1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "extensions/common/csp_validator.h" 6#include "testing/gtest/include/gtest/gtest.h" 7 8using extensions::csp_validator::ContentSecurityPolicyIsLegal; 9using extensions::csp_validator::ContentSecurityPolicyIsSecure; 10using extensions::csp_validator::ContentSecurityPolicyIsSandboxed; 11using extensions::Manifest; 12 13TEST(ExtensionCSPValidator, IsLegal) { 14 EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo")); 15 EXPECT_TRUE(ContentSecurityPolicyIsLegal( 16 "default-src 'self'; script-src http://www.google.com")); 17 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 18 "default-src 'self';\nscript-src http://www.google.com")); 19 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 20 "default-src 'self';\rscript-src http://www.google.com")); 21 EXPECT_FALSE(ContentSecurityPolicyIsLegal( 22 "default-src 'self';,script-src http://www.google.com")); 23} 24 25TEST(ExtensionCSPValidator, IsSecure) { 26 EXPECT_FALSE( 27 ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION)); 28 EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com", 29 Manifest::TYPE_EXTENSION)); 30 31 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 32 "default-src *", Manifest::TYPE_EXTENSION)); 33 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 34 "default-src 'self'", Manifest::TYPE_EXTENSION)); 35 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 36 "default-src 'none'", Manifest::TYPE_EXTENSION)); 37 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 38 "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION)); 39 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 40 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); 41 42 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 43 "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION)); 44 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 45 "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION)); 46 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 47 "default-src 'self'; default-src *; script-src *; script-src 'self'", 48 Manifest::TYPE_EXTENSION)); 49 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 50 "default-src 'self'; default-src *; script-src 'self'; script-src *", 51 Manifest::TYPE_EXTENSION)); 52 53 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 54 "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION)); 55 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 56 "default-src *; script-src 'self'; img-src 'self'", 57 Manifest::TYPE_EXTENSION)); 58 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 59 "default-src *; script-src 'self'; object-src 'self'", 60 Manifest::TYPE_EXTENSION)); 61 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 62 "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION)); 63 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 64 "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION)); 65 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 66 "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP)); 67 68 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 69 "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP)); 70 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 71 "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION)); 72 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 73 "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION)); 74 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 75 "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION)); 76 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 77 "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION)); 78 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 79 "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION)); 80 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 81 "default-src 'self' chrome-extension://aabbcc", 82 Manifest::TYPE_EXTENSION)); 83 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 84 "default-src 'self' chrome-extension-resource://aabbcc", 85 Manifest::TYPE_EXTENSION)); 86 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 87 "default-src 'self' https:", Manifest::TYPE_EXTENSION)); 88 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 89 "default-src 'self' http:", Manifest::TYPE_EXTENSION)); 90 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 91 "default-src 'self' google.com", Manifest::TYPE_EXTENSION)); 92 93 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 94 "default-src 'self' *", Manifest::TYPE_EXTENSION)); 95 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 96 "default-src 'self' *:*", Manifest::TYPE_EXTENSION)); 97 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 98 "default-src 'self' *:*/", Manifest::TYPE_EXTENSION)); 99 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 100 "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION)); 101 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 102 "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION)); 103 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 104 "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION)); 105 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 106 "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION)); 107 108 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 109 "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION)); 110 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 111 "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION)); 112 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 113 "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION)); 114 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 115 "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION)); 116 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 117 "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION)); 118 119 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 120 "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION)); 121 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 122 "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION)); 123 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 124 "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION)); 125 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 126 "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION)); 127 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 128 "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION)); 129 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 130 "default-src 'self' http://127.0.0.1.example.com", 131 Manifest::TYPE_EXTENSION)); 132 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 133 "default-src 'self' http://localhost.example.com", 134 Manifest::TYPE_EXTENSION)); 135 136 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 137 "default-src 'self' blob:", Manifest::TYPE_EXTENSION)); 138 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 139 "default-src 'self' blob:http://example.com/XXX", 140 Manifest::TYPE_EXTENSION)); 141 EXPECT_TRUE(ContentSecurityPolicyIsSecure( 142 "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION)); 143 EXPECT_FALSE(ContentSecurityPolicyIsSecure( 144 "default-src 'self' filesystem:http://example.com/XXX", 145 Manifest::TYPE_EXTENSION)); 146} 147 148TEST(ExtensionCSPValidator, IsSandboxed) { 149 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(), 150 Manifest::TYPE_EXTENSION)); 151 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com", 152 Manifest::TYPE_EXTENSION)); 153 154 // Sandbox directive is required. 155 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 156 "sandbox", Manifest::TYPE_EXTENSION)); 157 158 // Additional sandbox tokens are OK. 159 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 160 "sandbox allow-scripts", Manifest::TYPE_EXTENSION)); 161 // Except for allow-same-origin. 162 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( 163 "sandbox allow-same-origin", Manifest::TYPE_EXTENSION)); 164 165 // Additional directives are OK. 166 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 167 "sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION)); 168 169 // Extensions allow navigation, platform apps don't. 170 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 171 "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION)); 172 EXPECT_FALSE(ContentSecurityPolicyIsSandboxed( 173 "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP)); 174 175 // Popups are OK. 176 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 177 "sandbox allow-popups", Manifest::TYPE_EXTENSION)); 178 EXPECT_TRUE(ContentSecurityPolicyIsSandboxed( 179 "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP)); 180} 181