Home | History | Annotate | Download | only in common 
      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "extensions/common/csp_validator.h"
      6 #include "testing/gtest/include/gtest/gtest.h"
      7 
      8 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
      9 using extensions::csp_validator::ContentSecurityPolicyIsSecure;
     10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
     11 using extensions::Manifest;
     12 
     13 TEST(ExtensionCSPValidator, IsLegal) {
     14   EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
     15   EXPECT_TRUE(ContentSecurityPolicyIsLegal(
     16       "default-src 'self'; script-src http://www.google.com"));
     17   EXPECT_FALSE(ContentSecurityPolicyIsLegal(
     18       "default-src 'self';\nscript-src http://www.google.com"));
     19   EXPECT_FALSE(ContentSecurityPolicyIsLegal(
     20       "default-src 'self';\rscript-src http://www.google.com"));
     21   EXPECT_FALSE(ContentSecurityPolicyIsLegal(
     22       "default-src 'self';,script-src http://www.google.com"));
     23 }
     24 
     25 TEST(ExtensionCSPValidator, IsSecure) {
     26   EXPECT_FALSE(
     27       ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION));
     28   EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
     29                                              Manifest::TYPE_EXTENSION));
     30 
     31   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     32       "default-src *", Manifest::TYPE_EXTENSION));
     33   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     34       "default-src 'self'", Manifest::TYPE_EXTENSION));
     35   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     36       "default-src 'none'", Manifest::TYPE_EXTENSION));
     37   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     38       "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION));
     39   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     40       "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
     41 
     42   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     43       "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION));
     44   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     45       "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION));
     46   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     47       "default-src 'self'; default-src *; script-src *; script-src 'self'",
     48        Manifest::TYPE_EXTENSION));
     49   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     50       "default-src 'self'; default-src *; script-src 'self'; script-src *",
     51       Manifest::TYPE_EXTENSION));
     52 
     53   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     54       "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION));
     55   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     56       "default-src *; script-src 'self'; img-src 'self'",
     57       Manifest::TYPE_EXTENSION));
     58   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     59       "default-src *; script-src 'self'; object-src 'self'",
     60       Manifest::TYPE_EXTENSION));
     61   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     62       "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION));
     63   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     64       "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION));
     65   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     66       "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP));
     67 
     68   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     69       "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP));
     70   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     71       "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION));
     72   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     73       "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION));
     74   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     75       "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION));
     76   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     77       "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
     78   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     79       "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION));
     80   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     81       "default-src 'self' chrome-extension://aabbcc",
     82       Manifest::TYPE_EXTENSION));
     83   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
     84      "default-src 'self' chrome-extension-resource://aabbcc",
     85      Manifest::TYPE_EXTENSION));
     86   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     87       "default-src 'self' https:", Manifest::TYPE_EXTENSION));
     88   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     89       "default-src 'self' http:", Manifest::TYPE_EXTENSION));
     90   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     91       "default-src 'self' google.com", Manifest::TYPE_EXTENSION));
     92 
     93   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     94       "default-src 'self' *", Manifest::TYPE_EXTENSION));
     95   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     96       "default-src 'self' *:*", Manifest::TYPE_EXTENSION));
     97   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
     98       "default-src 'self' *:*/", Manifest::TYPE_EXTENSION));
     99   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
    100       "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION));
    101   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
    102       "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION));
    103   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
    104       "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION));
    105   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
    106       "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION));
    107 
    108   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    109       "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION));
    110   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    111       "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION));
    112   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    113       "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION));
    114   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    115       "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION));
    116   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    117       "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION));
    118 
    119   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    120       "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION));
    121   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    122       "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION));
    123   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    124       "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION));
    125   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    126       "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION));
    127   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    128       "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION));
    129   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
    130       "default-src 'self' http://127.0.0.1.example.com",
    131       Manifest::TYPE_EXTENSION));
    132   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
    133       "default-src 'self' http://localhost.example.com",
    134       Manifest::TYPE_EXTENSION));
    135 
    136   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    137       "default-src 'self' blob:", Manifest::TYPE_EXTENSION));
    138   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
    139       "default-src 'self' blob:http://example.com/XXX",
    140       Manifest::TYPE_EXTENSION));
    141   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
    142       "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION));
    143   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
    144       "default-src 'self' filesystem:http://example.com/XXX",
    145       Manifest::TYPE_EXTENSION));
    146 }
    147 
    148 TEST(ExtensionCSPValidator, IsSandboxed) {
    149   EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
    150                                                 Manifest::TYPE_EXTENSION));
    151   EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
    152                                                 Manifest::TYPE_EXTENSION));
    153 
    154   // Sandbox directive is required.
    155   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
    156       "sandbox", Manifest::TYPE_EXTENSION));
    157 
    158   // Additional sandbox tokens are OK.
    159   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
    160       "sandbox allow-scripts", Manifest::TYPE_EXTENSION));
    161   // Except for allow-same-origin.
    162   EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
    163       "sandbox allow-same-origin", Manifest::TYPE_EXTENSION));
    164 
    165   // Additional directives are OK.
    166   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
    167       "sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION));
    168 
    169   // Extensions allow navigation, platform apps don't.
    170   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
    171       "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION));
    172   EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
    173       "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP));
    174 
    175   // Popups are OK.
    176   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
    177       "sandbox allow-popups", Manifest::TYPE_EXTENSION));
    178   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
    179       "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP));
    180 }
    181