extensions/common/csp_validator.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "extensions/common/csp_validator.h"
   6
   7 #include <vector>
   8
   9 #include "base/strings/string_split.h"
  10 #include "base/strings/string_tokenizer.h"
  11 #include "base/strings/string_util.h"
  12 #include "content/public/common/url_constants.h"
  13 #include "extensions/common/constants.h"
  14 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
  15
  16 namespace extensions {
  17
  18 namespace csp_validator {
  19
  20 namespace {
  21
  22 const char kDefaultSrc[] = "default-src";
  23 const char kScriptSrc[] = "script-src";
  24 const char kObjectSrc[] = "object-src";
  25
  26 const char kSandboxDirectiveName[] = "sandbox";
  27 const char kAllowSameOriginToken[] = "allow-same-origin";
  28 const char kAllowTopNavigation[] = "allow-top-navigation";
  29
  30 struct DirectiveStatus {
  31   explicit DirectiveStatus(const char* name)
  32     : directive_name(name)
  33     , seen_in_policy(false)
  34     , is_secure(false) {
  35   }
  36
  37   const char* directive_name;
  38   bool seen_in_policy;
  39   bool is_secure;
  40 };
  41
  42 // Returns whether |url| starts with |scheme_and_separator| and does not have a
  43 // too permissive wildcard host name. If |should_check_rcd| is true, then the
  44 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org".
  45 bool isNonWildcardTLD(const std::string& url,
  46                       const std::string& scheme_and_separator,
  47                       bool should_check_rcd) {
  48   if (!StartsWithASCII(url, scheme_and_separator, true))
  49     return false;
  50
  51   size_t start_of_host = scheme_and_separator.length();
  52
  53   size_t end_of_host = url.find("/", start_of_host);
  54   if (end_of_host == std::string::npos)
  55     end_of_host = url.size();
  56
  57   // A missing host such as "chrome-extension://" is invalid, but for backwards-
  58   // compatibility, accept such CSP parts. They will be ignored by Blink anyway.
  59   // TODO(robwu): Remove this special case once crbug.com/434773 is fixed.
  60   if (start_of_host == end_of_host)
  61     return true;
  62
  63   // Note: It is sufficient to only compare the first character against '*'
  64   // because the CSP only allows wildcards at the start of a directive, see
  65   // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax
  66   bool is_wildcard_subdomain = end_of_host > start_of_host + 2 &&
  67       url[start_of_host] == '*' && url[start_of_host + 1] == '.';
  68   if (is_wildcard_subdomain)
  69     start_of_host += 2;
  70
  71   size_t start_of_port = url.rfind(":", end_of_host);
  72   // The ":" check at the end of the following condition is used to avoid
  73   // treating the last part of an IPv6 address as a port.
  74   if (start_of_port > start_of_host && url[start_of_port - 1] != ':') {
  75     bool is_valid_port = false;
  76     // Do a quick sanity check. The following check could mistakenly flag
  77     // ":123456" or ":****" as valid, but that does not matter because the
  78     // relaxing CSP directive will just be ignored by Blink.
  79     for (size_t i = start_of_port + 1; i < end_of_host; ++i) {
  80       is_valid_port = IsAsciiDigit(url[i]) || url[i] == '*';
  81       if (!is_valid_port)
  82         break;
  83     }
  84     if (is_valid_port)
  85       end_of_host = start_of_port;
  86   }
  87
  88   std::string host(url, start_of_host, end_of_host - start_of_host);
  89   // Global wildcards are not allowed.
  90   if (host.empty() || host.find("*") != std::string::npos)
  91     return false;
  92
  93   if (!is_wildcard_subdomain || !should_check_rcd)
  94     return true;
  95
  96   // Allow *.googleapis.com to be whitelisted for backwards-compatibility.
  97   // (crbug.com/409952)
  98   if (host == "googleapis.com")
  99     return true;
 100
 101   // Wildcards on subdomains of a TLD are not allowed.
 102   size_t registry_length = net::registry_controlled_domains::GetRegistryLength(
 103       host,
 104       net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
 105       net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
 106   return registry_length != 0;
 107 }
 108
 109 bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,
 110                          Manifest::Type type) {
 111   while (tokenizer.GetNext()) {
 112     std::string source = tokenizer.token();
 113     base::StringToLowerASCII(&source);
 114
 115     // We might need to relax this whitelist over time.
 116     if (source == "'self'" ||
 117         source == "'none'" ||
 118         source == "http://127.0.0.1" ||
 119         LowerCaseEqualsASCII(source, "blob:") ||
 120         LowerCaseEqualsASCII(source, "filesystem:") ||
 121         LowerCaseEqualsASCII(source, "http://localhost") ||
 122         StartsWithASCII(source, "http://127.0.0.1:", true) ||
 123         StartsWithASCII(source, "http://localhost:", true) ||
 124         isNonWildcardTLD(source, "https://", true) ||
 125         isNonWildcardTLD(source, "chrome://", false) ||
 126         isNonWildcardTLD(source,
 127                          std::string(extensions::kExtensionScheme) +
 128                          url::kStandardSchemeSeparator,
 129                          false) ||
 130         StartsWithASCII(source, "chrome-extension-resource:", true)) {
 131       continue;
 132     }
 133
 134     // crbug.com/146487
 135     if (type == Manifest::TYPE_EXTENSION ||
 136         type == Manifest::TYPE_LEGACY_PACKAGED_APP) {
 137       if (source == "'unsafe-eval'")
 138         continue;
 139     }
 140
 141     return false;
 142   }
 143
 144   return true;  // Empty values default to 'none', which is secure.
 145 }
 146
 147 // Returns true if |directive_name| matches |status.directive_name|.
 148 bool UpdateStatus(const std::string& directive_name,
 149                   base::StringTokenizer& tokenizer,
 150                   DirectiveStatus* status,
 151                   Manifest::Type type) {
 152   if (status->seen_in_policy)
 153     return false;
 154   if (directive_name != status->directive_name)
 155     return false;
 156   status->seen_in_policy = true;
 157   status->is_secure = HasOnlySecureTokens(tokenizer, type);
 158   return true;
 159 }
 160
 161 }  //  namespace
 162
 163 bool ContentSecurityPolicyIsLegal(const std::string& policy) {
 164   // We block these characters to prevent HTTP header injection when
 165   // representing the content security policy as an HTTP header.
 166   const char kBadChars[] = {',', '\r', '\n', '\0'};
 167
 168   return policy.find_first_of(kBadChars, 0, arraysize(kBadChars)) ==
 169       std::string::npos;
 170 }
 171
 172 bool ContentSecurityPolicyIsSecure(const std::string& policy,
 173                                    Manifest::Type type) {
 174   // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
 175   std::vector<std::string> directives;
 176   base::SplitString(policy, ';', &directives);
 177
 178   DirectiveStatus default_src_status(kDefaultSrc);
 179   DirectiveStatus script_src_status(kScriptSrc);
 180   DirectiveStatus object_src_status(kObjectSrc);
 181
 182   for (size_t i = 0; i < directives.size(); ++i) {
 183     std::string& input = directives[i];
 184     base::StringTokenizer tokenizer(input, " \t\r\n");
 185     if (!tokenizer.GetNext())
 186       continue;
 187
 188     std::string directive_name = tokenizer.token();
 189     base::StringToLowerASCII(&directive_name);
 190
 191     if (UpdateStatus(directive_name, tokenizer, &default_src_status, type))
 192       continue;
 193     if (UpdateStatus(directive_name, tokenizer, &script_src_status, type))
 194       continue;
 195     if (UpdateStatus(directive_name, tokenizer, &object_src_status, type))
 196       continue;
 197   }
 198
 199   if (script_src_status.seen_in_policy && !script_src_status.is_secure)
 200     return false;
 201
 202   if (object_src_status.seen_in_policy && !object_src_status.is_secure)
 203     return false;
 204
 205   if (default_src_status.seen_in_policy && !default_src_status.is_secure) {
 206     return script_src_status.seen_in_policy &&
 207            object_src_status.seen_in_policy;
 208   }
 209
 210   return default_src_status.seen_in_policy ||
 211       (script_src_status.seen_in_policy && object_src_status.seen_in_policy);
 212 }
 213
 214 bool ContentSecurityPolicyIsSandboxed(
 215     const std::string& policy, Manifest::Type type) {
 216   // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
 217   std::vector<std::string> directives;
 218   base::SplitString(policy, ';', &directives);
 219
 220   bool seen_sandbox = false;
 221
 222   for (size_t i = 0; i < directives.size(); ++i) {
 223     std::string& input = directives[i];
 224     base::StringTokenizer tokenizer(input, " \t\r\n");
 225     if (!tokenizer.GetNext())
 226       continue;
 227
 228     std::string directive_name = tokenizer.token();
 229     base::StringToLowerASCII(&directive_name);
 230
 231     if (directive_name != kSandboxDirectiveName)
 232       continue;
 233
 234     seen_sandbox = true;
 235
 236     while (tokenizer.GetNext()) {
 237       std::string token = tokenizer.token();
 238       base::StringToLowerASCII(&token);
 239
 240       // The same origin token negates the sandboxing.
 241       if (token == kAllowSameOriginToken)
 242         return false;
 243
 244       // Platform apps don't allow navigation.
 245       if (type == Manifest::TYPE_PLATFORM_APP) {
 246         if (token == kAllowTopNavigation)
 247           return false;
 248       }
 249     }
 250   }
 251
 252   return seen_sandbox;
 253 }
 254
 255 }  // namespace csp_validator
 256
 257 }  // namespace extensions