| Index: extensions/common/csp_validator_unittest.cc
|
| diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
|
| index 436d4502715c41d3e127f4477e53293deebd3266..f38cdf7af0f8ff94d7f12a29f00bbebf876ed75a 100644
|
| --- a/extensions/common/csp_validator_unittest.cc
|
| +++ b/extensions/common/csp_validator_unittest.cc
|
| @@ -3,13 +3,33 @@
|
| // found in the LICENSE file.
|
|
|
| #include "extensions/common/csp_validator.h"
|
| +#include "extensions/common/error_utils.h"
|
| +#include "extensions/common/install_warning.h"
|
| +#include "extensions/common/manifest_constants.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
|
|
| using extensions::csp_validator::ContentSecurityPolicyIsLegal;
|
| using extensions::csp_validator::ContentSecurityPolicyIsSecure;
|
| using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
|
| +using extensions::ErrorUtils;
|
| +using extensions::InstallWarning;
|
| using extensions::Manifest;
|
|
|
| +namespace {
|
| +
|
| +std::string InsecureValueWarning(const std::string& directive,
|
| + const std::string& value) {
|
| + return ErrorUtils::FormatErrorMessage(
|
| + extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive);
|
| +}
|
| +
|
| +std::string MissingSecureSrcWarning(const std::string& directive) {
|
| + return ErrorUtils::FormatErrorMessage(
|
| + extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive);
|
| +}
|
| +
|
| +}; // namespace
|
| +
|
| TEST(ExtensionCSPValidator, IsLegal) {
|
| EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
|
| EXPECT_TRUE(ContentSecurityPolicyIsLegal(
|
| @@ -23,157 +43,407 @@ TEST(ExtensionCSPValidator, IsLegal) {
|
| }
|
|
|
| TEST(ExtensionCSPValidator, IsSecure) {
|
| - EXPECT_FALSE(
|
| - ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION));
|
| - EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
|
| - Manifest::TYPE_EXTENSION));
|
| + std::string csp;
|
| + std::vector<InstallWarning> warnings;
|
|
|
| + warnings.push_back(InstallWarning("should not be removed"));
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src *", Manifest::TYPE_EXTENSION));
|
| + std::string(), Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("script-src 'self' chrome-extension-resource:; object-src 'self';",
|
| + csp);
|
| + EXPECT_EQ(3U, warnings.size());
|
| + // ContentSecurityPolicyIsSecure should append (not replace) warnings.
|
| + EXPECT_EQ("should not be removed", warnings[0].message);
|
| + EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[1].message);
|
| + EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message);
|
| + warnings.clear();
|
| +
|
| + EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| + "img-src https://google.com", Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("img-src https://google.com; script-src 'self'"
|
| + " chrome-extension-resource:; object-src 'self';", csp);
|
| + EXPECT_EQ(2U, warnings.size());
|
| + EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[0].message);
|
| + EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[1].message);
|
| + warnings.clear();
|
| +
|
| + EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| + "script-src a b", Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("script-src; object-src 'self';", csp);
|
| + EXPECT_EQ(3U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("script-src", "a"), warnings[0].message);
|
| + EXPECT_EQ(InsecureValueWarning("script-src", "b"), warnings[1].message);
|
| + EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message);
|
| + warnings.clear();
|
| +
|
| + EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| + "default-src *", Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src;", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self'", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self'", Manifest::TYPE_EXTENSION, NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'none'", Manifest::TYPE_EXTENSION));
|
| + "default-src 'none'", Manifest::TYPE_EXTENSION, NULL, NULL));
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "ftp://google.com"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION, NULL,
|
| + NULL));
|
|
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION));
|
| + "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src; default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION, NULL,
|
| + NULL));
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self'; default-src *; script-src *; script-src 'self'",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self'; default-src; script-src; script-src 'self';",
|
| + csp);
|
| + // No warning about "object-src *" because it comes after "object-src 'self'".
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("script-src", "*"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self'; default-src *; script-src 'self'; script-src *",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, NULL, NULL));
|
|
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION));
|
| + "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src; script-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| "default-src *; script-src 'self'; img-src 'self'",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src; script-src 'self'; img-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| "default-src *; script-src 'self'; object-src 'self'",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION));
|
| + "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION, NULL,
|
| + NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION));
|
| + "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION, NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP));
|
| + "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP, NULL,
|
| + NULL));
|
|
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP));
|
| + "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src;", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-eval'"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION));
|
| + "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src;", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION));
|
| + "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'none';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "http://google.com"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION, NULL,
|
| + NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION, NULL,
|
| + NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self' chrome-extension://aabbcc",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self' chrome-extension-resource://aabbcc",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, NULL, NULL));
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https:", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https:", Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https:"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http:", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' http:", Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "http:"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' google.com", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' google.com", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "google.com"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
|
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' *", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' *", Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' *:*", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' *:*", Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "*:*"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' *:*/", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' *:*/", Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "*:*/"), warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION));
|
| - // "https://" is an invalid CSP, so it will be ignored by Blink.
|
| - // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed.
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "*:*/path"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| + EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| + "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/path"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://*.com"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION,
|
| + &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com/"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.*.google.com:*/",
|
| - Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*.*.google.com:*/", Manifest::TYPE_EXTENSION,
|
| + &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com:*/"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://www.*.google.com/",
|
| - Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://www.*.google.com/", Manifest::TYPE_EXTENSION,
|
| + &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com/"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self' https://www.*.google.com:*/",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com:*/"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| + EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| + "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "chrome://*"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://*"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION, &csp,
|
| + &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
|
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
|
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION, NULL,
|
| + NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION, NULL,
|
| + NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION, NULL,
|
| + NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self' http://127.0.0.1.example.com",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "http://127.0.0.1.example.com"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self' http://localhost.example.com",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "http://localhost.example.com"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
|
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' blob:", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' blob:", Manifest::TYPE_EXTENSION, NULL, NULL));
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self' blob:http://example.com/XXX",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src", "blob:http://example.com/xxx"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION, NULL, NULL));
|
| EXPECT_FALSE(ContentSecurityPolicyIsSecure(
|
| "default-src 'self' filesystem:http://example.com/XXX",
|
| - Manifest::TYPE_EXTENSION));
|
| + Manifest::TYPE_EXTENSION, &csp, &warnings));
|
| + EXPECT_EQ("default-src 'self';", csp);
|
| + EXPECT_EQ(1U, warnings.size());
|
| + EXPECT_EQ(InsecureValueWarning("default-src",
|
| + "filesystem:http://example.com/xxx"),
|
| + warnings[0].message);
|
| + warnings.clear();
|
| +
|
|
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION));
|
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION));
|
| - // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension
|
| - // authors have been using this string anyway, so we cannot refuse this string
|
| - // until extensions can be loaded with an invalid CSP. http://crbug.com/434773
|
| + "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
| EXPECT_TRUE(ContentSecurityPolicyIsSecure(
|
| - "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION));
|
| + "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION,
|
| + NULL, NULL));
|
| }
|
|
|
| TEST(ExtensionCSPValidator, IsSandboxed) {
|
|
|
Chromium Code Reviews
Issue 747403002:
Ignore insecure parts of CSP in extensions and allow extension to load (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master