Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(47)

Unified Diff: extensions/common/csp_validator_unittest.cc

Issue 760513003: Only allow insecure object-src directives for whitelisted mime types (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extensions-csp3
Patch Set: Created 6 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: extensions/common/csp_validator_unittest.cc
diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
index 436d4502715c41d3e127f4477e53293deebd3266..1afa0b1a3f387f40d138e3df09215a6d7a2b9138 100644
--- a/extensions/common/csp_validator_unittest.cc
+++ b/extensions/common/csp_validator_unittest.cc
@@ -8,6 +8,9 @@
using extensions::csp_validator::ContentSecurityPolicyIsLegal;
using extensions::csp_validator::ContentSecurityPolicyIsSecure;
using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
+using extensions::csp_validator::OPTIONS_NONE;
+using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
+using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC;
using extensions::Manifest;
TEST(ExtensionCSPValidator, IsLegal) {
@@ -24,156 +27,187 @@ TEST(ExtensionCSPValidator, IsLegal) {
TEST(ExtensionCSPValidator, IsSecure) {
EXPECT_FALSE(
- ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION));
+ ContentSecurityPolicyIsSecure(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src *", Manifest::TYPE_EXTENSION));
+ "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self'", Manifest::TYPE_EXTENSION));
+ "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'none'", Manifest::TYPE_EXTENSION));
+ "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION));
+ "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION));
+ "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self'; default-src *; script-src *; script-src 'self'",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self'; default-src *; script-src 'self'; script-src *",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION));
+ "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src *; script-src 'self'; img-src 'self'",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src *; script-src 'self'; object-src 'self'",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION));
+ "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION));
- EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP));
+ "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP));
+ "default-src 'unsafe-eval'", OPTIONS_NONE));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION));
+ "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION));
+ "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION));
+ "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome-extension://aabbcc",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome-extension-resource://aabbcc",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https:", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http:", Manifest::TYPE_EXTENSION));
+ "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' google.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' *", Manifest::TYPE_EXTENSION));
+ "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' *:*", Manifest::TYPE_EXTENSION));
+ "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' *:*/", Manifest::TYPE_EXTENSION));
+ "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION));
+ "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL));
// "https://" is an invalid CSP, so it will be ignored by Blink.
// TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed.
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.*.google.com:*/",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://www.*.google.com/",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://www.*.google.com:*/",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION));
+ "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
- "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION));
+ "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION));
+ "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION));
+ "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION));
+ "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION));
+ "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION));
+ "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://127.0.0.1.example.com",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://localhost.example.com",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' blob:", Manifest::TYPE_EXTENSION));
+ "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' blob:http://example.com/XXX",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION));
+ "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' filesystem:http://example.com/XXX",
- Manifest::TYPE_EXTENSION));
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://*.googleapis.com",
+ OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION));
+ "default-src 'self' https://x.googleapis.com",
+ OPTIONS_ALLOW_UNSAFE_EVAL));
// "chrome-extension://" is an invalid CSP and ignored by Blink, but extension
// authors have been using this string anyway, so we cannot refuse this string
// until extensions can be loaded with an invalid CSP. http://crbug.com/434773
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
- "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION));
+ "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL));
+
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "script-src 'self'; object-src *", OPTIONS_NONE));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+ "script-src 'self'; object-src *; plugin-types application/pdf",
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "script-src 'self'; object-src *; "
+ "plugin-types application/x-shockwave-flash",
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "script-src 'self'; object-src *; "
+ "plugin-types application/x-shockwave-flash application/pdf",
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+ "script-src 'self'; object-src http://www.example.com; "
+ "plugin-types application/pdf",
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+ "object-src http://www.example.com blob:; script-src 'self'; "
+ "plugin-types application/pdf",
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+ "script-src 'self'; object-src http://*.example.com; "
+ "plugin-types application/pdf",
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "script-src *; object-src *; plugin-types application/pdf",
+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
}
TEST(ExtensionCSPValidator, IsSandboxed) {

Powered by Google App Engine
This is Rietveld 408576698