      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "extensions/common/csp_validator.h"
      6 #include "testing/gtest/include/gtest/gtest.h"
      7 
      8 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
      9 using extensions::csp_validator::ContentSecurityPolicyIsSecure;
     10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
     11 using extensions::Manifest;
     12 
// ContentSecurityPolicyIsLegal() is a purely syntactic check on the raw
// manifest value, not a security judgement: an arbitrary token such as "foo"
// is legal. What it rejects are line breaks and commas anywhere in the value
// -- presumably because the policy is later serialized in a header-like
// context where CR/LF and ',' act as delimiters (TODO(review): confirm
// against csp_validator.cc).
TEST(ExtensionCSPValidator, IsLegal) {
  struct Case {
    const char* csp;
    bool legal;
  };
  const Case kCases[] = {
      // The directive content is not interpreted; semicolon-separated text
      // of any kind passes.
      {"foo", true},
      {"default-src 'self'; script-src http://www.google.com", true},
      // LF, CR and ',' are rejected wherever they appear.
      {"default-src 'self';\nscript-src http://www.google.com", false},
      {"default-src 'self';\rscript-src http://www.google.com", false},
      {"default-src 'self';,script-src http://www.google.com", false},
  };
  for (const Case& c : kCases) {
    EXPECT_EQ(c.legal, ContentSecurityPolicyIsLegal(c.csp))
        << "policy: \"" << c.csp << "\"";
  }
}
     24 
// ContentSecurityPolicyIsSecure() is the gate that keeps an extension from
// shipping a policy that re-opens remote or inline script execution. Each
// entry below pairs a manifest policy and a manifest type with the verdict
// the validator must return; the group comments state the rule each group
// pins down, as evidenced by the expectations themselves.
TEST(ExtensionCSPValidator, IsSecure) {
  struct Case {
    const char* csp;
    Manifest::Type type;
    bool secure;
  };
  const Manifest::Type kExt = Manifest::TYPE_EXTENSION;
  const Manifest::Type kLegacyApp = Manifest::TYPE_LEGACY_PACKAGED_APP;
  const Manifest::Type kPlatformApp = Manifest::TYPE_PLATFORM_APP;

  const Case kCases[] = {
      // A policy that says nothing about scripts is no policy at all.
      {"", kExt, false},
      {"img-src https://google.com", kExt, false},

      // Source lists: '*' is open; 'self' and 'none' are closed; ftp:// is
      // rejected while a concrete https:// host is allowed.
      {"default-src *", kExt, false},
      {"default-src 'self'", kExt, true},
      {"default-src 'none'", kExt, true},
      {"default-src 'self' ftp://google.com", kExt, false},
      {"default-src 'self' https://google.com", kExt, true},

      // Duplicate directives: the first occurrence is the one that counts.
      // A later, looser repeat cannot widen the policy, and a later, tighter
      // repeat cannot rescue a loose one.
      {"default-src *; default-src 'self'", kExt, false},
      {"default-src 'self'; default-src *", kExt, true},
      {"default-src 'self'; default-src *; script-src *; script-src 'self'",
       kExt, false},
      {"default-src 'self'; default-src *; script-src 'self'; script-src *",
       kExt, true},

      // What is judged is the effective script-src AND object-src, each
      // falling back to default-src. Tightening script-src alone (or
      // script-src plus an unrelated directive) still leaves object-src wide
      // open and is rejected; tightening both is enough even without a
      // default-src.
      {"default-src *; script-src 'self'", kExt, false},
      {"default-src *; script-src 'self'; img-src 'self'", kExt, false},
      {"default-src *; script-src 'self'; object-src 'self'", kExt, true},
      {"script-src 'self'; object-src 'self'", kExt, true},

      // 'unsafe-eval' is tolerated for extensions and legacy packaged apps
      // but not for platform apps. 'unsafe-inline' is never accepted, even
      // when 'none' is listed alongside it.
      {"default-src 'unsafe-eval'", kExt, true},
      {"default-src 'unsafe-eval'", kLegacyApp, true},
      {"default-src 'unsafe-eval'", kPlatformApp, false},
      {"default-src 'unsafe-inline'", kExt, false},
      {"default-src 'unsafe-inline' 'none'", kExt, false},

      // Schemes: http:// to a remote host is rejected (a plaintext fetch can
      // be tampered with in transit); https://, chrome://,
      // chrome-extension:// and chrome-extension-resource:// with a concrete
      // host are accepted. A bare scheme or a scheme-less host does not name
      // a specific origin and is rejected.
      {"default-src 'self' http://google.com", kExt, false},
      {"default-src 'self' https://google.com", kExt, true},
      {"default-src 'self' chrome://resources", kExt, true},
      {"default-src 'self' chrome-extension://aabbcc", kExt, true},
      {"default-src 'self' chrome-extension-resource://aabbcc", kExt, true},
      {"default-src 'self' https:", kExt, false},
      {"default-src 'self' http:", kExt, false},
      {"default-src 'self' google.com", kExt, false},

      // Host wildcards that match every host, a whole TLD, more than one
      // label, or a non-leading label are rejected, for every scheme.
      {"default-src 'self' *", kExt, false},
      {"default-src 'self' *:*", kExt, false},
      {"default-src 'self' *:*/", kExt, false},
      {"default-src 'self' *:*/path", kExt, false},
      {"default-src 'self' https://", kExt, false},
      {"default-src 'self' https://*:*", kExt, false},
      {"default-src 'self' https://*:*/", kExt, false},
      {"default-src 'self' https://*:*/path", kExt, false},
      {"default-src 'self' https://*.com", kExt, false},
      {"default-src 'self' https://*.*.google.com/", kExt, false},
      {"default-src 'self' https://*.*.google.com:*/", kExt, false},
      {"default-src 'self' https://www.*.google.com/", kExt, false},
      {"default-src 'self' https://www.*.google.com:*/", kExt, false},
      {"default-src 'self' chrome://*", kExt, false},
      {"default-src 'self' chrome-extension://*", kExt, false},

      // A single leading "*." on an otherwise concrete domain is fine, with
      // or without a port (fixed or wildcard) and a trailing slash.
      {"default-src 'self' https://*.google.com", kExt, true},
      {"default-src 'self' https://*.google.com:1", kExt, true},
      {"default-src 'self' https://*.google.com:*", kExt, true},
      {"default-src 'self' https://*.google.com:1/", kExt, true},
      {"default-src 'self' https://*.google.com:*/", kExt, true},

      // Plain http is allowed only for the loopback hosts 127.0.0.1 and
      // localhost (matched case-insensitively, on any port). A host that
      // merely starts with one of those names is still remote and is
      // rejected.
      {"default-src 'self' http://127.0.0.1", kExt, true},
      {"default-src 'self' http://localhost", kExt, true},
      {"default-src 'self' http://lOcAlHoSt", kExt, true},
      {"default-src 'self' http://127.0.0.1:9999", kExt, true},
      {"default-src 'self' http://localhost:8888", kExt, true},
      {"default-src 'self' http://127.0.0.1.example.com", kExt, false},
      {"default-src 'self' http://localhost.example.com", kExt, false},

      // blob: and filesystem: are accepted as bare schemes; with an http
      // origin appended they are rejected. (Whether that is because of the
      // http origin or because URL-form blob:/filesystem: sources are
      // disallowed altogether is not pinned down by these cases.)
      {"default-src 'self' blob:", kExt, true},
      {"default-src 'self' blob:http://example.com/XXX", kExt, false},
      {"default-src 'self' filesystem:", kExt, true},
      {"default-src 'self' filesystem:http://example.com/XXX", kExt, false},

      // Ordinary https hosts, wildcarded or not, stay accepted.
      {"default-src 'self' https://*.googleapis.com", kExt, true},
      {"default-src 'self' https://x.googleapis.com", kExt, true},
  };
  // NOTE(review): nothing here pins 'unsafe-inline' for TYPE_PLATFORM_APP,
  // ws:/wss: or data: sources, or http://localhost for a platform app; those
  // verdicts come from csp_validator.cc and are not asserted by this test.

  for (const Case& c : kCases) {
    EXPECT_EQ(c.secure, ContentSecurityPolicyIsSecure(c.csp, c.type))
        << "policy: \"" << c.csp << "\" type: " << static_cast<int>(c.type);
  }
}
    171 
// ContentSecurityPolicyIsSandboxed() checks that a policy actually isolates
// the page. The rules these cases pin down: the "sandbox" directive is
// mandatory; additional sandbox flags and additional directives are fine;
// allow-same-origin is never accepted (it would hand the page back the
// extension's origin, and with it the privileges the sandbox is meant to
// strip); allow-top-navigation is accepted for extensions but not for
// platform apps; allow-popups is accepted for both.
TEST(ExtensionCSPValidator, IsSandboxed) {
  struct Case {
    const char* csp;
    Manifest::Type type;
    bool sandboxed;
  };
  const Manifest::Type kExt = Manifest::TYPE_EXTENSION;
  const Manifest::Type kPlatformApp = Manifest::TYPE_PLATFORM_APP;

  const Case kCases[] = {
      // No "sandbox" directive at all: not sandboxed, whatever else is set.
      {"", kExt, false},
      {"img-src https://google.com", kExt, false},

      // The bare directive is enough.
      {"sandbox", kExt, true},

      // Extra sandbox flags are fine, except allow-same-origin, which would
      // undo the isolation the sandbox exists to provide.
      {"sandbox allow-scripts", kExt, true},
      {"sandbox allow-same-origin", kExt, false},

      // Other directives may accompany the sandbox directive.
      {"sandbox; img-src https://google.com", kExt, true},

      // Top-level navigation is tolerated for extensions but refused for
      // platform apps; popups are accepted for both.
      {"sandbox allow-top-navigation", kExt, true},
      {"sandbox allow-top-navigation", kPlatformApp, false},
      {"sandbox allow-popups", kExt, true},
      {"sandbox allow-popups", kPlatformApp, true},
  };

  for (const Case& c : kCases) {
    EXPECT_EQ(c.sandboxed, ContentSecurityPolicyIsSandboxed(c.csp, c.type))
        << "policy: \"" << c.csp << "\" type: " << static_cast<int>(c.type);
  }
}
    204 }
    205