authorrob <rob@robwu.nl>2015-08-10 16:36:45 -0700
committerCommit bot <commit-bot@chromium.org>2015-08-10 23:37:18 +0000
commit8131e678f35f3984805c049fcc66cc2d3ecc2d2d (patch)
treed9d10ff327422ec50d4416f67f02ab01d95050e8 /extensions/common/csp_validator_unittest.cc
parentcaa7fbff19c6451b185d70edd0e05516c3e856f9 (diff)
Support hash-source CSP directive in extensions/apps
Support CSP hashes (http://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage). The validation is strict and follows the standard by the letter. Blink also accepts sha1 and URL-encoded base64, but the extension's CSP validator only accepts the syntax as specified by the CSP2 standard. This allows the Blink implementation to become standard-compliant in the future without breaking extensions. Also, the CSP validator will now preserve the case of the CSP tokens, mainly because base64 is case-sensitive. And base::StringToLowerASCII is deprecated, which is another reason to change to base::ToLowerASCII. BUG=446036 Review URL: https://codereview.chromium.org/1285523002 Cr-Commit-Position: refs/heads/master@{#342737}
Diffstat (limited to 'extensions/common/csp_validator_unittest.cc')
-rw-r--r--extensions/common/csp_validator_unittest.cc42
1 files changed, 33 insertions, 9 deletions
diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
index a9728f9..ed80024 100644
--- a/extensions/common/csp_validator_unittest.cc
+++ b/extensions/common/csp_validator_unittest.cc
@@ -311,9 +311,9 @@ TEST(ExtensionCSPValidator, IsSecure) {
"default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(CheckSanitizeCSP(
"default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL));
- EXPECT_TRUE(CheckSanitizeCSP(
- "default-src 'self' http://lOcAlHoSt;", OPTIONS_ALLOW_UNSAFE_EVAL,
- "default-src 'self' http://localhost;"));
+ EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;",
+ OPTIONS_ALLOW_UNSAFE_EVAL,
+ "default-src 'self' http://lOcAlHoSt;"));
EXPECT_TRUE(CheckSanitizeCSP(
"default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(CheckSanitizeCSP(
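Review bot: The rewritten `http://lOcAlHoSt` expectation pins that host case is now preserved, but nothing in this hunk checks that keyword and scheme matching stayed case-insensitive once the validator stopped lowercasing tokens before comparison. If the previous lowercasing was what let `'SELF'` or `HTTPS://` match, a companion case such as `EXPECT_TRUE(CheckSanitizeCSP("default-src 'SELF';", OPTIONS_ALLOW_UNSAFE_EVAL));` would lock the intended behaviour in, whichever way it is decided. IsSecure starts before this hunk and continues past it.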
@@ -333,16 +333,14 @@ TEST(ExtensionCSPValidator, IsSecure) {
"default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(CheckSanitizeCSP(
"default-src 'self' blob:http://example.com/XXX",
- OPTIONS_ALLOW_UNSAFE_EVAL,
- "default-src 'self';",
- InsecureValueWarning("default-src", "blob:http://example.com/xxx")));
+ OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';",
+ InsecureValueWarning("default-src", "blob:http://example.com/XXX")));
EXPECT_TRUE(CheckSanitizeCSP(
"default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL));
EXPECT_TRUE(CheckSanitizeCSP(
"default-src 'self' filesystem:http://example.com/XX",
- OPTIONS_ALLOW_UNSAFE_EVAL,
- "default-src 'self';",
- InsecureValueWarning("default-src", "filesystem:http://example.com/xx")));
+ OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';",
+ InsecureValueWarning("default-src", "filesystem:http://example.com/XX")));
EXPECT_TRUE(CheckSanitizeCSP(
"default-src 'self' https://*.googleapis.com;",
@@ -393,6 +391,32 @@ TEST(ExtensionCSPValidator, IsSecure) {
OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
"script-src; object-src *; plugin-types application/pdf;",
InsecureValueWarning("script-src", "*")));
+
+ EXPECT_TRUE(CheckSanitizeCSP(
+ "default-src; script-src"
+ " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='"
+ " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS"
+ "t'"
+ " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw"
+ "vCSapSz5CVoUGHQcxv43UQg==';",
+ OPTIONS_NONE));
+
+ // Reject non-standard algorithms, even if they are still supported by Blink.
+ EXPECT_TRUE(CheckSanitizeCSP(
+ "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';",
+ OPTIONS_NONE, "default-src; script-src;",
+ InsecureValueWarning("script-src",
+ "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='")));
+
+ EXPECT_TRUE(CheckSanitizeCSP(
+ "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ"
+ "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';",
+ OPTIONS_NONE, "default-src; script-src;",
+ InsecureValueWarning(
+ "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="),
+ InsecureValueWarning(
+ "script-src",
+ "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='")));
}
TEST(ExtensionCSPValidator, IsSandboxed) {
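Review bot: The commit message says the validator rejects URL-encoded base64 as well as sha1, but the new cases only exercise sha1 and a quote-splitting mistake; nothing feeds a base64url digest (`-`/`_` alphabet) or an empty digest, so the strictness the description promises is unverified, and whether an upper-case algorithm name like `'SHA256-…'` is accepted is likewise undecided by this hunk and deserves a deliberately chosen expectation. Cases along the lines below would pin the rejection side (digest values are constructed, derived from the sha256 token already in the test); per the CSP2 base64-value grammar the description cites, both should be rejected. The mid-token literal splits on the sha384/sha512 and second sha256 lines make the hashes hard to verify by eye; one literal per hash would be easier to review. IsSecure's body starts before this hunk.
```cpp
  // … unchanged: existing hash-source cases above …

  // Reject the base64url alphabet; CSP2 only allows standard base64
  // (constructed value: '/' in the sha256 digest above replaced by '_').
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src; script-src "
      "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX_qYs_aDVyUyNZwBw=';",
      OPTIONS_NONE, "default-src; script-src;",
      InsecureValueWarning(
          "script-src",
          "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX_qYs_aDVyUyNZwBw='")));

  // Reject an empty digest (constructed value).
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src; script-src 'sha256-';",
      OPTIONS_NONE, "default-src; script-src;",
      InsecureValueWarning("script-src", "'sha256-'")));
}
```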