1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/common/csp_validator.h"
6 #include "extensions/common/error_utils.h"
7 #include "extensions/common/install_warning.h"
8 #include "extensions/common/manifest_constants.h"
9 #include "testing/gtest/include/gtest/gtest.h"
11 using extensions::csp_validator::ContentSecurityPolicyIsLegal
;
12 using extensions::csp_validator::SanitizeContentSecurityPolicy
;
13 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed
;
14 using extensions::csp_validator::OPTIONS_NONE
;
15 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL
;
16 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC
;
17 using extensions::ErrorUtils
;
18 using extensions::InstallWarning
;
19 using extensions::Manifest
;
// Builds the install warning that SanitizeContentSecurityPolicy is expected to
// emit when it strips an insecure source expression |value| out of
// |directive|. Note the argument order of the message template: the value is
// substituted first, the directive second.
std::string InsecureValueWarning(const std::string& directive,
                                 const std::string& value) {
  const char* const kTemplate =
      extensions::manifest_errors::kInvalidCSPInsecureValue;
  return ErrorUtils::FormatErrorMessage(kTemplate, value, directive);
}
// Builds the install warning that SanitizeContentSecurityPolicy is expected to
// emit when |directive| (script-src or object-src in the tests below) had no
// secure source and was filled in with a default.
std::string MissingSecureSrcWarning(const std::string& directive) {
  const char* const kTemplate =
      extensions::manifest_errors::kInvalidCSPMissingSecureSrc;
  return ErrorUtils::FormatErrorMessage(kTemplate, directive);
}
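// Runs SanitizeContentSecurityPolicy on |policy| and checks both of its
// outputs: the sanitized policy must equal |expected_csp| exactly, and the
// install warnings it produced must match |expected_warnings| in count, order
// and text. |options| is handed to the sanitizer unchanged (the tests pass
// csp_validator::OPTIONS_* values). Returns a gtest AssertionResult that
// carries a diagnostic on any mismatch, so callers can wrap it in EXPECT_TRUE
// and still see what differed.
testing::AssertionResult CheckSanitizeCSP(
    const std::string& policy,
    int options,
    const std::string& expected_csp,
    const std::vector<std::string>& expected_warnings) {
  std::vector<InstallWarning> actual_warnings;
  const std::string actual_csp =
      SanitizeContentSecurityPolicy(policy, options, &actual_warnings);

  if (actual_csp != expected_csp) {
    return testing::AssertionFailure()
           << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n"
           << "Expected CSP: " << expected_csp << "\n"
           << "  Actual CSP: " << actual_csp;
  }

  // On a count mismatch dump both lists in full: a missing or an extra
  // warning is much easier to spot than from the actual list alone.
  if (expected_warnings.size() != actual_warnings.size()) {
    testing::Message msg;
    msg << "Expected " << expected_warnings.size() << " warnings, but got "
        << actual_warnings.size();
    for (size_t i = 0; i < expected_warnings.size(); ++i)
      msg << "\nExpected warning " << i << ": " << expected_warnings[i];
    for (size_t i = 0; i < actual_warnings.size(); ++i)
      msg << "\nActual warning " << i << ": " << actual_warnings[i].message;
    return testing::AssertionFailure() << msg;
  }

  // Warnings are compared positionally: the order in which the sanitizer
  // reports them is part of the behaviour these tests pin down. The two
  // halves of the message are separated by a newline, like the CSP mismatch
  // message above, so the strings do not run together.
  for (size_t i = 0; i < expected_warnings.size(); ++i) {
    if (expected_warnings[i] != actual_warnings[i].message) {
      return testing::AssertionFailure()
             << "Unexpected warning from SanitizeContentSecurityPolicy.\n"
             << "Expected warning[" << i << "]: " << expected_warnings[i]
             << "\n"
             << "  Actual warning[" << i << "]: "
             << actual_warnings[i].message;
    }
  }

  return testing::AssertionSuccess();
}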
// Overload for policies that must survive sanitization untouched: the
// sanitized output has to be |policy| itself and no warning may be produced.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options) {
  const std::vector<std::string> no_warnings;
  return CheckSanitizeCSP(policy, options, policy, no_warnings);
}
// Overload for policies that are rewritten to |expected_csp| without any
// warning being produced.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp) {
  return CheckSanitizeCSP(policy, options, expected_csp,
                          std::vector<std::string>());
}
// Overload for policies rewritten to |expected_csp| with exactly one warning.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1) {
  std::vector<std::string> expected_warnings;
  expected_warnings.push_back(warning1);
  return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
}
// Overload for policies rewritten to |expected_csp| with exactly two
// warnings, expected in the given order.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1,
                                          const std::string& warning2) {
  const std::string warnings[] = { warning1, warning2 };
  return CheckSanitizeCSP(policy, options, expected_csp,
                          std::vector<std::string>(warnings, warnings + 2));
}
// Overload for policies rewritten to |expected_csp| with exactly three
// warnings, expected in the given order.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1,
                                          const std::string& warning2,
                                          const std::string& warning3) {
  const std::string warnings[] = { warning1, warning2, warning3 };
  return CheckSanitizeCSP(policy, options, expected_csp,
                          std::vector<std::string>(warnings, warnings + 3));
}
// ContentSecurityPolicyIsLegal is a purely syntactic check: an arbitrary token
// such as "foo" passes, while a policy containing a line feed, a carriage
// return or a comma is rejected (presumably because those characters would
// let a manifest value be split into more than one header value -- confirm
// against csp_validator.cc). It does not judge whether the sources are secure;
// that is SanitizeContentSecurityPolicy's job, tested below.
TEST(ExtensionCSPValidator, IsLegal) {
  const char* const kLegal[] = {
      "foo",
      "default-src 'self'; script-src http://www.google.com",
  };
  const char* const kIllegal[] = {
      "default-src 'self';\nscript-src http://www.google.com",
      "default-src 'self';\rscript-src http://www.google.com",
      "default-src 'self';,script-src http://www.google.com",
  };

  for (size_t i = 0; i < sizeof(kLegal) / sizeof(kLegal[0]); ++i)
    EXPECT_TRUE(ContentSecurityPolicyIsLegal(kLegal[i])) << kLegal[i];
  for (size_t i = 0; i < sizeof(kIllegal) / sizeof(kIllegal[0]); ++i)
    EXPECT_FALSE(ContentSecurityPolicyIsLegal(kIllegal[i])) << kIllegal[i];
}
// Pins down what SanitizeContentSecurityPolicy keeps, strips and warns about.
// The security-relevant rules exercised below: 'unsafe-inline' is never kept;
// 'unsafe-eval' is kept only under OPTIONS_ALLOW_UNSAFE_EVAL; plain http: hosts
// are only accepted for localhost/127.0.0.1; host wildcards are only accepted
// in the leftmost label of an https host; a wildcard object-src is only
// tolerated under OPTIONS_ALLOW_INSECURE_OBJECT_SRC when plugin-types is
// restricted to application/pdf; and only sha256/384/512 script hashes count.
124 TEST(ExtensionCSPValidator
, IsSecure
) {
// An empty policy is given the secure defaults for script-src and object-src,
// with a missing-secure-src warning for each directive that was filled in.
125 EXPECT_TRUE(CheckSanitizeCSP(
126 std::string(), OPTIONS_ALLOW_UNSAFE_EVAL
,
127 "script-src 'self' chrome-extension-resource:; object-src 'self';",
128 MissingSecureSrcWarning("script-src"),
129 MissingSecureSrcWarning("object-src")));
// A policy that mentions neither script-src nor object-src gets the same
// defaults appended after what it already had.
130 EXPECT_TRUE(CheckSanitizeCSP(
131 "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL
,
132 "img-src https://google.com; script-src 'self'"
133 " chrome-extension-resource:; object-src 'self';",
134 MissingSecureSrcWarning("script-src"),
135 MissingSecureSrcWarning("object-src")));
// Each insecure script source is stripped with its own warning; the emptied
// script-src is kept, and object-src is still defaulted.
136 EXPECT_TRUE(CheckSanitizeCSP(
137 "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL
,
138 "script-src; object-src 'self';",
139 InsecureValueWarning("script-src", "a"),
140 InsecureValueWarning("script-src", "b"),
141 MissingSecureSrcWarning("object-src")));
// default-src stands in for script-src and object-src, so no defaults are
// appended; only the insecure wildcard is reported.
143 EXPECT_TRUE(CheckSanitizeCSP(
144 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL
,
146 InsecureValueWarning("default-src", "*")));
// 'self' and 'none' are accepted unchanged, trailing ';' included.
147 EXPECT_TRUE(CheckSanitizeCSP(
148 "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL
));
149 EXPECT_TRUE(CheckSanitizeCSP(
150 "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL
));
// ftp: hosts are insecure; https: hosts are kept.
151 EXPECT_TRUE(CheckSanitizeCSP(
152 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL
,
153 "default-src 'self';",
154 InsecureValueWarning("default-src", "ftp://google.com")));
155 EXPECT_TRUE(CheckSanitizeCSP(
156 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL
));
// Repeated directives: every occurrence is sanitized, but as the next four
// expectations show, a warning is only expected when the insecure value sits
// in the first occurrence of a directive; a later duplicate is stripped
// silently.
158 EXPECT_TRUE(CheckSanitizeCSP(
159 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL
,
160 "default-src; default-src 'self';",
161 InsecureValueWarning("default-src", "*")));
162 EXPECT_TRUE(CheckSanitizeCSP(
163 "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL
,
164 "default-src 'self'; default-src;"));
165 EXPECT_TRUE(CheckSanitizeCSP(
166 "default-src 'self'; default-src *; script-src *; script-src 'self'",
167 OPTIONS_ALLOW_UNSAFE_EVAL
,
168 "default-src 'self'; default-src; script-src; script-src 'self';",
169 InsecureValueWarning("script-src", "*")));
170 EXPECT_TRUE(CheckSanitizeCSP(
171 "default-src 'self'; default-src *; script-src 'self'; script-src *;",
172 OPTIONS_ALLOW_UNSAFE_EVAL
,
173 "default-src 'self'; default-src; script-src 'self'; script-src;"));
// A wildcard default-src is reported while default-src still governs
// script-src or object-src; once both are given explicitly it is stripped
// without a warning.
174 EXPECT_TRUE(CheckSanitizeCSP(
175 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL
,
176 "default-src; script-src 'self';",
177 InsecureValueWarning("default-src", "*")));
178 EXPECT_TRUE(CheckSanitizeCSP(
179 "default-src *; script-src 'self'; img-src 'self'",
180 OPTIONS_ALLOW_UNSAFE_EVAL
,
181 "default-src; script-src 'self'; img-src 'self';",
182 InsecureValueWarning("default-src", "*")));
183 EXPECT_TRUE(CheckSanitizeCSP(
184 "default-src *; script-src 'self'; object-src 'self';",
185 OPTIONS_ALLOW_UNSAFE_EVAL
,
186 "default-src; script-src 'self'; object-src 'self';"));
// Explicit 'self' for both script-src and object-src is accepted as-is.
187 EXPECT_TRUE(CheckSanitizeCSP(
188 "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL
));
// 'unsafe-eval' is kept only when OPTIONS_ALLOW_UNSAFE_EVAL is set; under
// OPTIONS_NONE it is stripped with a warning.
189 EXPECT_TRUE(CheckSanitizeCSP(
190 "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL
));
192 EXPECT_TRUE(CheckSanitizeCSP(
193 "default-src 'unsafe-eval'", OPTIONS_NONE
,
195 InsecureValueWarning("default-src", "'unsafe-eval'")));
// 'unsafe-inline' is never kept, even with the eval option set; a 'none'
// next to it survives.
196 EXPECT_TRUE(CheckSanitizeCSP(
197 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL
,
199 InsecureValueWarning("default-src", "'unsafe-inline'")));
200 EXPECT_TRUE(CheckSanitizeCSP(
201 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL
,
202 "default-src 'none';",
203 InsecureValueWarning("default-src", "'unsafe-inline'")));
// A plain http: host is insecure; https:, chrome:, chrome-extension: and
// chrome-extension-resource: hosts are kept.
204 EXPECT_TRUE(CheckSanitizeCSP(
205 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL
,
206 "default-src 'self';",
207 InsecureValueWarning("default-src", "http://google.com")));
208 EXPECT_TRUE(CheckSanitizeCSP(
209 "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL
));
210 EXPECT_TRUE(CheckSanitizeCSP(
211 "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL
));
212 EXPECT_TRUE(CheckSanitizeCSP(
213 "default-src 'self' chrome-extension://aabbcc;",
214 OPTIONS_ALLOW_UNSAFE_EVAL
));
215 EXPECT_TRUE(CheckSanitizeCSP(
216 "default-src 'self' chrome-extension-resource://aabbcc;",
217 OPTIONS_ALLOW_UNSAFE_EVAL
));
// Bare scheme sources (https:, http:) and a scheme-less host are rejected:
// each would allow far more than a single origin.
218 EXPECT_TRUE(CheckSanitizeCSP(
219 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL
,
220 "default-src 'self';",
221 InsecureValueWarning("default-src", "https:")));
222 EXPECT_TRUE(CheckSanitizeCSP(
223 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL
,
224 "default-src 'self';",
225 InsecureValueWarning("default-src", "http:")));
226 EXPECT_TRUE(CheckSanitizeCSP(
227 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL
,
228 "default-src 'self';",
229 InsecureValueWarning("default-src", "google.com")));
// Wildcard forms that are rejected: a bare '*', '*:*' with or without a path,
// a wildcard port without a host, 'https://*' on its own, a wildcard over a
// whole TLD ('https://*.com'), wildcards anywhere but the leftmost host label,
// wildcard chrome:// and chrome-extension:// hosts, and an empty
// chrome-extension:// host.
231 EXPECT_TRUE(CheckSanitizeCSP(
232 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL
,
233 "default-src 'self';",
234 InsecureValueWarning("default-src", "*")));
235 EXPECT_TRUE(CheckSanitizeCSP(
236 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL
,
237 "default-src 'self';",
238 InsecureValueWarning("default-src", "*:*")));
239 EXPECT_TRUE(CheckSanitizeCSP(
240 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL
,
241 "default-src 'self';",
242 InsecureValueWarning("default-src", "*:*/")));
243 EXPECT_TRUE(CheckSanitizeCSP(
244 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL
,
245 "default-src 'self';",
246 InsecureValueWarning("default-src", "*:*/path")));
247 EXPECT_TRUE(CheckSanitizeCSP(
248 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL
,
249 "default-src 'self';",
250 InsecureValueWarning("default-src", "https://")));
251 EXPECT_TRUE(CheckSanitizeCSP(
252 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL
,
253 "default-src 'self';",
254 InsecureValueWarning("default-src", "https://*:*")));
255 EXPECT_TRUE(CheckSanitizeCSP(
256 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL
,
257 "default-src 'self';",
258 InsecureValueWarning("default-src", "https://*:*/")));
259 EXPECT_TRUE(CheckSanitizeCSP(
260 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL
,
261 "default-src 'self';",
262 InsecureValueWarning("default-src", "https://*:*/path")));
263 EXPECT_TRUE(CheckSanitizeCSP(
264 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL
,
265 "default-src 'self';",
266 InsecureValueWarning("default-src", "https://*.com")));
267 EXPECT_TRUE(CheckSanitizeCSP(
268 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL
,
269 "default-src 'self';",
270 InsecureValueWarning("default-src", "https://*.*.google.com/")));
271 EXPECT_TRUE(CheckSanitizeCSP(
272 "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL
,
273 "default-src 'self';",
274 InsecureValueWarning("default-src", "https://*.*.google.com:*/")));
275 EXPECT_TRUE(CheckSanitizeCSP(
276 "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL
,
277 "default-src 'self';",
278 InsecureValueWarning("default-src", "https://www.*.google.com/")));
279 EXPECT_TRUE(CheckSanitizeCSP(
280 "default-src 'self' https://www.*.google.com:*/",
281 OPTIONS_ALLOW_UNSAFE_EVAL
,
282 "default-src 'self';",
283 InsecureValueWarning("default-src", "https://www.*.google.com:*/")));
284 EXPECT_TRUE(CheckSanitizeCSP(
285 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL
,
286 "default-src 'self';",
287 InsecureValueWarning("default-src", "chrome://*")));
288 EXPECT_TRUE(CheckSanitizeCSP(
289 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL
,
290 "default-src 'self';",
291 InsecureValueWarning("default-src", "chrome-extension://*")));
292 EXPECT_TRUE(CheckSanitizeCSP(
293 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL
,
294 "default-src 'self';",
295 InsecureValueWarning("default-src", "chrome-extension://")));
// The accepted wildcard form: a leftmost-label wildcard on an https host,
// with an optional fixed or wildcard port and an optional path.
297 EXPECT_TRUE(CheckSanitizeCSP(
298 "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL
));
299 EXPECT_TRUE(CheckSanitizeCSP(
300 "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL
));
301 EXPECT_TRUE(CheckSanitizeCSP(
302 "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL
));
303 EXPECT_TRUE(CheckSanitizeCSP(
304 "default-src 'self' https://*.google.com:1/;",
305 OPTIONS_ALLOW_UNSAFE_EVAL
));
306 EXPECT_TRUE(CheckSanitizeCSP(
307 "default-src 'self' https://*.google.com:*/;",
308 OPTIONS_ALLOW_UNSAFE_EVAL
));
// http: is tolerated for the loopback host only -- 127.0.0.1 and localhost
// (matched case-insensitively), with any port. Hosts that merely start with
// those names (127.0.0.1.example.com, localhost.example.com) are rejected, so
// a look-alike domain cannot claim the exemption.
310 EXPECT_TRUE(CheckSanitizeCSP(
311 "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL
));
312 EXPECT_TRUE(CheckSanitizeCSP(
313 "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL
));
314 EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;",
315 OPTIONS_ALLOW_UNSAFE_EVAL
,
316 "default-src 'self' http://lOcAlHoSt;"));
317 EXPECT_TRUE(CheckSanitizeCSP(
318 "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL
));
319 EXPECT_TRUE(CheckSanitizeCSP(
320 "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL
));
321 EXPECT_TRUE(CheckSanitizeCSP(
322 "default-src 'self' http://127.0.0.1.example.com",
323 OPTIONS_ALLOW_UNSAFE_EVAL
,
324 "default-src 'self';",
325 InsecureValueWarning("default-src", "http://127.0.0.1.example.com")));
326 EXPECT_TRUE(CheckSanitizeCSP(
327 "default-src 'self' http://localhost.example.com",
328 OPTIONS_ALLOW_UNSAFE_EVAL
,
329 "default-src 'self';",
330 InsecureValueWarning("default-src", "http://localhost.example.com")));
// Bare blob: and filesystem: schemes are accepted; a blob:/filesystem: source
// that embeds an http URL is not.
332 EXPECT_TRUE(CheckSanitizeCSP(
333 "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL
));
334 EXPECT_TRUE(CheckSanitizeCSP(
335 "default-src 'self' blob:http://example.com/XXX",
336 OPTIONS_ALLOW_UNSAFE_EVAL
, "default-src 'self';",
337 InsecureValueWarning("default-src", "blob:http://example.com/XXX")));
338 EXPECT_TRUE(CheckSanitizeCSP(
339 "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL
));
340 EXPECT_TRUE(CheckSanitizeCSP(
341 "default-src 'self' filesystem:http://example.com/XX",
342 OPTIONS_ALLOW_UNSAFE_EVAL
, "default-src 'self';",
343 InsecureValueWarning("default-src", "filesystem:http://example.com/XX")));
// Ordinary https hosts, with or without a leftmost wildcard, are kept.
345 EXPECT_TRUE(CheckSanitizeCSP(
346 "default-src 'self' https://*.googleapis.com;",
347 OPTIONS_ALLOW_UNSAFE_EVAL
));
348 EXPECT_TRUE(CheckSanitizeCSP(
349 "default-src 'self' https://x.googleapis.com;",
350 OPTIONS_ALLOW_UNSAFE_EVAL
));
// object-src: a wildcard is stripped under OPTIONS_NONE, and also under
// OPTIONS_ALLOW_INSECURE_OBJECT_SRC unless plugin-types restricts the page to
// application/pdf. Once application/x-shockwave-flash appears in
// plugin-types the wildcard is stripped again. With a pdf-only plugin-types,
// '*', plain http hosts, a wildcard http host and blob: are all accepted in
// object-src -- but script-src is still sanitized as usual.
352 EXPECT_TRUE(CheckSanitizeCSP(
353 "script-src 'self'; object-src *", OPTIONS_NONE
,
354 "script-src 'self'; object-src;",
355 InsecureValueWarning("object-src", "*")));
356 EXPECT_TRUE(CheckSanitizeCSP(
357 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC
,
358 "script-src 'self'; object-src;",
359 InsecureValueWarning("object-src", "*")));
360 EXPECT_TRUE(CheckSanitizeCSP(
361 "script-src 'self'; object-src *; plugin-types application/pdf;",
362 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
363 EXPECT_TRUE(CheckSanitizeCSP(
364 "script-src 'self'; object-src *; "
365 "plugin-types application/x-shockwave-flash",
366 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
,
367 "script-src 'self'; object-src; "
368 "plugin-types application/x-shockwave-flash;",
369 InsecureValueWarning("object-src", "*")));
370 EXPECT_TRUE(CheckSanitizeCSP(
371 "script-src 'self'; object-src *; "
372 "plugin-types application/x-shockwave-flash application/pdf;",
373 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
,
374 "script-src 'self'; object-src; "
375 "plugin-types application/x-shockwave-flash application/pdf;",
376 InsecureValueWarning("object-src", "*")));
377 EXPECT_TRUE(CheckSanitizeCSP(
378 "script-src 'self'; object-src http://www.example.com; "
379 "plugin-types application/pdf;",
380 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
381 EXPECT_TRUE(CheckSanitizeCSP(
382 "object-src http://www.example.com blob:; script-src 'self'; "
383 "plugin-types application/pdf;",
384 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
385 EXPECT_TRUE(CheckSanitizeCSP(
386 "script-src 'self'; object-src http://*.example.com; "
387 "plugin-types application/pdf;",
388 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
389 EXPECT_TRUE(CheckSanitizeCSP(
390 "script-src *; object-src *; plugin-types application/pdf;",
391 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
,
392 "script-src; object-src *; plugin-types application/pdf;",
393 InsecureValueWarning("script-src", "*")));
// Script hashes: sha256, sha384 and sha512 source expressions are accepted in
// script-src.
395 EXPECT_TRUE(CheckSanitizeCSP(
396 "default-src; script-src"
397 " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='"
398 " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS"
400 " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw"
401 "vCSapSz5CVoUGHQcxv43UQg==';",
404 // Reject non-standard algorithms, even if they are still supported by Blink.
405 EXPECT_TRUE(CheckSanitizeCSP(
406 "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';",
407 OPTIONS_NONE
, "default-src; script-src;",
408 InsecureValueWarning("script-src",
409 "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='")));
// Two hashes fused inside one pair of quotes are not a valid hash source.
// The sanitizer splits them on whitespace and rejects each fragment (one with
// a leading quote, one with a trailing quote) as a separate insecure value.
411 EXPECT_TRUE(CheckSanitizeCSP(
412 "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ"
413 "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';",
414 OPTIONS_NONE
, "default-src; script-src;",
415 InsecureValueWarning(
416 "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="),
417 InsecureValueWarning(
419 "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='")));
// ContentSecurityPolicyIsSandboxed decides whether a CSP places the page in a
// sandboxed origin. The rules pinned here: a "sandbox" directive must be
// present; "allow-same-origin" is refused (it would hand the sandboxed page
// its real origin back, defeating the point of sandboxing); other sandbox
// tokens and other directives are left alone; "allow-top-navigation" is
// accepted for extensions but refused for platform apps; "allow-popups" is
// accepted for both.
TEST(ExtensionCSPValidator, IsSandboxed) {
  // Without a sandbox directive nothing else matters.
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
                                                Manifest::TYPE_EXTENSION));
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
                                                Manifest::TYPE_EXTENSION));

  // A bare sandbox directive is sufficient.
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed("sandbox",
                                               Manifest::TYPE_EXTENSION));

  // Additional sandbox tokens are fine, with the exception of
  // allow-same-origin.
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed("sandbox allow-scripts",
                                               Manifest::TYPE_EXTENSION));
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("sandbox allow-same-origin",
                                                Manifest::TYPE_EXTENSION));

  // Other directives next to sandbox do not change the verdict.
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
      "sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION));

  // Navigating the top-level frame out of the sandbox is allowed for
  // extensions only; platform apps are refused.
  const std::string kTopNavigation = "sandbox allow-top-navigation";
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(kTopNavigation,
                                               Manifest::TYPE_EXTENSION));
  EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(kTopNavigation,
                                                Manifest::TYPE_PLATFORM_APP));

  // Popups are accepted for both manifest types.
  const std::string kPopups = "sandbox allow-popups";
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(kPopups,
                                               Manifest::TYPE_EXTENSION));
  EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(kPopups,
                                               Manifest::TYPE_PLATFORM_APP));
}