-rw-r--r--extensions/common/csp_validator.cc6
-rw-r--r--extensions/common/csp_validator_unittest.cc9
2 files changed, 14 insertions, 1 deletions
diff --git a/extensions/common/csp_validator.cc b/extensions/common/csp_validator.cc
index 65edd0a..23af91c 100644
--- a/extensions/common/csp_validator.cc
+++ b/extensions/common/csp_validator.cc
@@ -54,6 +54,12 @@ bool isNonWildcardTLD(const std::string& url,
if (end_of_host == std::string::npos)
end_of_host = url.size();
+ // A missing host such as "chrome-extension://" is invalid, but for backwards-
+ // compatibility, accept such CSP parts. They will be ignored by Blink anyway.
+ // TODO(robwu): Remove this special case once crbug.com/434773 is fixed.
+ if (start_of_host == end_of_host)
+ return true;
+
// Note: It is sufficient to only compare the first character against '*'
// because the CSP only allows wildcards at the start of a directive, see
// host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax
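Review bot: The early return at lines 19–20 reports as secure any source whose host span is empty, not only the bare `scheme://` form the comment names; depending on how end_of_host is found above the hunk (if it stops at the first ':' or '/'), forms such as `https://:443` or `https:///path` would also pass, and neither the comment nor the new unit tests in csp_validator_unittest.cc cover them. If that is intended, the comment should say so, e.g. `// Any source with an empty host (bare "scheme://", or with only a port/path after it) is accepted here; it is rejected by Blink's CSP parser, so it grants nothing.`; otherwise narrow the guard to `if (start_of_host == end_of_host && end_of_host == url.size())` and add a test for the port/path variants. Since the validator's safety now rests on Blink ignoring these sources, the comment should also state that dependency explicitly rather than only as a TODO. isNonWildcardTLD starts before the hunk, where start_of_host is computed.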
diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
index 9778a5a..436d450 100644
--- a/extensions/common/csp_validator_unittest.cc
+++ b/extensions/common/csp_validator_unittest.cc
@@ -98,7 +98,9 @@ TEST(ExtensionCSPValidator, IsSecure) {
"default-src 'self' *:*/", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' *:*/path", Manifest::TYPE_EXTENSION));
- EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ // "https://" is an invalid CSP, so it will be ignored by Blink.
+ // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed.
+ EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*:*", Manifest::TYPE_EXTENSION));
@@ -167,6 +169,11 @@ TEST(ExtensionCSPValidator, IsSecure) {
"default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION));
+ // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension
+ // authors have been using this string anyway, so we cannot refuse this string
+ // until extensions can be loaded with an invalid CSP. http://crbug.com/434773
+ EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION));
}
TEST(ExtensionCSPValidator, IsSandboxed) {