[chromium-blink-merge.git] / extensions / common / csp_validator_unittest.cc
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/common/csp_validator.h"
6 #include "extensions/common/error_utils.h"
7 #include "extensions/common/install_warning.h"
8 #include "extensions/common/manifest_constants.h"
9 #include "testing/gtest/include/gtest/gtest.h"
11 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
12 using extensions::csp_validator::SanitizeContentSecurityPolicy;
13 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
14 using extensions::csp_validator::OPTIONS_NONE;
15 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
16 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC;
17 using extensions::ErrorUtils;
18 using extensions::InstallWarning;
19 using extensions::Manifest;
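namespace {

// Returns the install warning text for |value| being rejected as an insecure
// source in |directive| (kInvalidCSPInsecureValue formatted with the value
// first, then the directive).
std::string InsecureValueWarning(const std::string& directive,
                                 const std::string& value) {
  return ErrorUtils::FormatErrorMessage(
      extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive);
}

// Returns the install warning text for a policy in which |directive| is not
// restricted to secure sources (kInvalidCSPMissingSecureSrc).
std::string MissingSecureSrcWarning(const std::string& directive) {
  return ErrorUtils::FormatErrorMessage(
      extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive);
}

// Runs SanitizeContentSecurityPolicy on |policy| with |options| and verifies
// both halves of its contract: the sanitized policy string must equal
// |expected_csp|, and the install warnings must match |expected_warnings|
// one-for-one and in the same order. Checking the warnings as strictly as the
// policy matters: a source that is stripped silently, or a warning that is
// raised for a source that was kept, is a sanitizer regression too.
//
// Returns AssertionSuccess() on a full match, otherwise an AssertionFailure()
// describing the first mismatch found.
testing::AssertionResult CheckSanitizeCSP(
    const std::string& policy,
    int options,
    const std::string& expected_csp,
    const std::vector<std::string>& expected_warnings) {
  std::vector<InstallWarning> actual_warnings;
  std::string actual_csp = SanitizeContentSecurityPolicy(policy,
                                                         options,
                                                         &actual_warnings);
  if (actual_csp != expected_csp) {
    return testing::AssertionFailure()
        << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n"
        << "Expected CSP: " << expected_csp << "\n"
        << " Actual CSP: " << actual_csp;
  }

  if (expected_warnings.size() != actual_warnings.size()) {
    // Dump everything the sanitizer reported so that the failure can be
    // diagnosed without re-running the test.
    testing::Message msg;
    msg << "Expected " << expected_warnings.size()
        << " warnings, but got " << actual_warnings.size();
    for (size_t i = 0; i < actual_warnings.size(); ++i)
      msg << "\nWarning " << i << " " << actual_warnings[i].message;
    return testing::AssertionFailure() << msg;
  }

  for (size_t i = 0; i < expected_warnings.size(); ++i) {
    if (expected_warnings[i] != actual_warnings[i].message) {
      // Expected and actual go on separate lines; previously they were
      // streamed back to back, which made long warnings hard to compare.
      return testing::AssertionFailure()
          << "Unexpected warning from SanitizeContentSecurityPolicy.\n"
          << "Expected warning[" << i << "]: " << expected_warnings[i] << "\n"
          << " Actual warning[" << i << "]: " << actual_warnings[i].message;
    }
  }
  return testing::AssertionSuccess();
}

// Overload for a policy that is already secure: expects the sanitizer to
// return |policy| unchanged and to raise no warnings.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options) {
  return CheckSanitizeCSP(policy, options, policy, std::vector<std::string>());
}

// Overload that expects |expected_csp| and no warnings at all, i.e. the policy
// is rewritten silently.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp) {
  std::vector<std::string> expected_warnings;
  return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
}

// Overload that expects |expected_csp| and exactly one warning.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1) {
  std::vector<std::string> expected_warnings(1, warning1);
  return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
}

// Overload that expects |expected_csp| and exactly two warnings, in order.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1,
                                          const std::string& warning2) {
  std::vector<std::string> expected_warnings(1, warning1);
  expected_warnings.push_back(warning2);
  return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
}

// Overload that expects |expected_csp| and exactly three warnings, in order.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1,
                                          const std::string& warning2,
                                          const std::string& warning3) {
  std::vector<std::string> expected_warnings(1, warning1);
  expected_warnings.push_back(warning2);
  expected_warnings.push_back(warning3);
  return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
}

}  // namespace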
TEST(ExtensionCSPValidator, IsLegal) {
  // Legality is independent of how safe the listed sources are: an unknown
  // token and a policy with a plain http: script source are both legal.
  const char kUnknownToken[] = "foo";
  const char kSingleLinePolicy[] =
      "default-src 'self'; script-src http://www.google.com";
  EXPECT_TRUE(ContentSecurityPolicyIsLegal(kUnknownToken));
  EXPECT_TRUE(ContentSecurityPolicyIsLegal(kSingleLinePolicy));

  // The same policy becomes illegal once a line feed, a carriage return or a
  // comma appears between the directives.
  // NOTE(review): presumably these are refused because they would let one
  // manifest value be read as several header lines or several policies;
  // confirm against csp_validator.cc.
  const char kWithLineFeed[] =
      "default-src 'self';\nscript-src http://www.google.com";
  const char kWithCarriageReturn[] =
      "default-src 'self';\rscript-src http://www.google.com";
  const char kWithComma[] =
      "default-src 'self';,script-src http://www.google.com";
  EXPECT_FALSE(ContentSecurityPolicyIsLegal(kWithLineFeed));
  EXPECT_FALSE(ContentSecurityPolicyIsLegal(kWithCarriageReturn));
  EXPECT_FALSE(ContentSecurityPolicyIsLegal(kWithComma));
}
namespace {

// Shorthand for the most common rejection case in IsSecure: |source| is
// appended to "default-src 'self'", sanitized with OPTIONS_ALLOW_UNSAFE_EVAL,
// and must be stripped again with exactly one insecure-value warning that
// quotes |source| verbatim.
testing::AssertionResult CheckDefaultSrcSourceStripped(
    const std::string& source) {
  return CheckSanitizeCSP("default-src 'self' " + source,
                          OPTIONS_ALLOW_UNSAFE_EVAL,
                          "default-src 'self';",
                          InsecureValueWarning("default-src", source));
}

}  // namespace

TEST(ExtensionCSPValidator, IsSecure) {
  // --- Missing directives ---------------------------------------------------
  // A policy that restricts neither script-src nor object-src gets secure
  // defaults appended for both, with one warning per missing directive.
  EXPECT_TRUE(CheckSanitizeCSP(
      std::string(), OPTIONS_ALLOW_UNSAFE_EVAL,
      "script-src 'self' chrome-extension-resource:; object-src 'self';",
      MissingSecureSrcWarning("script-src"),
      MissingSecureSrcWarning("object-src")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
      "img-src https://google.com; script-src 'self'"
      " chrome-extension-resource:; object-src 'self';",
      MissingSecureSrcWarning("script-src"),
      MissingSecureSrcWarning("object-src")));
  // Every insecure value is reported separately, in order of appearance.
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL,
      "script-src; object-src 'self';",
      InsecureValueWarning("script-src", "a"),
      InsecureValueWarning("script-src", "b"),
      MissingSecureSrcWarning("object-src")));

  // --- default-src basics ---------------------------------------------------
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src;",
      InsecureValueWarning("default-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("ftp://google.com"));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));

  // --- Duplicate and overridden directives ------------------------------------
  // When a directive is repeated, the insecure value is stripped from every
  // occurrence, but a warning is expected only when the insecure value is in
  // the first occurrence.
  // NOTE(review): presumably because only the first occurrence of a
  // directive is honoured when the policy is enforced; confirm.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src; default-src 'self';",
      InsecureValueWarning("default-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self'; default-src;"));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self'; default-src *; script-src *; script-src 'self'",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self'; default-src; script-src; script-src 'self';",
      InsecureValueWarning("script-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self'; default-src *; script-src 'self'; script-src *;",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self'; default-src; script-src 'self'; script-src;"));
  // An insecure default-src still warns while it is the fallback for at least
  // one of script-src / object-src ...
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src; script-src 'self';",
      InsecureValueWarning("default-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *; script-src 'self'; img-src 'self'",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src; script-src 'self'; img-src 'self';",
      InsecureValueWarning("default-src", "*")));
  // ... and is stripped without a warning once both are given explicitly.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *; script-src 'self'; object-src 'self';",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src; script-src 'self'; object-src 'self';"));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL));

  // --- Keyword sources --------------------------------------------------------
  // 'unsafe-eval' is accepted only with OPTIONS_ALLOW_UNSAFE_EVAL;
  // 'unsafe-inline' is stripped even with that option set.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'unsafe-eval'", OPTIONS_NONE,
      "default-src;",
      InsecureValueWarning("default-src", "'unsafe-eval'")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src;",
      InsecureValueWarning("default-src", "'unsafe-inline'")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'none';",
      InsecureValueWarning("default-src", "'unsafe-inline'")));

  // --- Schemes and bare hosts -------------------------------------------------
  // Plain http:, scheme-only sources and hosts without a scheme are stripped;
  // https: with a concrete host and the chrome*: schemes with a host are kept.
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("http://google.com"));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome-extension://aabbcc;",
      OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome-extension-resource://aabbcc;",
      OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https:"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("http:"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("google.com"));

  // --- Wildcards that are too broad -------------------------------------------
  // Stripped: a wildcard for the whole host, an empty host, a wildcard
  // directly under a top-level domain, more than one wildcard label, and a
  // wildcard that is not the leftmost label.
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("*"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("*:*"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("*:*/"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("*:*/path"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://*:*"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://*:*/"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://*:*/path"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://*.com"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://*.*.google.com/"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://*.*.google.com:*/"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://www.*.google.com/"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("https://www.*.google.com:*/"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("chrome://*"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("chrome-extension://*"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("chrome-extension://"));

  // --- Wildcards that are acceptable ------------------------------------------
  // A single leftmost wildcard label under a named domain is kept, with or
  // without a port (fixed or wildcard) and a trailing slash.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com:1/;",
      OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com:*/;",
      OPTIONS_ALLOW_UNSAFE_EVAL));

  // --- Loopback over http ------------------------------------------------------
  // http://127.0.0.1 and http://localhost are kept, with or without a port.
  // The host is lower-cased in the sanitized output.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://lOcAlHoSt;", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self' http://localhost;"));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL));
  // The loopback exception has to match the whole host: a remote host name
  // that merely starts with a loopback name is stripped like any http: host.
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("http://127.0.0.1.example.com"));
  EXPECT_TRUE(CheckDefaultSrcSourceStripped("http://localhost.example.com"));

  // --- blob: and filesystem: ---------------------------------------------------
  // Only the bare scheme is kept. A blob:/filesystem: source that carries an
  // inner URL is stripped, and the warning quotes the value in lower case.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' blob:http://example.com/XXX",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "blob:http://example.com/xxx")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' filesystem:http://example.com/XX",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "filesystem:http://example.com/xx")));

  // --- googleapis.com ----------------------------------------------------------
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.googleapis.com;",
      OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://x.googleapis.com;",
      OPTIONS_ALLOW_UNSAFE_EVAL));

  // --- object-src and OPTIONS_ALLOW_INSECURE_OBJECT_SRC -------------------------
  // The option alone does not relax object-src: "object-src *" is still
  // stripped unless plugin-types is present and lists application/pdf only.
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *", OPTIONS_NONE,
      "script-src 'self'; object-src;",
      InsecureValueWarning("object-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
      "script-src 'self'; object-src;",
      InsecureValueWarning("object-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *; plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
  // Any other plugin type, alone or next to application/pdf, keeps the strict
  // object-src check in force.
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *; "
      "plugin-types application/x-shockwave-flash",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
      "script-src 'self'; object-src; "
      "plugin-types application/x-shockwave-flash;",
      InsecureValueWarning("object-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *; "
      "plugin-types application/x-shockwave-flash application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
      "script-src 'self'; object-src; "
      "plugin-types application/x-shockwave-flash application/pdf;",
      InsecureValueWarning("object-src", "*")));
  // With the PDF-only restriction in place, http: hosts and http: wildcard
  // hosts are kept in object-src, regardless of directive order.
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src http://www.example.com; "
      "plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
  EXPECT_TRUE(CheckSanitizeCSP(
      "object-src http://www.example.com blob:; script-src 'self'; "
      "plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src http://*.example.com; "
      "plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
  // The relaxation is limited to object-src: script-src in the same policy is
  // still sanitized.
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src *; object-src *; plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
      "script-src; object-src *; plugin-types application/pdf;",
      InsecureValueWarning("script-src", "*")));
}
TEST(ExtensionCSPValidator, IsSandboxed) {
  // Policies that are used with both manifest types below.
  const char kSandboxWithTopNavigation[] = "sandbox allow-top-navigation";
  const char kSandboxWithPopups[] = "sandbox allow-popups";

  // Without a sandbox directive the policy is not sandboxed, whether it is
  // empty or only restricts other resources.
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
                                                Manifest::TYPE_EXTENSION));
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
                                                Manifest::TYPE_EXTENSION));

  // The bare directive is sufficient.
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
      "sandbox", Manifest::TYPE_EXTENSION));

  // Extra sandbox tokens such as allow-scripts are accepted ...
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
      "sandbox allow-scripts", Manifest::TYPE_EXTENSION));
  // ... with the exception of allow-same-origin, which makes the policy count
  // as not sandboxed.
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
      "sandbox allow-same-origin", Manifest::TYPE_EXTENSION));

  // Other directives next to sandbox do not change the result.
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
      "sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION));

  // allow-top-navigation depends on the manifest type: accepted for
  // extensions, rejected for platform apps.
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
      kSandboxWithTopNavigation, Manifest::TYPE_EXTENSION));
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
      kSandboxWithTopNavigation, Manifest::TYPE_PLATFORM_APP));

  // allow-popups is accepted for both manifest types.
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
      kSandboxWithPopups, Manifest::TYPE_EXTENSION));
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
      kSandboxWithPopups, Manifest::TYPE_PLATFORM_APP));
}