| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
| 6 #include "testing/gtest/include/gtest/gtest.h" | 6 #include "testing/gtest/include/gtest/gtest.h" |
| 7 | 7 |
| 8 using extensions::csp_validator::ContentSecurityPolicyIsLegal; | 8 using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
| 9 using extensions::csp_validator::ContentSecurityPolicyIsSecure; | 9 using extensions::csp_validator::ContentSecurityPolicyIsSecure; |
| 10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; | 10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
| 11 using extensions::csp_validator::NO_OPTIONS; | |
| 12 using extensions::csp_validator::ALLOW_UNSAFE_EVAL; | |
| 13 using extensions::csp_validator::ALLOW_INSECURE_OBJECT_SRC; | |
| 11 using extensions::Manifest; | 14 using extensions::Manifest; |
| 12 | 15 |
| 13 TEST(ExtensionCSPValidator, IsLegal) { | 16 TEST(ExtensionCSPValidator, IsLegal) { |
| 14 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); | 17 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); |
| 15 EXPECT_TRUE(ContentSecurityPolicyIsLegal( | 18 EXPECT_TRUE(ContentSecurityPolicyIsLegal( |
| 16 "default-src 'self'; script-src http://www.google.com")); | 19 "default-src 'self'; script-src http://www.google.com")); |
| 17 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 20 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 18 "default-src 'self';\nscript-src http://www.google.com")); | 21 "default-src 'self';\nscript-src http://www.google.com")); |
| 19 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 22 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 20 "default-src 'self';\rscript-src http://www.google.com")); | 23 "default-src 'self';\rscript-src http://www.google.com")); |
| 21 EXPECT_FALSE(ContentSecurityPolicyIsLegal( | 24 EXPECT_FALSE(ContentSecurityPolicyIsLegal( |
| 22 "default-src 'self';,script-src http://www.google.com")); | 25 "default-src 'self';,script-src http://www.google.com")); |
| 23 } | 26 } |
| 24 | 27 |
| 25 TEST(ExtensionCSPValidator, IsSecure) { | 28 TEST(ExtensionCSPValidator, IsSecure) { |
| 26 EXPECT_FALSE( | 29 EXPECT_FALSE( |
| 27 ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION)); | 30 ContentSecurityPolicyIsSecure(std::string(), ALLOW_UNSAFE_EVAL)); |
| 28 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", | 31 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", |
| 29 Manifest::TYPE_EXTENSION)); | 32 ALLOW_UNSAFE_EVAL)); |
| 30 | 33 |
| 31 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 34 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 32 "default-src *", Manifest::TYPE_EXTENSION)); | 35 "default-src *", ALLOW_UNSAFE_EVAL)); |
| 33 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 36 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 34 "default-src 'self'", Manifest::TYPE_EXTENSION)); | 37 "default-src 'self'", ALLOW_UNSAFE_EVAL)); |
| 35 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 38 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 36 "default-src 'none'", Manifest::TYPE_EXTENSION)); | 39 "default-src 'none'", ALLOW_UNSAFE_EVAL)); |
| 37 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 40 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 38 "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION)); | 41 "default-src 'self' ftp://google.com", ALLOW_UNSAFE_EVAL)); |
| 39 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 42 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 40 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); | 43 "default-src 'self' https://google.com", ALLOW_UNSAFE_EVAL)); |
| 41 | 44 |
| 42 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 45 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 43 "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION)); | 46 "default-src *; default-src 'self'", ALLOW_UNSAFE_EVAL)); |
| 44 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 47 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 45 "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION)); | 48 "default-src 'self'; default-src *", ALLOW_UNSAFE_EVAL)); |
| 46 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 49 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 47 "default-src 'self'; default-src *; script-src *; script-src 'self'", | 50 "default-src 'self'; default-src *; script-src *; script-src 'self'", |
| 48 Manifest::TYPE_EXTENSION)); | 51 ALLOW_UNSAFE_EVAL)); |
| 49 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 52 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 50 "default-src 'self'; default-src *; script-src 'self'; script-src *", | 53 "default-src 'self'; default-src *; script-src 'self'; script-src *", |
| 51 Manifest::TYPE_EXTENSION)); | 54 ALLOW_UNSAFE_EVAL)); |
| 52 | 55 |
| 53 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 56 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 54 "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION)); | 57 "default-src *; script-src 'self'", ALLOW_UNSAFE_EVAL)); |
| 55 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 58 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 56 "default-src *; script-src 'self'; img-src 'self'", | 59 "default-src *; script-src 'self'; img-src 'self'", |
| 57 Manifest::TYPE_EXTENSION)); | 60 ALLOW_UNSAFE_EVAL)); |
| 58 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 61 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 59 "default-src *; script-src 'self'; object-src 'self'", | 62 "default-src *; script-src 'self'; object-src 'self'", |
| 60 Manifest::TYPE_EXTENSION)); | 63 ALLOW_UNSAFE_EVAL)); |
| 61 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 64 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 62 "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION)); | 65 "script-src 'self'; object-src 'self'", ALLOW_UNSAFE_EVAL)); |
| 63 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 66 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 64 "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION)); | 67 "default-src 'unsafe-eval'", ALLOW_UNSAFE_EVAL)); |
| 65 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | |
| 66 "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP)); | |
| 67 | 68 |
| 68 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 69 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 69 "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP)); | 70 "default-src 'unsafe-eval'", NO_OPTIONS)); |
| 70 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 71 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 71 "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION)); | 72 "default-src 'unsafe-inline'", ALLOW_UNSAFE_EVAL)); |
| 72 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 73 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 73 "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION)); | 74 "default-src 'unsafe-inline' 'none'", ALLOW_UNSAFE_EVAL)); |
| 74 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 75 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 75 "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION)); | 76 "default-src 'self' http://google.com", ALLOW_UNSAFE_EVAL)); |
| 76 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 77 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 77 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); | 78 "default-src 'self' https://google.com", ALLOW_UNSAFE_EVAL)); |
| 78 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 79 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 79 "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION)); | 80 "default-src 'self' chrome://resources", ALLOW_UNSAFE_EVAL)); |
| 80 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 81 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 81 "default-src 'self' chrome-extension://aabbcc", | 82 "default-src 'self' chrome-extension://aabbcc", |
| 82 Manifest::TYPE_EXTENSION)); | 83 ALLOW_UNSAFE_EVAL)); |
| 83 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 84 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 84 "default-src 'self' chrome-extension-resource://aabbcc", | 85 "default-src 'self' chrome-extension-resource://aabbcc", |
| 85 Manifest::TYPE_EXTENSION)); | 86 ALLOW_UNSAFE_EVAL)); |
| 86 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 87 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 87 "default-src 'self' https:", Manifest::TYPE_EXTENSION)); | 88 "default-src 'self' https:", ALLOW_UNSAFE_EVAL)); |
| 88 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 89 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 89 "default-src 'self' http:", Manifest::TYPE_EXTENSION)); | 90 "default-src 'self' http:", ALLOW_UNSAFE_EVAL)); |
| 90 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 91 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 91 "default-src 'self' google.com", Manifest::TYPE_EXTENSION)); | 92 "default-src 'self' google.com", ALLOW_UNSAFE_EVAL)); |
| 92 | 93 |
| 93 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 94 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 94 "default-src 'self' *", Manifest::TYPE_EXTENSION)); | 95 "default-src 'self' *", ALLOW_UNSAFE_EVAL)); |
| 95 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 96 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 96 "default-src 'self' *:*", Manifest::TYPE_EXTENSION)); | 97 "default-src 'self' *:*", ALLOW_UNSAFE_EVAL)); |
| 97 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 98 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 98 "default-src 'self' *:*/", Manifest::TYPE_EXTENSION)); | 99 "default-src 'self' *:*/", ALLOW_UNSAFE_EVAL)); |
| 99 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 100 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 100 "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION)); | 101 "default-src 'self' *:*/path", ALLOW_UNSAFE_EVAL)); |
| 101 // "https://" is an invalid CSP, so it will be ignored by Blink. | 102 // "https://" is an invalid CSP, so it will be ignored by Blink. |
| 102 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed. | 103 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed. |
| 103 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 104 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 104 "default-src 'self' https://", Manifest::TYPE_EXTENSION)); | 105 "default-src 'self' https://", ALLOW_UNSAFE_EVAL)); |
| 105 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 106 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 106 "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION)); | 107 "default-src 'self' https://*:*", ALLOW_UNSAFE_EVAL)); |
| 107 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 108 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 108 "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION)); | 109 "default-src 'self' https://*:*/", ALLOW_UNSAFE_EVAL)); |
| 109 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 110 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 110 "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION)); | 111 "default-src 'self' https://*:*/path", ALLOW_UNSAFE_EVAL)); |
| 111 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 112 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 112 "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION)); | 113 "default-src 'self' https://*.com", ALLOW_UNSAFE_EVAL)); |
| 113 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 114 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 114 "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION)); | 115 "default-src 'self' https://*.*.google.com/", ALLOW_UNSAFE_EVAL)); |
| 115 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 116 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 116 "default-src 'self' https://*.*.google.com:*/", | 117 "default-src 'self' https://*.*.google.com:*/", |
| 117 Manifest::TYPE_EXTENSION)); | 118 ALLOW_UNSAFE_EVAL)); |
| 118 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 119 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 119 "default-src 'self' https://www.*.google.com/", | 120 "default-src 'self' https://www.*.google.com/", |
| 120 Manifest::TYPE_EXTENSION)); | 121 ALLOW_UNSAFE_EVAL)); |
| 121 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 122 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 122 "default-src 'self' https://www.*.google.com:*/", | 123 "default-src 'self' https://www.*.google.com:*/", |
| 123 Manifest::TYPE_EXTENSION)); | 124 ALLOW_UNSAFE_EVAL)); |
| 124 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 125 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 125 "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION)); | 126 "default-src 'self' chrome://*", ALLOW_UNSAFE_EVAL)); |
| 126 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 127 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 127 "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION)); | 128 "default-src 'self' chrome-extension://*", ALLOW_UNSAFE_EVAL)); |
| 128 | 129 |
| 129 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 130 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 130 "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION)); | 131 "default-src 'self' https://*.google.com", ALLOW_UNSAFE_EVAL)); |
| 131 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 132 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 132 "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION)); | 133 "default-src 'self' https://*.google.com:1", ALLOW_UNSAFE_EVAL)); |
| 133 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 134 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 134 "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION)); | 135 "default-src 'self' https://*.google.com:*", ALLOW_UNSAFE_EVAL)); |
| 135 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 136 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 136 "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION)); | 137 "default-src 'self' https://*.google.com:1/", ALLOW_UNSAFE_EVAL)); |
| 137 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 138 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 138 "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION)); | 139 "default-src 'self' https://*.google.com:*/", ALLOW_UNSAFE_EVAL)); |
| 139 | 140 |
| 140 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 141 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 141 "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION)); | 142 "default-src 'self' http://127.0.0.1", ALLOW_UNSAFE_EVAL)); |
| 142 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 143 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 143 "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION)); | 144 "default-src 'self' http://localhost", ALLOW_UNSAFE_EVAL)); |
| 144 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 145 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 145 "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION)); | 146 "default-src 'self' http://lOcAlHoSt", ALLOW_UNSAFE_EVAL)); |
| 146 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 147 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 147 "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION)); | 148 "default-src 'self' http://127.0.0.1:9999", ALLOW_UNSAFE_EVAL)); |
| 148 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 149 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 149 "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION)); | 150 "default-src 'self' http://localhost:8888", ALLOW_UNSAFE_EVAL)); |
| 150 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 151 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 151 "default-src 'self' http://127.0.0.1.example.com", | 152 "default-src 'self' http://127.0.0.1.example.com", |
| 152 Manifest::TYPE_EXTENSION)); | 153 ALLOW_UNSAFE_EVAL)); |
| 153 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 154 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 154 "default-src 'self' http://localhost.example.com", | 155 "default-src 'self' http://localhost.example.com", |
| 155 Manifest::TYPE_EXTENSION)); | 156 ALLOW_UNSAFE_EVAL)); |
| 156 | 157 |
| 157 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 158 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 158 "default-src 'self' blob:", Manifest::TYPE_EXTENSION)); | 159 "default-src 'self' blob:", ALLOW_UNSAFE_EVAL)); |
| 159 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 160 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 160 "default-src 'self' blob:http://example.com/XXX", | 161 "default-src 'self' blob:http://example.com/XXX", |
| 161 Manifest::TYPE_EXTENSION)); | 162 ALLOW_UNSAFE_EVAL)); |
| 162 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 163 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 163 "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION)); | 164 "default-src 'self' filesystem:", ALLOW_UNSAFE_EVAL)); |
| 164 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | 165 EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| 165 "default-src 'self' filesystem:http://example.com/XXX", | 166 "default-src 'self' filesystem:http://example.com/XXX", |
| 166 Manifest::TYPE_EXTENSION)); | 167 ALLOW_UNSAFE_EVAL)); |
| 167 | 168 |
| 168 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 169 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 169 "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION)); | 170 "default-src 'self' https://*.googleapis.com", ALLOW_UNSAFE_EVAL)); |
| 170 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 171 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 171 "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION)); | 172 "default-src 'self' https://x.googleapis.com", ALLOW_UNSAFE_EVAL)); |
| 172 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension | 173 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension |
| 173 // authors have been using this string anyway, so we cannot refuse this string | 174 // authors have been using this string anyway, so we cannot refuse this string |
| 174 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 | 175 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 |
| 175 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | 176 EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| 176 "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION)); | 177 "default-src 'self' chrome-extension://", ALLOW_UNSAFE_EVAL)); |
| 178 | |
| 179 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | |
| 180 "script-src 'self'; object-src *", 0)); | |
|
Sam McNally
2014/11/24 04:40:15
NO_OPTIONS.
raymes
2014/11/25 13:34:11
Done.
| |
| 181 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | |
| 182 "script-src 'self'; object-src *", ALLOW_INSECURE_OBJECT_SRC)); | |
| 183 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | |
| 184 "script-src 'self'; object-src http://www.example.com", | |
| 185 ALLOW_INSECURE_OBJECT_SRC)); | |
| 186 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | |
| 187 "object-src http://www.example.com blob:; script-src 'self'", | |
| 188 ALLOW_INSECURE_OBJECT_SRC)); | |
| 189 EXPECT_TRUE(ContentSecurityPolicyIsSecure( | |
| 190 "script-src 'self'; object-src http://*.example.com", | |
| 191 ALLOW_INSECURE_OBJECT_SRC)); | |
| 192 EXPECT_FALSE(ContentSecurityPolicyIsSecure( | |
| 193 "script-src *; object-src *;", ALLOW_INSECURE_OBJECT_SRC)); | |
|
not at google - send to devlin
2014/11/24 18:18:03
Could you test somewhere ALLOW_UNSAFE_EVAL|ALLOW_I
not at google - send to devlin
2014/11/24 18:19:33
I regret making this comment. Never mind.
| |
| 177 } | 194 } |
| 178 | 195 |
| 179 TEST(ExtensionCSPValidator, IsSandboxed) { | 196 TEST(ExtensionCSPValidator, IsSandboxed) { |
| 180 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), | 197 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), |
| 181 Manifest::TYPE_EXTENSION)); | 198 Manifest::TYPE_EXTENSION)); |
| 182 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", | 199 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", |
| 183 Manifest::TYPE_EXTENSION)); | 200 Manifest::TYPE_EXTENSION)); |
| 184 | 201 |
| 185 // Sandbox directive is required. | 202 // Sandbox directive is required. |
| 186 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 203 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 202 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); | 219 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); |
| 203 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( | 220 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( |
| 204 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); | 221 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); |
| 205 | 222 |
| 206 // Popups are OK. | 223 // Popups are OK. |
| 207 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 224 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 208 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); | 225 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); |
| 209 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( | 226 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( |
| 210 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); | 227 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); |
| 211 } | 228 } |
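Review bot: The only NO_OPTIONS assertion in IsSecure (the line numbered 70, `"default-src 'unsafe-eval'"`) is a negative one, so a validator that rejected every policy when no option bit is set would still pass this suite; a positive baseline such as `EXPECT_TRUE(ContentSecurityPolicyIsSecure("default-src 'self'", NO_OPTIONS));` would pin the no-options path. The ALLOW_INSECURE_OBJECT_SRC cases (lines numbered 181-193) all name object-src explicitly; the case where object-src is absent and falls back to a permissive default-src, which is rejected under ALLOW_UNSAFE_EVAL at lines 56-57, is not exercised with the new flag, so an assertion on e.g. `"default-src *; script-src 'self'"` with ALLOW_INSECURE_OBJECT_SRC would document whether the relaxation is meant to reach the fallback. Whether that fallback should be accepted cannot be told from the test file alone, so pin whichever result the validator is intended to give.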