Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(24)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: extensions/common/csp_validator_unittest.cc

Issue 760513003: Only allow insecure object-src directives for whitelisted mime types (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extensions-csp3
Patch Set: Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« extensions/common/csp_validator.cc ('K') | « extensions/common/csp_validator.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "extensions/common/csp_validator.h" 5 #include "extensions/common/csp_validator.h"
6 #include "testing/gtest/include/gtest/gtest.h" 6 #include "testing/gtest/include/gtest/gtest.h"
7 7
8 using extensions::csp_validator::ContentSecurityPolicyIsLegal; 8 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
9 using extensions::csp_validator::ContentSecurityPolicyIsSecure; 9 using extensions::csp_validator::ContentSecurityPolicyIsSecure;
10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; 10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after
173 "default-src 'self' https://x.googleapis.com", 173 "default-src 'self' https://x.googleapis.com",
174 OPTIONS_ALLOW_UNSAFE_EVAL)); 174 OPTIONS_ALLOW_UNSAFE_EVAL));
175 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension 175 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension
176 // authors have been using this string anyway, so we cannot refuse this string 176 // authors have been using this string anyway, so we cannot refuse this string
177 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773 177 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773
178 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 178 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
179 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL)); 179 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL));
180 180
181 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 181 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
182 "script-src 'self'; object-src *", OPTIONS_NONE)); 182 "script-src 'self'; object-src *", OPTIONS_NONE));
183 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 183 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
184 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 184 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
185 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 185 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
186 "script-src 'self'; object-src http://www.example.com", 186 "script-src 'self'; object-src *; plugin-types application/pdf",
187 OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
188 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
189 "script-src 'self'; object-src *; "
190 "plugin-types application/x-shockwave-flash",
191 OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
192 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
193 "script-src 'self'; object-src *; "
194 "plugin-types application/x-shockwave-flash application/pdf",
187 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 195 OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
188 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 196 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
189 "object-src http://www.example.com blob:; script-src 'self'", 197 "script-src 'self'; object-src http://www.example.com; "
198 "plugin-types application/pdf",
190 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 199 OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
191 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 200 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
192 "script-src 'self'; object-src http://*.example.com", 201 "object-src http://www.example.com blob:; script-src 'self'; "
202 "plugin-types application/pdf",
203 OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
204 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
205 "script-src 'self'; object-src http://*.example.com; "
206 "plugin-types application/pdf",
193 OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 207 OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
194 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 208 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
195 "script-src *; object-src *;", OPTIONS_ALLOW_INSECURE_OBJECT_SRC)); 209 "script-src *; object-src *; plugin-types application/pdf",
210 OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
196 } 211 }
197 212
198 TEST(ExtensionCSPValidator, IsSandboxed) { 213 TEST(ExtensionCSPValidator, IsSandboxed) {
199 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), 214 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
200 Manifest::TYPE_EXTENSION)); 215 Manifest::TYPE_EXTENSION));
201 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", 216 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
202 Manifest::TYPE_EXTENSION)); 217 Manifest::TYPE_EXTENSION));
203 218
204 // Sandbox directive is required. 219 // Sandbox directive is required.
205 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 220 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
(...skipping 15 matching lines...) Expand all
221 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); 236 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION));
222 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( 237 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
223 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); 238 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP));
224 239
225 // Popups are OK. 240 // Popups are OK.
226 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 241 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
227 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); 242 "sandbox allow-popups", Manifest::TYPE_EXTENSION));
228 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 243 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
229 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); 244 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP));
230 } 245 }
OLDNEW
« extensions/common/csp_validator.cc ('K') | « extensions/common/csp_validator.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698