authorrob@robwu.nl <rob@robwu.nl@0039d316-1c4b-4281-b951-d872f2087c98>2014-08-19 23:48:22 +0000
committerrob@robwu.nl <rob@robwu.nl@0039d316-1c4b-4281-b951-d872f2087c98>2014-08-19 23:50:05 +0000
commit30f0f606ce6b03f865ae2792ca0ca2498e49092a (patch)
tree0ea8ba3c4b32a18e3d375407db91f687ffe983e0 /extensions/common/csp_validator_unittest.cc
parent04caf73c3a5edfd8d10d07e29c7e77a932fdd882 (diff)
Disallow non-subdomain wildcards such as https:// and https://*.com in the extension's Content Security Policy, and update the documentation to clarify the constraints of the CSP. BUG=404295 Review URL: https://codereview.chromium.org/481643002 Cr-Commit-Position: refs/heads/master@{#290699} git-svn-id: svn://svn.chromium.org/chrome/trunk/src@290699 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'extensions/common/csp_validator_unittest.cc')
-rw-r--r--extensions/common/csp_validator_unittest.cc19
1 files changed, 19 insertions, 0 deletions
diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
index 693a7910..727a068 100644
--- a/extensions/common/csp_validator_unittest.cc
+++ b/extensions/common/csp_validator_unittest.cc
@@ -99,11 +99,30 @@ TEST(ExtensionCSPValidator, IsSecure) {
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' *:*/path", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' https://", Manifest::TYPE_EXTENSION));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*:*", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' https://*.*.google.com:*/",
+ Manifest::TYPE_EXTENSION));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' https://www.*.google.com/",
+ Manifest::TYPE_EXTENSION));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' https://www.*.google.com:*/",
+ Manifest::TYPE_EXTENSION));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION));
+ EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION));