), warnings[1].message); |
| 80 EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message); |
| 81 warnings.clear(); |
| 82 |
| 83 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 84 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 85 EXPECT_EQ("default-src;", csp); |
| 86 EXPECT_EQ(1U, warnings.size()); |
| 87 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message); |
| 88 warnings.clear(); |
| 89 |
| 90 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 91 "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 92 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 93 "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 94 |
| 95 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 96 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 97 &warnings)); |
| 98 EXPECT_EQ("default-src 'self';", csp); |
| 99 EXPECT_EQ(1U, warnings.size()); |
| 100 EXPECT_EQ(InsecureValueWarning("default-src", "ftp://google.com"), |
| 101 warnings[0].message); |
| 102 warnings.clear(); |
| 103 |
| 104 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 105 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, |
| 106 NULL)); |
| 107 |
| 108 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 109 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 110 &warnings)); |
| 111 EXPECT_EQ("default-src; default-src 'self';", csp); |
| 112 EXPECT_EQ(1U, warnings.size()); |
| 113 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message); |
| 114 warnings.clear(); |
| 115 |
| 116 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 117 "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, |
| 118 NULL)); |
| 49 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 119 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 50 "default-src 'self'; default-src *; script-src *; script-src 'self'", | 120 "default-src 'self'; default-src *; script-src *; script-src 'self'", |
| 51 OPTIONS_ALLOW_UNSAFE_EVAL)); | 121 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 122 EXPECT_EQ("default-src 'self'; default-src; script-src; script-src 'self';", |
| 123 csp); |
| 124 // No warning about "object-src *" because it comes after "object-src 'self'". |
| 125 EXPECT_EQ(1U, warnings.size()); |
| 126 EXPECT_EQ(InsecureValueWarning("script-src", "*"), warnings[0].message); |
| 127 warnings.clear(); |
| 128 |
| 52 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 129 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 53 "default-src 'self'; default-src *; script-src 'self'; script-src *", | 130 "default-src 'self'; default-src *; script-src 'self'; script-src *", |
| 54 OPTIONS_ALLOW_UNSAFE_EVAL)); | 131 OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 55 | 132 |
| 56 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 133 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 57 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); | 134 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 135 &warnings)); |
| 136 EXPECT_EQ("default-src; script-src 'self';", csp); |
| 137 EXPECT_EQ(1U, warnings.size()); |
| 138 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message); |
| 139 warnings.clear(); |
| 140 |
| 58 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 141 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 59 "default-src *; script-src 'self'; img-src 'self'", | 142 "default-src *; script-src 'self'; img-src 'self'", |
| 60 OPTIONS_ALLOW_UNSAFE_EVAL)); | 143 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 144 EXPECT_EQ("default-src; script-src 'self'; img-src 'self';", csp); |
| 145 EXPECT_EQ(1U, warnings.size()); |
| 146 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message); |
| 147 warnings.clear(); |
| 148 |
| 61 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 149 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 62 "default-src *; script-src 'self'; object-src 'self'", | 150 "default-src *; script-src 'self'; object-src 'self'", |
| 63 OPTIONS_ALLOW_UNSAFE_EVAL)); | 151 OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 64 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 152 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 65 "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); | 153 "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, |
| 66 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 154 NULL)); |
| 67 "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL)); | 155 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 68 | 156 "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 69 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 157 |
| 70 "default-src 'unsafe-eval'", OPTIONS_NONE)); | 158 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 71 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 159 "default-src 'unsafe-eval'", OPTIONS_NONE, &csp, &warnings)); |
| 72 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL)); | 160 EXPECT_EQ("default-src;", csp); |
| 73 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 161 EXPECT_EQ(1U, warnings.size()); |
| 74 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL)); | 162 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-eval'"), |
| 75 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 163 warnings[0].message); |
| 76 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); | 164 warnings.clear(); |
| 77 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 165 |
| 78 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); | 166 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 79 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 167 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 80 "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL)); | 168 &warnings)); |
| 169 EXPECT_EQ("default-src;", csp); |
| 170 EXPECT_EQ(1U, warnings.size()); |
| 171 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"), |
| 172 warnings[0].message); |
| 173 warnings.clear(); |
| 174 |
| 175 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 176 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 177 &warnings)); |
| 178 EXPECT_EQ("default-src 'none';", csp); |
| 179 EXPECT_EQ(1U, warnings.size()); |
| 180 EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"), |
| 181 warnings[0].message); |
| 182 warnings.clear(); |
| 183 |
| 184 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 185 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 186 &warnings)); |
| 187 EXPECT_EQ("default-src 'self';", csp); |
| 188 EXPECT_EQ(1U, warnings.size()); |
| 189 EXPECT_EQ(InsecureValueWarning("default-src", "http://google.com"), |
| 190 warnings[0].message); |
| 191 warnings.clear(); |
| 192 |
| 193 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 194 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, |
| 195 NULL)); |
| 196 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 197 "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, |
| 198 NULL)); |
| 81 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 199 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 82 "default-src 'self' chrome-extension://aabbcc", | 200 "default-src 'self' chrome-extension://aabbcc", |
| 83 OPTIONS_ALLOW_UNSAFE_EVAL)); | 201 OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 84 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 202 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 85 "default-src 'self' chrome-extension-resource://aabbcc", | 203 "default-src 'self' chrome-extension-resource://aabbcc", |
| 86 OPTIONS_ALLOW_UNSAFE_EVAL)); | 204 OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 87 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 205 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 88 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL)); | 206 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 89 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 207 EXPECT_EQ("default-src 'self';", csp); |
| 90 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL)); | 208 EXPECT_EQ(1U, warnings.size()); |
| 91 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 209 EXPECT_EQ(InsecureValueWarning("default-src", "https:"), warnings[0].message); |
| 92 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); | 210 warnings.clear(); |
| 93 | 211 |
| 94 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 212 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 95 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL)); | 213 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 96 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 214 EXPECT_EQ("default-src 'self';", csp); |
| 97 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL)); | 215 EXPECT_EQ(1U, warnings.size()); |
| 98 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 216 EXPECT_EQ(InsecureValueWarning("default-src", "http:"), warnings[0].message); |
| 99 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); | 217 warnings.clear(); |
| 100 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 218 |
| 101 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL)); | 219 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 102 // "https://" is an invalid CSP, so it will be ignored by Blink. | 220 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 103 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed. | 221 &warnings)); |
| 104 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 222 EXPECT_EQ("default-src 'self';", csp); |
| 105 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL)); | 223 EXPECT_EQ(1U, warnings.size()); |
| 106 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 224 EXPECT_EQ(InsecureValueWarning("default-src", "google.com"), |
| 107 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL)); | 225 warnings[0].message); |
| 108 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 226 warnings.clear(); |
| 109 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); | 227 |
| 110 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 228 |
| 111 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL)); | 229 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 112 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 230 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 113 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL)); | 231 EXPECT_EQ("default-src 'self';", csp); |
| 114 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 232 EXPECT_EQ(1U, warnings.size()); |
| 115 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL)); | 233 EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message); |
| 116 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 234 warnings.clear(); |
| 117 "default-src 'self' https://*.*.google.com:*/", | 235 |
| 118 OPTIONS_ALLOW_UNSAFE_EVAL)); | 236 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 119 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 237 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 120 "default-src 'self' https://www.*.google.com/", | 238 EXPECT_EQ("default-src 'self';", csp); |
| 121 OPTIONS_ALLOW_UNSAFE_EVAL)); | 239 EXPECT_EQ(1U, warnings.size()); |
| 240 EXPECT_EQ(InsecureValueWarning("default-src", "*:*"), warnings[0].message); |
| 241 warnings.clear(); |
| 242 |
| 243 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 244 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 245 EXPECT_EQ("default-src 'self';", csp); |
| 246 EXPECT_EQ(1U, warnings.size()); |
| 247 EXPECT_EQ(InsecureValueWarning("default-src", "*:*/"), warnings[0].message); |
| 248 warnings.clear(); |
| 249 |
| 250 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 251 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 252 &warnings)); |
| 253 EXPECT_EQ("default-src 'self';", csp); |
| 254 EXPECT_EQ(1U, warnings.size()); |
| 255 EXPECT_EQ(InsecureValueWarning("default-src", "*:*/path"), |
| 256 warnings[0].message); |
| 257 warnings.clear(); |
| 258 |
| 259 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 260 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 261 &warnings)); |
| 262 EXPECT_EQ("default-src 'self';", csp); |
| 263 EXPECT_EQ(1U, warnings.size()); |
| 264 EXPECT_EQ(InsecureValueWarning("default-src", "https://"), |
| 265 warnings[0].message); |
| 266 warnings.clear(); |
| 267 |
| 268 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 269 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 270 &warnings)); |
| 271 EXPECT_EQ("default-src 'self';", csp); |
| 272 EXPECT_EQ(1U, warnings.size()); |
| 273 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*"), |
| 274 warnings[0].message); |
| 275 warnings.clear(); |
| 276 |
| 277 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 278 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 279 &warnings)); |
| 280 EXPECT_EQ("default-src 'self';", csp); |
| 281 EXPECT_EQ(1U, warnings.size()); |
| 282 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/"), |
| 283 warnings[0].message); |
| 284 warnings.clear(); |
| 285 |
| 286 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 287 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 288 &warnings)); |
| 289 EXPECT_EQ("default-src 'self';", csp); |
| 290 EXPECT_EQ(1U, warnings.size()); |
| 291 EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/path"), |
| 292 warnings[0].message); |
| 293 warnings.clear(); |
| 294 |
| 295 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 296 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 297 &warnings)); |
| 298 EXPECT_EQ("default-src 'self';", csp); |
| 299 EXPECT_EQ(1U, warnings.size()); |
| 300 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.com"), |
| 301 warnings[0].message); |
| 302 warnings.clear(); |
| 303 |
| 304 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 305 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 306 &csp, &warnings)); |
| 307 EXPECT_EQ("default-src 'self';", csp); |
| 308 EXPECT_EQ(1U, warnings.size()); |
| 309 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com/"), |
| 310 warnings[0].message); |
| 311 warnings.clear(); |
| 312 |
| 313 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 314 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 315 &csp, &warnings)); |
| 316 EXPECT_EQ("default-src 'self';", csp); |
| 317 EXPECT_EQ(1U, warnings.size()); |
| 318 EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com:*/"), |
| 319 warnings[0].message); |
| 320 warnings.clear(); |
| 321 |
| 322 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 323 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 324 &csp, &warnings)); |
| 325 EXPECT_EQ("default-src 'self';", csp); |
| 326 EXPECT_EQ(1U, warnings.size()); |
| 327 EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com/"), |
| 328 warnings[0].message); |
| 329 warnings.clear(); |
| 330 |
| 122 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 331 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 123 "default-src 'self' https://www.*.google.com:*/", | 332 "default-src 'self' https://www.*.google.com:*/", |
| 124 OPTIONS_ALLOW_UNSAFE_EVAL)); | 333 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 125 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 334 EXPECT_EQ("default-src 'self';", csp); |
| 126 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL)); | 335 EXPECT_EQ(1U, warnings.size()); |
| 127 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 336 EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com:*/"), |
| 128 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL)); | 337 warnings[0].message); |
| 129 | 338 warnings.clear(); |
| 130 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 339 |
| 131 "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); | 340 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 132 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 341 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 133 "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL)); | 342 &warnings)); |
| 134 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 343 EXPECT_EQ("default-src 'self';", csp); |
| 135 "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL)); | 344 EXPECT_EQ(1U, warnings.size()); |
| 136 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 345 EXPECT_EQ(InsecureValueWarning("default-src", "chrome://*"), |
| 137 "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL)); | 346 warnings[0].message); |
| 138 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 347 warnings.clear(); |
| 139 "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); | 348 |
| 140 | 349 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 141 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 350 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 142 "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL)); | 351 &csp, &warnings)); |
| 143 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 352 EXPECT_EQ("default-src 'self';", csp); |
| 144 "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL)); | 353 EXPECT_EQ(1U, warnings.size()); |
| 145 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 354 EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://*"), |
| 146 "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL)); | 355 warnings[0].message); |
| 147 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 356 warnings.clear(); |
| 148 "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL)); | 357 |
| 149 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 358 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 150 "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL)); | 359 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, |
| 360 &warnings)); |
| 361 EXPECT_EQ("default-src 'self';", csp); |
| 362 EXPECT_EQ(1U, warnings.size()); |
| 363 EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://"), |
| 364 warnings[0].message); |
| 365 warnings.clear(); |
| 366 |
| 367 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 368 "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 369 NULL, NULL)); |
| 370 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 371 "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 372 NULL, NULL)); |
| 373 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 374 "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 375 NULL, NULL)); |
| 376 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 377 "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 378 NULL, NULL)); |
| 379 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 380 "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 381 NULL, NULL)); |
| 382 |
| 383 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 384 "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, |
| 385 NULL)); |
| 386 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 387 "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, |
| 388 NULL)); |
| 389 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 390 "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, |
| 391 NULL)); |
| 392 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 393 "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 394 NULL, NULL)); |
| 395 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 396 "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 397 NULL, NULL)); |
| 151 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 398 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 152 "default-src 'self' http://127.0.0.1.example.com", | 399 "default-src 'self' http://127.0.0.1.example.com", |
| 153 OPTIONS_ALLOW_UNSAFE_EVAL)); | 400 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 401 EXPECT_EQ("default-src 'self';", csp); |
| 402 EXPECT_EQ(1U, warnings.size()); |
| 403 EXPECT_EQ(InsecureValueWarning("default-src", "http://127.0.0.1.example.com"), |
| 404 warnings[0].message); |
| 405 warnings.clear(); |
| 406 |
| 154 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 407 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 155 "default-src 'self' http://localhost.example.com", | 408 "default-src 'self' http://localhost.example.com", |
| 156 OPTIONS_ALLOW_UNSAFE_EVAL)); | 409 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 157 | 410 EXPECT_EQ("default-src 'self';", csp); |
| 158 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 411 EXPECT_EQ(1U, warnings.size()); |
| 159 "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL)); | 412 EXPECT_EQ(InsecureValueWarning("default-src", "http://localhost.example.com"), |
| 413 warnings[0].message); |
| 414 warnings.clear(); |
| 415 |
| 416 |
| 417 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 418 "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 160 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 419 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 161 "default-src 'self' blob:http://example.com/XXX", | 420 "default-src 'self' blob:http://example.com/XXX", |
| 162 OPTIONS_ALLOW_UNSAFE_EVAL)); | 421 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 163 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 422 EXPECT_EQ("default-src 'self';", csp); |
| 164 "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL)); | 423 EXPECT_EQ(1U, warnings.size()); |
| 424 EXPECT_EQ(InsecureValueWarning("default-src", "blob:http://example.com/xxx"), |
| 425 warnings[0].message); |
| 426 warnings.clear(); |
| 427 |
| 428 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 429 "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL)); |
| 165 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 430 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 166 "default-src 'self' filesystem:http://example.com/XXX", | 431 "default-src 'self' filesystem:http://example.com/XXX", |
| 167 OPTIONS_ALLOW_UNSAFE_EVAL)); | 432 OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings)); |
| 168 | 433 EXPECT_EQ("default-src 'self';", csp); |
| 169 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 434 EXPECT_EQ(1U, warnings.size()); |
| 170 "default-src 'self' https://*.googleapis.com", | 435 EXPECT_EQ(InsecureValueWarning("default-src", |
| 171 OPTIONS_ALLOW_UNSAFE_EVAL)); | 436 "filesystem:http://example.com/xxx"), |
| 172 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 437 warnings[0].message); |
| 173 "default-src 'self' https://x.googleapis.com", | 438 warnings.clear(); |
| 174 OPTIONS_ALLOW_UNSAFE_EVAL)); | 439 |
| 175 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension | 440 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 176 // authors have been using this string anyway, so we cannot refuse this string | 441 "default-src 'self' https://*.googleapis.com", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 177 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 | 442 NULL, NULL)); |
| 178 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 443 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 179 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL)); | 444 "default-src 'self' https://x.googleapis.com", OPTIONS_ALLOW_UNSAFE_EVAL, |
| 180 | 445 NULL, NULL)); |
| 181 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 446 |
| 182 "script-src 'self'; object-src *", OPTIONS_NONE)); | 447 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 183 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 448 "script-src 'self'; object-src *", OPTIONS_NONE, &csp, &warnings)); |
| 184 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 449 EXPECT_EQ("script-src 'self'; object-src;", csp); |
| 450 EXPECT_EQ(1U, warnings.size()); |
| 451 EXPECT_EQ(InsecureValueWarning("object-src", "*"), warnings[0].message); |
| 452 warnings.clear(); |
| 453 |
| 454 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 455 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, |
| 456 NULL)); |
| 185 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 457 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 186 "script-src 'self'; object-src http://www.example.com", | 458 "script-src 'self'; object-src http://www.example.com", |
| 187 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 459 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL)); |
| 188 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 460 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 189 "object-src http://www.example.com blob:; script-src 'self'", | 461 "object-src http://www.example.com blob:; script-src 'self'", |
| 190 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 462 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL)); |
| 191 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 463 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 192 "script-src 'self'; object-src http://*.example.com", | 464 "script-src 'self'; object-src http://*.example.com", |
| 193 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 465 OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL)); |
| 194 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 466 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 195 "script-src *; object-src *;", OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); | 467 "script-src *; object-src *;", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, &csp, |
| 468 &warnings)); |
| 469 EXPECT_EQ("script-src; object-src *;", csp); |
| 470 EXPECT_EQ(1U, warnings.size()); |
| 471 EXPECT_EQ(InsecureValueWarning("script-src", "*"), warnings[0].message); |
| 472 warnings.clear(); |
| 196 } | 473 } |
| 197 | 474 |
| 198 TEST(ExtensionCSPValidator, IsSandboxed) { | 475 TEST(ExtensionCSPValidator, IsSandboxed) { |
| 199 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), | 476 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), |
| 200 Manifest::TYPE_EXTENSION)); | 477 Manifest::TYPE_EXTENSION)); |
| 201 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", | 478 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", |
| 202 Manifest::TYPE_EXTENSION)); | 479 Manifest::TYPE_EXTENSION)); |
| 203 | 480 |
| 204 // Sandbox directive is required. | 481 // Sandbox directive is required. |
| 205 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 482 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 221 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); | 498 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); |
| 222 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( | 499 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( |
| 223 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); | 500 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); |
| 224 | 501 |
| 225 // Popups are OK. | 502 // Popups are OK. |
| 226 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 503 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 227 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); | 504 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); |
| 228 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 505 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 229 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); | 506 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
| 230 } | 507 } |
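Review bot: The new comment above the `default-src 'self'; default-src *; script-src *; script-src 'self'` case names the wrong directive: that policy contains no object-src at all, so it should read `// No warning about "default-src *" because it comes after "default-src 'self'".` (the `script-src *` is warned because it is the first script-src occurrence). Throughout IsSecure each `EXPECT_EQ(1U, warnings.size());` is followed by an unchecked `warnings[0].message`, so a failing count expectation on an empty vector turns into an out-of-bounds read instead of a clean failure; `ASSERT_EQ(1U, warnings.size());` (and `ASSERT_EQ(3U, …)` before `warnings[2]`) keeps the test from running past a bad size. The new code also introduces `std::string` and `std::vector` usage but the include block adds neither `<string>` nor `<vector>`. The expected messages for the `blob:http://example.com/XXX` and `filesystem:http://example.com/XXX` inputs spell the value `xxx`; if that reflects the validator lower-casing source values before reporting, a comment such as `// The validator reports the lower-cased value.` would keep it from reading as a typo, and if not, the expectation is wrong. Finally, `}; // namespace` carries a stray semicolon after the closing brace.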