Chromium Code Reviews Chromium Code Reviews
Issue 754713002:
Allow arbitrary object-src CSP directives for component extensions (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: extensions/common/csp_validator_unittest.cc |
| diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc |
| index 436d4502715c41d3e127f4477e53293deebd3266..1bc6e50153dbdada869472a62ada888573d50dc0 100644 |
| --- a/extensions/common/csp_validator_unittest.cc |
| +++ b/extensions/common/csp_validator_unittest.cc |
| @@ -8,6 +8,9 @@ |
| using extensions::csp_validator::ContentSecurityPolicyIsLegal; |
| using extensions::csp_validator::ContentSecurityPolicyIsSecure; |
| using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; |
| +using extensions::csp_validator::NO_OPTIONS; |
| +using extensions::csp_validator::ALLOW_UNSAFE_EVAL; |
| +using extensions::csp_validator::ALLOW_INSECURE_OBJECT_SRC; |
| using extensions::Manifest; |
| TEST(ExtensionCSPValidator, IsLegal) { |
| @@ -24,156 +27,170 @@ TEST(ExtensionCSPValidator, IsLegal) { |
| TEST(ExtensionCSPValidator, IsSecure) { |
| EXPECT_FALSE( |
| - ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION)); |
| + ContentSecurityPolicyIsSecure(std::string(), ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src *", Manifest::TYPE_EXTENSION)); |
| + "default-src *", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self'", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self'", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'none'", Manifest::TYPE_EXTENSION)); |
| + "default-src 'none'", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' ftp://google.com", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://google.com", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION)); |
| + "default-src *; default-src 'self'", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self'; default-src *", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src 'self'; default-src *; script-src *; script-src 'self'", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| "default-src 'self'; default-src *; script-src 'self'; script-src *", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION)); |
| + "default-src *; script-src 'self'", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src *; script-src 'self'; img-src 'self'", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| "default-src *; script-src 'self'; object-src 'self'", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION)); |
| + "script-src 'self'; object-src 'self'", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION)); |
| - EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP)); |
| + "default-src 'unsafe-eval'", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP)); |
| + "default-src 'unsafe-eval'", NO_OPTIONS)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION)); |
| + "default-src 'unsafe-inline'", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION)); |
| + "default-src 'unsafe-inline' 'none'", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' http://google.com", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://google.com", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' chrome://resources", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' chrome-extension://aabbcc", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' chrome-extension-resource://aabbcc", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https:", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https:", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' http:", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' http:", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' google.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' google.com", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' *", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' *", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' *:*", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' *:*", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' *:*/", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' *:*/", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' *:*/path", ALLOW_UNSAFE_EVAL)); |
| // "https://" is an invalid CSP, so it will be ignored by Blink. |
| // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed. |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*:*", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*:*/", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*:*/path", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*.com", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*.*.google.com/", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' https://*.*.google.com:*/", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' https://www.*.google.com/", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' https://www.*.google.com:*/", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' chrome://*", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' chrome-extension://*", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*.google.com", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*.google.com:1", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*.google.com:*", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*.google.com:1/", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*.google.com:*/", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' http://127.0.0.1", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' http://localhost", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' http://lOcAlHoSt", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' http://127.0.0.1:9999", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' http://localhost:8888", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' http://127.0.0.1.example.com", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' http://localhost.example.com", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' blob:", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' blob:", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' blob:http://example.com/XXX", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' filesystem:", ALLOW_UNSAFE_EVAL)); |
| EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| "default-src 'self' filesystem:http://example.com/XXX", |
| - Manifest::TYPE_EXTENSION)); |
| + ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://*.googleapis.com", ALLOW_UNSAFE_EVAL)); |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' https://x.googleapis.com", ALLOW_UNSAFE_EVAL)); |
| // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension |
| // authors have been using this string anyway, so we cannot refuse this string |
| // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 |
| EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| - "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION)); |
| + "default-src 'self' chrome-extension://", ALLOW_UNSAFE_EVAL)); |
| + |
| + EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| + "script-src 'self'; object-src *", 0)); |
|
Sam McNally
2014/11/24 04:40:15
NO_OPTIONS.
raymes
2014/11/25 13:34:11
Done.
|
| + EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| + "script-src 'self'; object-src *", ALLOW_INSECURE_OBJECT_SRC)); |
| + EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| + "script-src 'self'; object-src http://www.example.com", |
| + ALLOW_INSECURE_OBJECT_SRC)); |
| + EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| + "object-src http://www.example.com blob:; script-src 'self'", |
| + ALLOW_INSECURE_OBJECT_SRC)); |
| + EXPECT_TRUE(ContentSecurityPolicyIsSecure( |
| + "script-src 'self'; object-src http://*.example.com", |
| + ALLOW_INSECURE_OBJECT_SRC)); |
| + EXPECT_FALSE(ContentSecurityPolicyIsSecure( |
| + "script-src *; object-src *;", ALLOW_INSECURE_OBJECT_SRC)); |
|
not at google - send to devlin
2014/11/24 18:18:03
Could you test somewhere ALLOW_UNSAFE_EVAL|ALLOW_I
not at google - send to devlin
2014/11/24 18:19:33
I regret making this comment. Never mind.
|
| } |
| TEST(ExtensionCSPValidator, IsSandboxed) { |
