1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/common/csp_validator.h"
6 #include "testing/gtest/include/gtest/gtest.h"
8 using extensions::csp_validator::ContentSecurityPolicyIsLegal
;
9 using extensions::csp_validator::ContentSecurityPolicyIsSecure
;
10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed
;
11 using extensions::Manifest
;
13 TEST(ExtensionCSPValidator
, IsLegal
) {
14 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
15 EXPECT_TRUE(ContentSecurityPolicyIsLegal(
16 "default-src 'self'; script-src http://www.google.com"));
17 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
18 "default-src 'self';\nscript-src http://www.google.com"));
19 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
20 "default-src 'self';\rscript-src http://www.google.com"));
21 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
22 "default-src 'self';,script-src http://www.google.com"));
25 TEST(ExtensionCSPValidator
, IsSecure
) {
27 ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION
));
28 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
29 Manifest::TYPE_EXTENSION
));
31 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
32 "default-src *", Manifest::TYPE_EXTENSION
));
33 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
34 "default-src 'self'", Manifest::TYPE_EXTENSION
));
35 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
36 "default-src 'none'", Manifest::TYPE_EXTENSION
));
37 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
38 "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION
));
39 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
40 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION
));
42 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
43 "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION
));
44 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
45 "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION
));
46 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
47 "default-src 'self'; default-src *; script-src *; script-src 'self'",
48 Manifest::TYPE_EXTENSION
));
49 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
50 "default-src 'self'; default-src *; script-src 'self'; script-src *",
51 Manifest::TYPE_EXTENSION
));
53 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
54 "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION
));
55 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
56 "default-src *; script-src 'self'; img-src 'self'",
57 Manifest::TYPE_EXTENSION
));
58 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
59 "default-src *; script-src 'self'; object-src 'self'",
60 Manifest::TYPE_EXTENSION
));
61 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
62 "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION
));
63 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
64 "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION
));
65 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
66 "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP
));
68 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
69 "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP
));
70 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
71 "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION
));
72 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
73 "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION
));
74 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
75 "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION
));
76 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
77 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION
));
78 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
79 "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION
));
80 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
81 "default-src 'self' chrome-extension://aabbcc",
82 Manifest::TYPE_EXTENSION
));
83 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
84 "default-src 'self' chrome-extension-resource://aabbcc",
85 Manifest::TYPE_EXTENSION
));
86 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
87 "default-src 'self' https:", Manifest::TYPE_EXTENSION
));
88 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
89 "default-src 'self' http:", Manifest::TYPE_EXTENSION
));
90 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
91 "default-src 'self' google.com", Manifest::TYPE_EXTENSION
));
93 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
94 "default-src 'self' *", Manifest::TYPE_EXTENSION
));
95 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
96 "default-src 'self' *:*", Manifest::TYPE_EXTENSION
));
97 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
98 "default-src 'self' *:*/", Manifest::TYPE_EXTENSION
));
99 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
100 "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION
));
101 // "https://" is an invalid CSP, so it will be ignored by Blink.
102 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed.
103 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
104 "default-src 'self' https://", Manifest::TYPE_EXTENSION
));
105 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
106 "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION
));
107 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
108 "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION
));
109 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
110 "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION
));
111 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
112 "default-src 'self' https://*.com", Manifest::TYPE_EXTENSION
));
113 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
114 "default-src 'self' https://*.*.google.com/", Manifest::TYPE_EXTENSION
));
115 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
116 "default-src 'self' https://*.*.google.com:*/",
117 Manifest::TYPE_EXTENSION
));
118 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
119 "default-src 'self' https://www.*.google.com/",
120 Manifest::TYPE_EXTENSION
));
121 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
122 "default-src 'self' https://www.*.google.com:*/",
123 Manifest::TYPE_EXTENSION
));
124 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
125 "default-src 'self' chrome://*", Manifest::TYPE_EXTENSION
));
126 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
127 "default-src 'self' chrome-extension://*", Manifest::TYPE_EXTENSION
));
129 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
130 "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION
));
131 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
132 "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION
));
133 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
134 "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION
));
135 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
136 "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION
));
137 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
138 "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION
));
140 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
141 "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION
));
142 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
143 "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION
));
144 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
145 "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION
));
146 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
147 "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION
));
148 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
149 "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION
));
150 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
151 "default-src 'self' http://127.0.0.1.example.com",
152 Manifest::TYPE_EXTENSION
));
153 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
154 "default-src 'self' http://localhost.example.com",
155 Manifest::TYPE_EXTENSION
));
157 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
158 "default-src 'self' blob:", Manifest::TYPE_EXTENSION
));
159 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
160 "default-src 'self' blob:http://example.com/XXX",
161 Manifest::TYPE_EXTENSION
));
162 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
163 "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION
));
164 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
165 "default-src 'self' filesystem:http://example.com/XXX",
166 Manifest::TYPE_EXTENSION
));
168 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
169 "default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION
));
170 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
171 "default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION
));
172 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension
173 // authors have been using this string anyway, so we cannot refuse this string
174 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773
175 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
176 "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION
));
179 TEST(ExtensionCSPValidator
, IsSandboxed
) {
180 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
181 Manifest::TYPE_EXTENSION
));
182 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
183 Manifest::TYPE_EXTENSION
));
185 // Sandbox directive is required.
186 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
187 "sandbox", Manifest::TYPE_EXTENSION
));
189 // Additional sandbox tokens are OK.
190 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
191 "sandbox allow-scripts", Manifest::TYPE_EXTENSION
));
192 // Except for allow-same-origin.
193 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
194 "sandbox allow-same-origin", Manifest::TYPE_EXTENSION
));
196 // Additional directives are OK.
197 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
198 "sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION
));
200 // Extensions allow navigation, platform apps don't.
201 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
202 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION
));
203 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
204 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP
));
207 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
208 "sandbox allow-popups", Manifest::TYPE_EXTENSION
));
209 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
210 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP
));
