| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
| 6 #include "testing/gtest/include/gtest/gtest.h" | 6 #include "testing/gtest/include/gtest/gtest.h" |
| 7 | 7 |
| 8 using extensions::csp_validator::ContentSecurityPolicyIsLegal; | 8 using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
| 9 using extensions::csp_validator::ContentSecurityPolicyIsSecure; | 9 using extensions::csp_validator::ContentSecurityPolicyIsSecure; |
| 10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; | 10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
| 11 using extensions::csp_validator::OPTIONS_NONE; |
| 12 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; |
| 13 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; |
| 11 using extensions::Manifest; | 14 using extensions::Manifest; |
| 12 | 15 |
| 13 TEST(ExtensionCSPValidator, IsLegal) { | 16 TEST(ExtensionCSPValidator, IsLegal) { |
| 14 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); | 17 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); |
| 15 EXPECT_TRUE(ContentSecurityPolicyIsLegal( | 18 EXPECT_TRUE(ContentSecurityPolicyIsLegal( |
| 16 "default-src 'self'; script-src http://www.google.com")); | 19 "default-src 'self'; script-src http://www.google.com")); |
| 17 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 20 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 18 "default-src 'self';\nscript-src http://www.google.com")); | 21 "default-src 'self';\nscript-src http://www.google.com")); |
| 19 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 22 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 20 "default-src 'self';\rscript-src http://www.google.com")); | 23 "default-src 'self';\rscript-src http://www.google.com")); |
| 21 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 24 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 22 "default-src 'self';,script-src http://www.google.com")); | 25 "default-src 'self';,script-src http://www.google.com")); |
| 23 } | 26 } |
| 24 | 27 |
| 25 TEST(ExtensionCSPValidator, IsSecure) { | 28 TEST(ExtensionCSPValidator, IsSecure) { |
| 26 EXPECT_FALSE( | 29 EXPECT_FALSE( |
| 27 ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION)); | 30 ContentSecurityPolicyIsSecure(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 28 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", | 31 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", |
| 29 Manifest::TYPE_EXTENSION)); | 32 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 30 | 33 |
| 31 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 34 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 32 "default-src *", Manifest::TYPE_EXTENSION)); | 35 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 33 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 36 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 34 "default-src 'self'", Manifest::TYPE_EXTENSION)); | 37 "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 35 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 38 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 36 "default-src 'none'", Manifest::TYPE_EXTENSION)); | 39 "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 37 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 40 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 38 "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION)); | 41 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 39 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 42 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 40 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); | 43 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 41 | 44 |
| 42 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 45 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 43 "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION)); | 46 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 44 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 47 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 45 "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION)); | 48 "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 46 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 49 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 47 "default-src 'self'; default-src *; script-src *; script-src 'self'", | 50 "default-src 'self'; default-src *; script-src *; script-src 'self'", |
| 48 Manifest::TYPE_EXTENSION)); | 51 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 49 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 52 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 50 "default-src 'self'; default-src *; script-src 'self'; script-src *", | 53 "default-src 'self'; default-src *; script-src 'self'; script-src *", |
| 51 Manifest::TYPE_EXTENSION)); | 54 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 52 | 55 |
| 53 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 56 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 54 "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION)); | 57 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 55 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 58 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 56 "default-src *; script-src 'self'; img-src 'self'", | 59 "default-src *; script-src 'self'; img-src 'self'", |
| 57 Manifest::TYPE_EXTENSION)); | 60 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 58 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 61 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 59 "default-src *; script-src 'self'; object-src 'self'", | 62 "default-src *; script-src 'self'; object-src 'self'", |
| 60 Manifest::TYPE_EXTENSION)); | 63 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 61 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 64 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 62 "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION)); | 65 "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 63 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 66 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 64 "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION)); | 67 "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 65 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | |
| 66 "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP)); | |
| 67 | 68 |
| 68 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 69 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 69 "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP)); | 70 "default-src 'unsafe-eval'", OPTIONS_NONE)); |
| 70 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 71 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 71 "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION)); | 72 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 72 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 73 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 73 "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION)); | 74 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 74 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 75 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 75 "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION)); | 76 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 76 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 77 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 77 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); | 78 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 78 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 79 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 79 "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION)); | 80 "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 80 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 81 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 81 "default-src 'self' chrome-extension://aabbcc", | 82 "default-src 'self' chrome-extension://aabbcc", |
| 82 Manifest::TYPE_EXTENSION)); | 83 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 83 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 84 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 84 "default-src 'self' chrome-extension-resource://aabbcc", | 85 "default-src 'self' chrome-extension-resource://aabbcc", |
| 85 Manifest::TYPE_EXTENSION)); | 86 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 86 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 87 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 87 "default-src 'self' https:", Manifest::TYPE_EXTENSION)); | 88 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 88 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 89 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 89 "default-src 'self' http:", Manifest::TYPE_EXTENSION)); | 90 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 90 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 91 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 91 "default-src 'self' google.com", Manifest::TYPE_EXTENSION)); | 92 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 92 | 93 |
| 93 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 94 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 94 "default-src 'self' *", Manifest::TYPE_EXTENSION)); | 95 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 95 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 96 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 96 "default-src 'self' *:*", Manifest::TYPE_EXTENSION)); | 97 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 97 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 98 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 98 "default-src 'self' *:*/", Manifest::TYPE_EXTENSION)); | 99 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 99 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 100 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 100 "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION)); | 101 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 101 // "https://" is an invalid CSP, so it will be ignored by Blink. | 102 // "https://" is an invalid CSP, so it will be ignored by Blink. |
| 102 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed. | 103 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed. |
| 103 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 104 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 104 "default-src 'self' https://", Manifest::TYPE_EXTENSION)); | 105 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 105 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 106 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 106 "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION)); | 107 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 107 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 108 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 108 "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION)); | 109 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 109 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 110 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 110 "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION)); | 111 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 111 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 112 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 112 "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION)); | 113 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 113 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 114 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 114 "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION)); | 115 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 115 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 116 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 116 "default-src 'self' https://*.*.google.com:*/", | 117 "default-src 'self' https://*.*.google.com:*/", |
| 117 Manifest::TYPE_EXTENSION)); | 118 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 118 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 119 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 119 "default-src 'self' https://www.*.google.com/", | 120 "default-src 'self' https://www.*.google.com/", |
| 120 Manifest::TYPE_EXTENSION)); | 121 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 121 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 122 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 122 "default-src 'self' https://www.*.google.com:*/", | 123 "default-src 'self' https://www.*.google.com:*/", |
| 123 Manifest::TYPE_EXTENSION)); | 124 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 124 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 125 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 125 "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION)); | 126 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 126 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 127 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 127 "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION)); | 128 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 128 | 129 |
| 129 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 130 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 130 "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION)); | 131 "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 131 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 132 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 132 "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION)); | 133 "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 133 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 134 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 134 "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION)); | 135 "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 135 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 136 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 136 "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION)); | 137 "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 137 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 138 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 138 "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION)); | 139 "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 139 | 140 |
| 140 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 141 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 141 "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION)); | 142 "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 142 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 143 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 143 "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION)); | 144 "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 144 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 145 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 145 "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION)); | 146 "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 146 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 147 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 147 "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION)); | 148 "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 148 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 149 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 149 "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION)); | 150 "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 150 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 151 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 151 "default-src 'self' http://127.0.0.1.example.com", | 152 "default-src 'self' http://127.0.0.1.example.com", |
| 152 Manifest::TYPE_EXTENSION)); | 153 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 153 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 154 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 154 "default-src 'self' http://localhost.example.com", | 155 "default-src 'self' http://localhost.example.com", |
| 155 Manifest::TYPE_EXTENSION)); | 156 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 156 | 157 |
| 157 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 158 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 158 "default-src 'self' blob:", Manifest::TYPE_EXTENSION)); | 159 "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 159 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 160 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 160 "default-src 'self' blob:http://example.com/XXX", | 161 "default-src 'self' blob:http://example.com/XXX", |
| 161 Manifest::TYPE_EXTENSION)); | 162 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 162 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 163 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 163 "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION)); | 164 "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 164 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 165 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 165 "default-src 'self' filesystem:http://example.com/XXX", | 166 "default-src 'self' filesystem:http://example.com/XXX", |
| 166 Manifest::TYPE_EXTENSION)); | 167 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 167 | 168 |
| 168 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 169 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 169 "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION)); | 170 "default-src 'self' https://*.googleapis.com", |
| 171 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 170 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 172 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 171 "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION)); | 173 "default-src 'self' https://x.googleapis.com", |
| 174 OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 172 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension | 175 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension |
| 173 // authors have been using this string anyway, so we cannot refuse this string | 176 // authors have been using this string anyway, so we cannot refuse this string |
| 174 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 | 177 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 |
| 175 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 178 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 176 "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION)); | 179 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL)); |
| 180 |
| 181 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 182 "script-src 'self'; object-src *", OPTIONS_NONE)); |
| 183 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 184 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); |
| 185 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 186 "script-src 'self'; object-src http://www.example.com", |
| 187 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); |
| 188 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 189 "object-src http://www.example.com blob:; script-src 'self'", |
| 190 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); |
| 191 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 192 "script-src 'self'; object-src http://*.example.com", |
| 193 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); |
| 194 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 195 "script-src *; object-src *;", OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); |
| 177 } | 196 } |
| 178 | 197 |
| 179 TEST(ExtensionCSPValidator, IsSandboxed) { | 198 TEST(ExtensionCSPValidator, IsSandboxed) { |
| 180 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), | 199 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), |
| 181 Manifest::TYPE_EXTENSION)); | 200 Manifest::TYPE_EXTENSION)); |
| 182 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", | 201 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", |
| 183 Manifest::TYPE_EXTENSION)); | 202 Manifest::TYPE_EXTENSION)); |
| 184 | 203 |
| 185 // Sandbox directive is required. | 204 // Sandbox directive is required. |
| 186 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 205 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| (...skipping 15 matching lines...) Expand all Loading... |
| 202 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); | 221 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); |
| 203 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( | 222 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( |
| 204 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); | 223 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); |
| 205 | 224 |
| 206 // Popups are OK. | 225 // Popups are OK. |
| 207 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 226 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 208 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); | 227 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); |
| 209 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 228 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 210 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); | 229 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
| 211 } | 230 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 754713002:
Allow arbitrary object-src CSP directives for component extensions (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master