1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/common/extensions/csp_validator.h"
6 #include "testing/gtest/include/gtest/gtest.h"
8 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
9 using extensions::csp_validator::ContentSecurityPolicyIsSecure;
10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
11 using extensions::Extension;
// Pins down which raw policy strings ContentSecurityPolicyIsLegal() accepts.
// The rejected inputs differ from the accepted one only by a '\n', '\r' or ','
// placed after the first directive.
// NOTE(review): presumably these characters are refused because the policy is
// later emitted as a header value, where CR/LF and ',' act as separators that
// could smuggle in an extra header or policy -- confirm in csp_validator.cc.
TEST(ExtensionCSPValidator, IsLegal) {
  struct LegalCase {
    const char* policy;
    bool legal;
  };
  static const LegalCase kCases[] = {
    // Legality is not a syntax check: an unknown token is still accepted.
    {"foo", true},
    {"default-src 'self'; script-src http://www.google.com", true},
    // Line feed between directives.
    {"default-src 'self';\nscript-src http://www.google.com", false},
    // Carriage return between directives.
    {"default-src 'self';\rscript-src http://www.google.com", false},
    // Comma between directives.
    {"default-src 'self';,script-src http://www.google.com", false},
  };

  for (size_t i = 0; i < sizeof(kCases) / sizeof(kCases[0]); ++i) {
    EXPECT_EQ(kCases[i].legal, ContentSecurityPolicyIsLegal(kCases[i].policy))
        << kCases[i].policy;
  }
}
// Pins down which policies ContentSecurityPolicyIsSecure() accepts.  Almost
// every case is evaluated for Extension::TYPE_EXTENSION and lives in the table
// below; the two cases that use another extension type follow the loop.  Each
// call is independent, so grouping them this way does not change any outcome.
TEST(ExtensionCSPValidator, IsSecure) {
  struct SecureCase {
    const char* policy;
    bool secure;
  };
  static const SecureCase kExtensionCases[] = {
    // A policy that restricts neither scripts nor objects is not secure.
    {"", false},
    {"img-src https://google.com", false},

    // default-src: a bare wildcard and ftp: sources are rejected; 'self',
    // 'none' and an https host are accepted.
    {"default-src *", false},
    {"default-src 'self'", true},
    {"default-src 'none'", true},
    {"default-src 'self' ftp://google.com", false},
    {"default-src 'self' https://google.com", true},

    // When a directive is repeated, only its first occurrence decides the
    // result.
    {"default-src *; default-src 'self'", false},
    {"default-src 'self'; default-src *", true},
    {"default-src 'self'; default-src *; script-src *; script-src 'self'",
     false},
    {"default-src 'self'; default-src *; script-src 'self'; script-src *",
     true},

    // With a wildcard default-src, both script-src and object-src have to be
    // restricted explicitly; restricting img-src does not help.
    {"default-src *; script-src 'self'", false},
    {"default-src *; script-src 'self'; img-src 'self'", false},
    {"default-src *; script-src 'self'; object-src 'self'", true},
    {"script-src 'self'; object-src 'self'", true},

    // 'unsafe-eval' is tolerated for extensions, 'unsafe-inline' never is,
    // even next to 'none'.
    {"default-src 'unsafe-eval'", true},
    {"default-src 'unsafe-inline'", false},
    {"default-src 'unsafe-inline' 'none'", false},

    // Remote sources must be https with an explicit host; the browser's own
    // chrome:, chrome-extension: and chrome-extension-resource: schemes are
    // accepted.
    {"default-src 'self' http://google.com", false},
    {"default-src 'self' https://google.com", true},
    {"default-src 'self' chrome://resources", true},
    {"default-src 'self' chrome-extension://aabbcc", true},
    {"default-src 'self' chrome-extension-resource://aabbcc", true},
    // Scheme-only and scheme-less sources are rejected.
    {"default-src 'self' https:", false},
    {"default-src 'self' http:", false},
    {"default-src 'self' google.com", false},

    // A wildcard standing in for the whole host is rejected, with or without
    // a scheme, port or path.
    {"default-src 'self' *", false},
    {"default-src 'self' *:*", false},
    {"default-src 'self' *:*/", false},
    {"default-src 'self' *:*/path", false},
    {"default-src 'self' https://*:*", false},
    {"default-src 'self' https://*:*/", false},
    {"default-src 'self' https://*:*/path", false},

    // A subdomain wildcard under a named domain is accepted, including with
    // a fixed or wildcard port.
    {"default-src 'self' https://*.google.com", true},
    {"default-src 'self' https://*.google.com:1", true},
    {"default-src 'self' https://*.google.com:*", true},
    {"default-src 'self' https://*.google.com:1/", true},
    {"default-src 'self' https://*.google.com:*/", true},

    // Plain http is accepted only for the loopback names (matched
    // case-insensitively, any port).  Hosts that merely start with a loopback
    // name must not slip through.
    {"default-src 'self' http://127.0.0.1", true},
    {"default-src 'self' http://localhost", true},
    {"default-src 'self' http://lOcAlHoSt", true},
    {"default-src 'self' http://127.0.0.1:9999", true},
    {"default-src 'self' http://localhost:8888", true},
    {"default-src 'self' http://127.0.0.1.example.com", false},
    {"default-src 'self' http://localhost.example.com", false},

    // blob: and filesystem: are accepted as bare schemes only, not when
    // followed by a URL.
    {"default-src 'self' blob:", true},
    {"default-src 'self' blob:http://example.com/XXX", false},
    {"default-src 'self' filesystem:", true},
    {"default-src 'self' filesystem:http://example.com/XXX", false},
  };

  for (size_t i = 0;
       i < sizeof(kExtensionCases) / sizeof(kExtensionCases[0]); ++i) {
    EXPECT_EQ(kExtensionCases[i].secure,
              ContentSecurityPolicyIsSecure(kExtensionCases[i].policy,
                                            Extension::TYPE_EXTENSION))
        << kExtensionCases[i].policy;
  }

  // 'unsafe-eval' is also tolerated for legacy packaged apps, but not for
  // platform apps.
  EXPECT_TRUE(ContentSecurityPolicyIsSecure(
      "default-src 'unsafe-eval'", Extension::TYPE_LEGACY_PACKAGED_APP));
  EXPECT_FALSE(ContentSecurityPolicyIsSecure(
      "default-src 'unsafe-eval'", Extension::TYPE_PLATFORM_APP));
}
// Pins down which policies ContentSecurityPolicyIsSandboxed() accepts for
// sandboxed pages.  Cases evaluated for Extension::TYPE_EXTENSION live in the
// table; the platform-app cases follow the loop.  Each call is independent,
// so grouping them this way does not change any outcome.
TEST(ExtensionCSPValidator, IsSandboxed) {
  struct SandboxCase {
    const char* policy;
    bool sandboxed;
  };
  static const SandboxCase kExtensionCases[] = {
    // Without a sandbox directive the policy is not sandboxed.
    {"", false},
    {"img-src https://google.com", false},

    // The sandbox directive on its own is enough.
    {"sandbox", true},

    // Extra sandbox tokens are fine ...
    {"sandbox allow-scripts", true},
    // ... except allow-same-origin, which is rejected.
    {"sandbox allow-same-origin", false},

    // Other directives may accompany the sandbox directive.
    {"sandbox; img-src https://google.com", true},

    // Extensions may allow top-level navigation and popups.
    {"sandbox allow-top-navigation", true},
    {"sandbox allow-popups", true},
  };

  for (size_t i = 0;
       i < sizeof(kExtensionCases) / sizeof(kExtensionCases[0]); ++i) {
    EXPECT_EQ(kExtensionCases[i].sandboxed,
              ContentSecurityPolicyIsSandboxed(kExtensionCases[i].policy,
                                               Extension::TYPE_EXTENSION))
        << kExtensionCases[i].policy;
  }

  // Platform apps, unlike extensions, may not allow top-level navigation.
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
      "sandbox allow-top-navigation", Extension::TYPE_PLATFORM_APP));
  // Popups are OK for platform apps too.
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
      "sandbox allow-popups", Extension::TYPE_PLATFORM_APP));
}