Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(53)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: extensions/common/csp_validator_unittest.cc

Issue 747403002: Ignore insecure parts of CSP in extensions and allow extension to load (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 6 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« extensions/common/csp_validator.cc ('K') | « extensions/common/csp_validator.cc ('k') | extensions/common/manifest_constants.h » ('j') | extensions/common/manifest_handlers/csp_info.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: extensions/common/csp_validator_unittest.cc
diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
index 9e2d800f99ea5fb799f3b1e3f953787837ed5117..787ed1bd48c8739c05c7867e01960ca0c42b872e 100644
--- a/extensions/common/csp_validator_unittest.cc
+++ b/extensions/common/csp_validator_unittest.cc
@@ -3,6 +3,9 @@
// found in the LICENSE file.
#include "extensions/common/csp_validator.h"
+#include "extensions/common/error_utils.h"
+#include "extensions/common/install_warning.h"
+#include "extensions/common/manifest_constants.h"
#include "testing/gtest/include/gtest/gtest.h"
using extensions::csp_validator::ContentSecurityPolicyIsLegal;
@@ -11,8 +14,25 @@ using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
using extensions::csp_validator::OPTIONS_NONE;
using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC;
+using extensions::ErrorUtils;
+using extensions::InstallWarning;
using extensions::Manifest;
+namespace {
+
+std::string InsecureValueWarning(const std::string& directive,
+ const std::string& value) {
+ return ErrorUtils::FormatErrorMessage(
+ extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive);
+}
+
+std::string MissingSecureSrcWarning(const std::string& directive) {
+ return ErrorUtils::FormatErrorMessage(
+ extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive);
+}
+
+}; // namespace
+
TEST(ExtensionCSPValidator, IsLegal) {
EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
EXPECT_TRUE(ContentSecurityPolicyIsLegal(
@@ -26,173 +46,430 @@ TEST(ExtensionCSPValidator, IsLegal) {
}
TEST(ExtensionCSPValidator, IsSecure) {
- EXPECT_FALSE(
- ContentSecurityPolicyIsSecure(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL));
- EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ std::string csp;
+ std::vector<InstallWarning> warnings;
+
+ warnings.push_back(InstallWarning("should not be removed"));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ std::string(), OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("script-src 'self' chrome-extension-resource:; object-src 'self';",
+ csp);
+ EXPECT_EQ(3U, warnings.size());
+ // ContentSecurityPolicyIsSecure should append (not replace) warnings.
+ EXPECT_EQ("should not be removed", warnings[0].message);
+ EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[1].message);
+ EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message);
+ warnings.clear();
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("img-src https://google.com; script-src 'self'"
+ " chrome-extension-resource:; object-src 'self';", csp);
+ EXPECT_EQ(2U, warnings.size());
+ EXPECT_EQ(MissingSecureSrcWarning("script-src"), warnings[0].message);
+ EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[1].message);
+ warnings.clear();
+
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("script-src; object-src 'self';", csp);
+ EXPECT_EQ(3U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("script-src", "a"), warnings[0].message);
+ EXPECT_EQ(InsecureValueWarning("script-src", "b"), warnings[1].message);
+ EXPECT_EQ(MissingSecureSrcWarning("object-src"), warnings[2].message);
not at google - send to devlin 2014/12/01 19:19:31 Some helper functions would help all throughout th
+ warnings.clear();
+
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src;", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "ftp://google.com"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
+ NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src; default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
+ NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self'; default-src *; script-src *; script-src 'self'",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self'; default-src; script-src; script-src 'self';",
+ csp);
+ // No warning about "object-src *" because it comes after "object-src 'self'".
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("script-src", "*"), warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self'; default-src *; script-src 'self'; script-src *",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src; script-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src *; script-src 'self'; img-src 'self'",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src; script-src 'self'; img-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src *; script-src 'self'; object-src 'self'",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
+ NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-eval'", OPTIONS_NONE));
+ "default-src 'unsafe-eval'", OPTIONS_NONE, &csp, &warnings));
+ EXPECT_EQ("default-src;", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-eval'"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src;", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'none';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "'unsafe-inline'"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "http://google.com"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
+ NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
+ NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome-extension://aabbcc",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome-extension-resource://aabbcc",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https:"), warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "http:"), warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "google.com"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "*"), warnings[0].message);
+ warnings.clear();
+
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "*:*"), warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "*:*/"), warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "*:*/path"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL));
- // "https://" is an invalid CSP, so it will be ignored by Blink.
- // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed.
- EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://*:*/path"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://*.com"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL,
+ &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com/"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.*.google.com:*/",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
+ &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://*.*.google.com:*/"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://www.*.google.com/",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL,
+ &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com/"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://www.*.google.com:*/",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "https://www.*.google.com:*/"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "chrome://*"),
+ warnings[0].message);
+ warnings.clear();
+
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL,
+ &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://*"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL, &csp,
+ &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "chrome-extension://"),
+ warnings[0].message);
+ warnings.clear();
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
+ NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
+ NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL, NULL,
+ NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://127.0.0.1.example.com",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "http://127.0.0.1.example.com"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://localhost.example.com",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "http://localhost.example.com"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' blob:http://example.com/XXX",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src", "blob:http://example.com/xxx"),
+ warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL, NULL, NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' filesystem:http://example.com/XXX",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ OPTIONS_ALLOW_UNSAFE_EVAL, &csp, &warnings));
+ EXPECT_EQ("default-src 'self';", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("default-src",
+ "filesystem:http://example.com/xxx"),
+ warnings[0].message);
+ warnings.clear();
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.googleapis.com",
- OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://*.googleapis.com", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://x.googleapis.com",
- OPTIONS_ALLOW_UNSAFE_EVAL));
- // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension
- // authors have been using this string anyway, so we cannot refuse this string
- // until extensions can be loaded with an invalid CSP. http://crbug.com/434773
- EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL));
+ "default-src 'self' https://x.googleapis.com", OPTIONS_ALLOW_UNSAFE_EVAL,
+ NULL, NULL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "script-src 'self'; object-src *", OPTIONS_NONE));
+ "script-src 'self'; object-src *", OPTIONS_NONE, &csp, &warnings));
+ EXPECT_EQ("script-src 'self'; object-src;", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("object-src", "*"), warnings[0].message);
+ warnings.clear();
+
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL,
+ NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"script-src 'self'; object-src http://www.example.com",
- OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"object-src http://www.example.com blob:; script-src 'self'",
- OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"script-src 'self'; object-src http://*.example.com",
- OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
- EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "script-src *; object-src *;", OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC, NULL, NULL));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "script-src *; object-src *;", OPTIONS_ALLOW_INSECURE_OBJECT_SRC, &csp,
+ &warnings));
+ EXPECT_EQ("script-src; object-src *;", csp);
+ EXPECT_EQ(1U, warnings.size());
+ EXPECT_EQ(InsecureValueWarning("script-src", "*"), warnings[0].message);
+ warnings.clear();
}
TEST(ExtensionCSPValidator, IsSandboxed) {
« extensions/common/csp_validator.cc ('K') | « extensions/common/csp_validator.cc ('k') | extensions/common/manifest_constants.h » ('j') | extensions/common/manifest_handlers/csp_info.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698