author | rob <rob@robwu.nl> | 2015-08-10 16:36:45 -0700 |
committer | Commit bot <commit-bot@chromium.org> | 2015-08-10 23:37:18 +0000 |
commit | 8131e678f35f3984805c049fcc66cc2d3ecc2d2d (patch) | |
tree | d9d10ff327422ec50d4416f67f02ab01d95050e8 /extensions/common/csp_validator_unittest.cc | |
parent | caa7fbff19c6451b185d70edd0e05516c3e856f9 (diff) | |
Support hash-source CSP directive in extensions/apps
Support CSP hashes (http://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage).
The validation is strict and follows the standard by the letter.
Blink also accepts sha1 and URL-encoded base64, but the extension's CSP
validator only accepts the syntax as specified by the CSP2 standard.
This allows the Blink implementation to become standard-compliant in the
future without breaking extensions.
Also, the CSP validator will now preserve the case of the CSP tokens,
mainly because base64 is case-sensitive. And base::StringToLowerASCII
is deprecated, which is another reason to change to base::ToLowerASCII.
BUG=446036
Review URL: https://codereview.chromium.org/1285523002
Cr-Commit-Position: refs/heads/master@{#342737}
Diffstat (limited to 'extensions/common/csp_validator_unittest.cc')
-rw-r--r-- | extensions/common/csp_validator_unittest.cc | 42 |
1 files changed, 33 insertions, 9 deletions
diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
index a9728f9..ed80024 100644
--- a/extensions/common/csp_validator_unittest.cc
+++ b/extensions/common/csp_validator_unittest.cc
@@ -311,9 +311,9 @@ TEST(ExtensionCSPValidator, IsSecure) {
 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL));
- EXPECT_TRUE(CheckSanitizeCSP(
- "default-src 'self' http://lOcAlHoSt;", OPTIONS_ALLOW_UNSAFE_EVAL,
- "default-src 'self' http://localhost;"));
+ EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;",
+ OPTIONS_ALLOW_UNSAFE_EVAL,
+ "default-src 'self' http://lOcAlHoSt;"));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL));
 EXPECT_TRUE(CheckSanitizeCSP(
@@ -333,16 +333,14 @@ TEST(ExtensionCSPValidator, IsSecure) {
 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' blob:http://example.com/XXX",
- OPTIONS_ALLOW_UNSAFE_EVAL,
- "default-src 'self';",
- InsecureValueWarning("default-src", "blob:http://example.com/xxx")));
+ OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';",
+ InsecureValueWarning("default-src", "blob:http://example.com/XXX")));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' filesystem:http://example.com/XX",
- OPTIONS_ALLOW_UNSAFE_EVAL,
- "default-src 'self';",
- InsecureValueWarning("default-src", "filesystem:http://example.com/xx")));
+ OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';",
+ InsecureValueWarning("default-src", "filesystem:http://example.com/XX")));
 EXPECT_TRUE(CheckSanitizeCSP(
 "default-src 'self' https://*.googleapis.com;",
@@ -393,6 +391,32 @@ TEST(ExtensionCSPValidator, IsSecure) {
 OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
 "script-src; object-src *; plugin-types application/pdf;",
 InsecureValueWarning("script-src", "*")));
+
+ EXPECT_TRUE(CheckSanitizeCSP(
+ "default-src; script-src"
+ " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='"
+ " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS"
+ "t'"
+ " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw"
+ "vCSapSz5CVoUGHQcxv43UQg==';",
+ OPTIONS_NONE));
+
+ // Reject non-standard algorithms, even if they are still supported by Blink.
+ EXPECT_TRUE(CheckSanitizeCSP(
+ "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';",
+ OPTIONS_NONE, "default-src; script-src;",
+ InsecureValueWarning("script-src",
+ "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='")));
+
+ EXPECT_TRUE(CheckSanitizeCSP(
+ "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ"
+ "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';",
+ OPTIONS_NONE, "default-src; script-src;",
+ InsecureValueWarning(
+ "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="),
+ InsecureValueWarning(
+ "script-src",
+ "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='")));
 }
 
 TEST(ExtensionCSPValidator, IsSandboxed) {
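Review bot: The last added case (two hashes inside one pair of quotes) reads like a typo, because the expected warnings are the two halves `'sha256-…wBw=` and `sha256-…Tng='` with a quote missing on each; a comment before it such as `// Whitespace inside the quotes splits the token, so each half is reported as an invalid source.` would make the intent clear. The new cases also do not exercise the strictness the commit description claims over Blink: only sha1 is rejected, and nothing pins that URL-safe base64 or a digest of the wrong length is refused, so a rejection case like `"default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX_qYs_aDVyUyNZwBw=';"` (constructed from the sha256 value above with `/` replaced by `_`) expecting `"default-src; script-src;"` plus an InsecureValueWarning would lock the documented behaviour in. I read the two-argument `CheckSanitizeCSP(..., OPTIONS_NONE)` form as asserting the policy is returned unchanged; worth confirming against the helper, since that is what makes the first case prove the three hashes were accepted. The enclosing TEST(ExtensionCSPValidator, IsSecure) body starts outside the hunk.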