1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
|
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "extensions/common/csp_validator.h"
#include "testing/gtest/include/gtest/gtest.h"
using extensions::csp_validator::ContentSecurityPolicyIsLegal;
using extensions::csp_validator::ContentSecurityPolicyIsSecure;
using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
using extensions::Manifest;
TEST(ExtensionCSPValidator, IsLegal) {
EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
EXPECT_TRUE(ContentSecurityPolicyIsLegal(
"default-src 'self'; script-src http://www.google.com"));
EXPECT_FALSE(ContentSecurityPolicyIsLegal(
"default-src 'self';\nscript-src http://www.google.com"));
EXPECT_FALSE(ContentSecurityPolicyIsLegal(
"default-src 'self';\rscript-src http://www.google.com"));
EXPECT_FALSE(ContentSecurityPolicyIsLegal(
"default-src 'self';,script-src http://www.google.com"));
}
TEST(ExtensionCSPValidator, IsSecure) {
EXPECT_FALSE(
ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src *", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self'", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'none'", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src *; default-src 'self'", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self'; default-src *", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self'; default-src *; script-src *; script-src 'self'",
Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self'; default-src *; script-src 'self'; script-src *",
Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src *; script-src 'self'", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src *; script-src 'self'; img-src 'self'",
Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src *; script-src 'self'; object-src 'self'",
Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://google.com", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome-extension://aabbcc",
Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome-extension-resource://aabbcc",
Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https:", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' http:", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' google.com", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' *", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' *:*", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' *:*/", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' *:*/path", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*:*", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.com", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.*.google.com:*/",
Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://www.*.google.com/",
Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://www.*.google.com:*/",
Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome://*", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://localhost", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://127.0.0.1.example.com",
Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' http://localhost.example.com",
Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' blob:", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' blob:http://example.com/XXX",
Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' filesystem:", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' filesystem:http://example.com/XXX",
Manifest::TYPE_EXTENSION));
}
TEST(ExtensionCSPValidator, IsSandboxed) {
EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
Manifest::TYPE_EXTENSION));
// Sandbox directive is required.
EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
"sandbox", Manifest::TYPE_EXTENSION));
// Additional sandbox tokens are OK.
EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
"sandbox allow-scripts", Manifest::TYPE_EXTENSION));
// Except for allow-same-origin.
EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
"sandbox allow-same-origin", Manifest::TYPE_EXTENSION));
// Additional directives are OK.
EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
"sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION));
// Extensions allow navigation, platform apps don't.
EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
"sandbox allow-top-navigation", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
"sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP));
// Popups are OK.
EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
"sandbox allow-popups", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
"sandbox allow-popups", Manifest::TYPE_PLATFORM_APP));
}
|
