1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/common/csp_validator.h"
6 #include "testing/gtest/include/gtest/gtest.h"
8 using extensions::csp_validator::ContentSecurityPolicyIsLegal
;
9 using extensions::csp_validator::ContentSecurityPolicyIsSecure
;
10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed
;
11 using extensions::csp_validator::OPTIONS_NONE
;
12 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL
;
13 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC
;
14 using extensions::Manifest
;
16 TEST(ExtensionCSPValidator
, IsLegal
) {
17 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
18 EXPECT_TRUE(ContentSecurityPolicyIsLegal(
19 "default-src 'self'; script-src http://www.google.com"));
20 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
21 "default-src 'self';\nscript-src http://www.google.com"));
22 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
23 "default-src 'self';\rscript-src http://www.google.com"));
24 EXPECT_FALSE(ContentSecurityPolicyIsLegal(
25 "default-src 'self';,script-src http://www.google.com"));
28 TEST(ExtensionCSPValidator
, IsSecure
) {
30 ContentSecurityPolicyIsSecure(std::string(), OPTIONS_ALLOW_UNSAFE_EVAL
));
31 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
32 OPTIONS_ALLOW_UNSAFE_EVAL
));
34 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
35 "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL
));
36 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
37 "default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL
));
38 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
39 "default-src 'none'", OPTIONS_ALLOW_UNSAFE_EVAL
));
40 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
41 "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL
));
42 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
43 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL
));
45 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
46 "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL
));
47 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
48 "default-src 'self'; default-src *", OPTIONS_ALLOW_UNSAFE_EVAL
));
49 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
50 "default-src 'self'; default-src *; script-src *; script-src 'self'",
51 OPTIONS_ALLOW_UNSAFE_EVAL
));
52 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
53 "default-src 'self'; default-src *; script-src 'self'; script-src *",
54 OPTIONS_ALLOW_UNSAFE_EVAL
));
56 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
57 "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL
));
58 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
59 "default-src *; script-src 'self'; img-src 'self'",
60 OPTIONS_ALLOW_UNSAFE_EVAL
));
61 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
62 "default-src *; script-src 'self'; object-src 'self'",
63 OPTIONS_ALLOW_UNSAFE_EVAL
));
64 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
65 "script-src 'self'; object-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL
));
66 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
67 "default-src 'unsafe-eval'", OPTIONS_ALLOW_UNSAFE_EVAL
));
69 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
70 "default-src 'unsafe-eval'", OPTIONS_NONE
));
71 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
72 "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL
));
73 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
74 "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL
));
75 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
76 "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL
));
77 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
78 "default-src 'self' https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL
));
79 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
80 "default-src 'self' chrome://resources", OPTIONS_ALLOW_UNSAFE_EVAL
));
81 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
82 "default-src 'self' chrome-extension://aabbcc",
83 OPTIONS_ALLOW_UNSAFE_EVAL
));
84 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
85 "default-src 'self' chrome-extension-resource://aabbcc",
86 OPTIONS_ALLOW_UNSAFE_EVAL
));
87 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
88 "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL
));
89 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
90 "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL
));
91 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
92 "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL
));
94 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
95 "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL
));
96 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
97 "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL
));
98 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
99 "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL
));
100 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
101 "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL
));
102 // "https://" is an invalid CSP, so it will be ignored by Blink.
103 // TODO(robwu): Change to EXPECT_FALSE once http://crbug.com/434773 is fixed.
104 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
105 "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL
));
106 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
107 "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL
));
108 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
109 "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL
));
110 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
111 "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL
));
112 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
113 "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL
));
114 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
115 "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL
));
116 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
117 "default-src 'self' https://*.*.google.com:*/",
118 OPTIONS_ALLOW_UNSAFE_EVAL
));
119 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
120 "default-src 'self' https://www.*.google.com/",
121 OPTIONS_ALLOW_UNSAFE_EVAL
));
122 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
123 "default-src 'self' https://www.*.google.com:*/",
124 OPTIONS_ALLOW_UNSAFE_EVAL
));
125 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
126 "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL
));
127 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
128 "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL
));
130 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
131 "default-src 'self' https://*.google.com", OPTIONS_ALLOW_UNSAFE_EVAL
));
132 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
133 "default-src 'self' https://*.google.com:1", OPTIONS_ALLOW_UNSAFE_EVAL
));
134 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
135 "default-src 'self' https://*.google.com:*", OPTIONS_ALLOW_UNSAFE_EVAL
));
136 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
137 "default-src 'self' https://*.google.com:1/", OPTIONS_ALLOW_UNSAFE_EVAL
));
138 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
139 "default-src 'self' https://*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL
));
141 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
142 "default-src 'self' http://127.0.0.1", OPTIONS_ALLOW_UNSAFE_EVAL
));
143 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
144 "default-src 'self' http://localhost", OPTIONS_ALLOW_UNSAFE_EVAL
));
145 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
146 "default-src 'self' http://lOcAlHoSt", OPTIONS_ALLOW_UNSAFE_EVAL
));
147 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
148 "default-src 'self' http://127.0.0.1:9999", OPTIONS_ALLOW_UNSAFE_EVAL
));
149 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
150 "default-src 'self' http://localhost:8888", OPTIONS_ALLOW_UNSAFE_EVAL
));
151 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
152 "default-src 'self' http://127.0.0.1.example.com",
153 OPTIONS_ALLOW_UNSAFE_EVAL
));
154 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
155 "default-src 'self' http://localhost.example.com",
156 OPTIONS_ALLOW_UNSAFE_EVAL
));
158 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
159 "default-src 'self' blob:", OPTIONS_ALLOW_UNSAFE_EVAL
));
160 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
161 "default-src 'self' blob:http://example.com/XXX",
162 OPTIONS_ALLOW_UNSAFE_EVAL
));
163 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
164 "default-src 'self' filesystem:", OPTIONS_ALLOW_UNSAFE_EVAL
));
165 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
166 "default-src 'self' filesystem:http://example.com/XXX",
167 OPTIONS_ALLOW_UNSAFE_EVAL
));
169 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
170 "default-src 'self' https://*.googleapis.com",
171 OPTIONS_ALLOW_UNSAFE_EVAL
));
172 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
173 "default-src 'self' https://x.googleapis.com",
174 OPTIONS_ALLOW_UNSAFE_EVAL
));
175 // "chrome-extension://" is an invalid CSP and ignored by Blink, but extension
176 // authors have been using this string anyway, so we cannot refuse this string
177 // until extensions can be loaded with an invalid CSP. http://crbug.com/434773
178 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
179 "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL
));
181 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
182 "script-src 'self'; object-src *", OPTIONS_NONE
));
183 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
184 "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
185 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
186 "script-src 'self'; object-src *; plugin-types application/pdf",
187 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
188 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
189 "script-src 'self'; object-src *; "
190 "plugin-types application/x-shockwave-flash",
191 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
192 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
193 "script-src 'self'; object-src *; "
194 "plugin-types application/x-shockwave-flash application/pdf",
195 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
196 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
197 "script-src 'self'; object-src http://www.example.com; "
198 "plugin-types application/pdf",
199 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
200 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
201 "object-src http://www.example.com blob:; script-src 'self'; "
202 "plugin-types application/pdf",
203 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
204 EXPECT_TRUE(ContentSecurityPolicyIsSecure(
205 "script-src 'self'; object-src http://*.example.com; "
206 "plugin-types application/pdf",
207 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
208 EXPECT_FALSE(ContentSecurityPolicyIsSecure(
209 "script-src *; object-src *; plugin-types application/pdf",
210 OPTIONS_ALLOW_INSECURE_OBJECT_SRC
));
213 TEST(ExtensionCSPValidator
, IsSandboxed
) {
214 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
215 Manifest::TYPE_EXTENSION
));
216 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
217 Manifest::TYPE_EXTENSION
));
219 // Sandbox directive is required.
220 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
221 "sandbox", Manifest::TYPE_EXTENSION
));
223 // Additional sandbox tokens are OK.
224 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
225 "sandbox allow-scripts", Manifest::TYPE_EXTENSION
));
226 // Except for allow-same-origin.
227 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
228 "sandbox allow-same-origin", Manifest::TYPE_EXTENSION
));
230 // Additional directives are OK.
231 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
232 "sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION
));
234 // Extensions allow navigation, platform apps don't.
235 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
236 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION
));
237 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
238 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP
));
241 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
242 "sandbox allow-popups", Manifest::TYPE_EXTENSION
));
243 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
244 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP
));
