| Index: extensions/common/csp_validator_unittest.cc
|
| diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
|
| index 1afa0b1a3f387f40d138e3df09215a6d7a2b9138..a9728f9d1be293ccf38895502fd296f5577d8c4b 100644
|
| --- a/extensions/common/csp_validator_unittest.cc
|
| +++ b/extensions/common/csp_validator_unittest.cc
|
| @@ -3,16 +3,112 @@
|
| // found in the LICENSE file.
|
|
|
| #include "extensions/common/csp_validator.h"
|
| +#include "extensions/common/error_utils.h"
|
| +#include "extensions/common/install_warning.h"
|
| +#include "extensions/common/manifest_constants.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
|
|
| using extensions::csp_validator::ContentSecurityPolicyIsLegal;
|
| -using extensions::csp_validator::ContentSecurityPolicyIsSecure;
|
| +using extensions::csp_validator::SanitizeContentSecurityPolicy;
|
| using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
|
| using extensions::csp_validator::OPTIONS_NONE;
|
| using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
|
| using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC;
|
| +using extensions::ErrorUtils;
|
| +using extensions::InstallWarning;
|
| using extensions::Manifest;
|
|
|
| +namespace {
|
| +
|
| +std::string InsecureValueWarning(const std::string& directive,
|
| + const std::string& value) {
|
| + return ErrorUtils::FormatErrorMessage(
|
| + extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive);
|
| +}
|
| +
|
| +std::string MissingSecureSrcWarning(const std::string& directive) {
|
| + return ErrorUtils::FormatErrorMessage(
|
| + extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive);
|
| +}
|
| +
|
| +testing::AssertionResult CheckSanitizeCSP(
|
| + const std::string& policy,
|
| + int options,
|
| + const std::string& expected_csp,
|
| + const std::vector<std::string>& expected_warnings) {
|
| + std::vector<InstallWarning> actual_warnings;
|
| + std::string actual_csp = SanitizeContentSecurityPolicy(policy,
|
| + options,
|
| + &actual_warnings);
|
| + if (actual_csp != expected_csp)
|
| + return testing::AssertionFailure()
|
| + << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n"
|
| + << "Expected CSP: " << expected_csp << "\n"
|
| + << " Actual CSP: " << actual_csp;
|
| +
|
| + if (expected_warnings.size() != actual_warnings.size()) {
|
| + testing::Message msg;
|
| + msg << "Expected " << expected_warnings.size()
|
| + << " warnings, but got " << actual_warnings.size();
|
| + for (size_t i = 0; i < actual_warnings.size(); ++i)
|
| + msg << "\nWarning " << i << " " << actual_warnings[i].message;
|
| + return testing::AssertionFailure() << msg;
|
| + }
|
| +
|
| + for (size_t i = 0; i < expected_warnings.size(); ++i) {
|
| + if (expected_warnings[i] != actual_warnings[i].message)
|
| + return testing::AssertionFailure()
|
| + << "Unexpected warning from SanitizeContentSecurityPolicy.\n"
|
| + << "Expected warning[" << i << "]: " << expected_warnings[i]
|
| + << " Actual warning[" << i << "]: " << actual_warnings[i].message;
|
| + }
|
| + return testing::AssertionSuccess();
|
| +}
|
| +
|
| +testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
|
| + int options) {
|
| + return CheckSanitizeCSP(policy, options, policy, std::vector<std::string>());
|
| +}
|
| +
|
| +testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
|
| + int options,
|
| + const std::string& expected_csp) {
|
| + std::vector<std::string> expected_warnings;
|
| + return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
|
| +}
|
| +
|
| +testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
|
| + int options,
|
| + const std::string& expected_csp,
|
| + const std::string& warning1) {
|
| + std::vector<std::string> expected_warnings(1, warning1);
|
| + return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
|
| +}
|
| +
|
| +testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
|
| + int options,
|
| + const std::string& expected_csp,
|
| + const std::string& warning1,
|
| + const std::string& warning2) {
|
| + std::vector<std::string> expected_warnings(1, warning1);
|
| + expected_warnings.push_back(warning2);
|
| + return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
|
| +}
|
| +
|
| +testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
|
| + int options,
|
| + const std::string& expected_csp,
|
| + const std::string& warning1,
|
| + const std::string& warning2,
|
| + const std::string& warning3) {
|
| + std::vector<std::string> expected_warnings(1, warning1);
|
| + expected_warnings.push_back(warning2);
|
| + expected_warnings.push_back(warning3);
|
| + return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
|
| +}
|
| +
|
| +}; // namespace
|
| +
|
| TEST(ExtensionCSPValidator, IsLegal) {
|
| EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
|
| EXPECT_TRUE(ContentSecurityPolicyIsLegal(
|
| @@ -26,188 +122,277 @@ TEST(ExtensionCSPValidator, IsLegal) {
|
| }
|
|
|
| TEST(ExtensionCSPValidator, IsSecure) {
|
| - EXPECT_FALSE(
|
| - ContentSecurityPolicyIsSecure(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| -
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| -
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self'; default-src *; script-src *; script-src 'self'",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self'; default-src *; script-src 'self'; script-src *",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + std::string(), OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "script-src 'self' chrome-extension-resource:; object-src 'self';",
|
| + MissingSecureSrcWarning("script-src"),
|
| + MissingSecureSrcWarning("object-src")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "img-src https://google.com; script-src 'self'"
|
| + " chrome-extension-resource:; object-src 'self';",
|
| + MissingSecureSrcWarning("script-src"),
|
| + MissingSecureSrcWarning("object-src")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "script-src; object-src 'self';",
|
| + InsecureValueWarning("script-src", "a"),
|
| + InsecureValueWarning("script-src", "b"),
|
| + MissingSecureSrcWarning("object-src")));
|
|
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src;",
|
| + InsecureValueWarning("default-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "ftp://google.com")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| +
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src; default-src 'self';",
|
| + InsecureValueWarning("default-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self'; default-src;"));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self'; default-src *; script-src *; script-src 'self'",
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self'; default-src; script-src; script-src 'self';",
|
| + InsecureValueWarning("script-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self'; default-src *; script-src 'self'; script-src *;",
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self'; default-src; script-src 'self'; script-src;"));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src; script-src 'self';",
|
| + InsecureValueWarning("default-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| "default-src *; script-src 'self'; img-src 'self'",
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src; script-src 'self'; img-src 'self';",
|
| + InsecureValueWarning("default-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src *; script-src 'self'; object-src 'self';",
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src; script-src 'self'; object-src 'self';"));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| +
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'unsafe-eval'", OPTIONS_NONE,
|
| + "default-src;",
|
| + InsecureValueWarning("default-src", "'unsafe-eval'")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src;",
|
| + InsecureValueWarning("default-src", "'unsafe-inline'")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'none';",
|
| + InsecureValueWarning("default-src", "'unsafe-inline'")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "http://google.com")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' chrome-extension://aabbcc;",
|
| OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src *; script-src 'self'; object-src 'self'",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| -
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-eval'", OPTIONS_NONE));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome-extension://aabbcc",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome-extension-resource://aabbcc",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| -
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - // "https://" is an invalid CSP, so it will be ignored by Blink.
|
| - // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed.
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.*.google.com:*/",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://www.*.google.com/",
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' chrome-extension-resource://aabbcc;",
|
| OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https:")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "http:")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "google.com")));
|
| +
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "*:*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "*:*/")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "*:*/path")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://*:*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://*:*/")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://*:*/path")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://*.com")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://*.*.google.com/")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://*.*.google.com:*/")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://www.*.google.com/")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| "default-src 'self' https://www.*.google.com:*/",
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "https://www.*.google.com:*/")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "chrome://*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "chrome-extension://*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "chrome-extension://")));
|
| +
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.google.com:1/;",
|
| OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| -
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| -
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://127.0.0.1.example.com",
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.google.com:*/;",
|
| OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| +
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' http://lOcAlHoSt;", OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self' http://localhost;"));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' http://127.0.0.1.example.com",
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "http://127.0.0.1.example.com")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| "default-src 'self' http://localhost.example.com",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "http://localhost.example.com")));
|
|
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| "default-src 'self' blob:http://example.com/XXX",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' filesystem:http://example.com/XXX",
|
| - OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "blob:http://example.com/xxx")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' filesystem:http://example.com/XX",
|
| + OPTIONS_ALLOW_UNSAFE_EVAL,
|
| + "default-src 'self';",
|
| + InsecureValueWarning("default-src", "filesystem:http://example.com/xx")));
|
|
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.googleapis.com",
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://*.googleapis.com;",
|
| OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://x.googleapis.com",
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "default-src 'self' https://x.googleapis.com;",
|
| OPTIONS_ALLOW_UNSAFE_EVAL));
|
| - // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension
|
| - // authors have been using this string anyway, so we cannot refuse this string
|
| - // until extensions can be loaded with an invalid CSP. http://crbug.com/434773
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL));
|
| -
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src *", OPTIONS_NONE));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src *; plugin-types application/pdf",
|
| - OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src *; "
|
| - "plugin-types application/x-shockwave-flash",
|
| - OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src *; "
|
| - "plugin-types application/x-shockwave-flash application/pdf",
|
| - OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src http://www.example.com; "
|
| - "plugin-types application/pdf",
|
| - OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "object-src http://www.example.com blob:; script-src 'self'; "
|
| - "plugin-types application/pdf",
|
| - OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src http://*.example.com; "
|
| - "plugin-types application/pdf",
|
| - OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "script-src *; object-src *; plugin-types application/pdf",
|
| - OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| +
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src 'self'; object-src *", OPTIONS_NONE,
|
| + "script-src 'self'; object-src;",
|
| + InsecureValueWarning("object-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
|
| + "script-src 'self'; object-src;",
|
| + InsecureValueWarning("object-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src 'self'; object-src *; plugin-types application/pdf;",
|
| + OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src 'self'; object-src *; "
|
| + "plugin-types application/x-shockwave-flash",
|
| + OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
|
| + "script-src 'self'; object-src; "
|
| + "plugin-types application/x-shockwave-flash;",
|
| + InsecureValueWarning("object-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src 'self'; object-src *; "
|
| + "plugin-types application/x-shockwave-flash application/pdf;",
|
| + OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
|
| + "script-src 'self'; object-src; "
|
| + "plugin-types application/x-shockwave-flash application/pdf;",
|
| + InsecureValueWarning("object-src", "*")));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src 'self'; object-src http://www.example.com; "
|
| + "plugin-types application/pdf;",
|
| + OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "object-src http://www.example.com blob:; script-src 'self'; "
|
| + "plugin-types application/pdf;",
|
| + OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src 'self'; object-src http://*.example.com; "
|
| + "plugin-types application/pdf;",
|
| + OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
|
| + EXPECT_TRUE(CheckSanitizeCSP(
|
| + "script-src *; object-src *; plugin-types application/pdf;",
|
| + OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
|
| + "script-src; object-src *; plugin-types application/pdf;",
|
| + InsecureValueWarning("script-src", "*")));
|
| }
|
|
|
| TEST(ExtensionCSPValidator, IsSandboxed) {
|
|
|
Chromium Code Reviews
Issue 747403002:
Ignore insecure parts of CSP in extensions and allow extension to load (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master