permissions_data_unittest.cc revision 90dce4d38c5ff5333bea97d859d4e484e27edf0c
1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include <vector> 6 7#include "base/command_line.h" 8#include "base/memory/ref_counted.h" 9#include "base/string16.h" 10#include "base/strings/utf_string_conversions.h" 11#include "chrome/common/chrome_switches.h" 12#include "chrome/common/chrome_version_info.h" 13#include "chrome/common/extensions/extension.h" 14#include "chrome/common/extensions/extension_manifest_constants.h" 15#include "chrome/common/extensions/extension_test_util.h" 16#include "chrome/common/extensions/features/feature.h" 17#include "chrome/common/extensions/permissions/api_permission.h" 18#include "chrome/common/extensions/permissions/permission_set.h" 19#include "chrome/common/extensions/permissions/permissions_data.h" 20#include "chrome/common/extensions/permissions/socket_permission.h" 21#include "content/public/common/socket_permission_request.h" 22#include "extensions/common/error_utils.h" 23#include "extensions/common/id_util.h" 24#include "extensions/common/url_pattern_set.h" 25#include "testing/gtest/include/gtest/gtest.h" 26 27using content::SocketPermissionRequest; 28using extension_test_util::LoadManifest; 29using extension_test_util::LoadManifestUnchecked; 30using extension_test_util::LoadManifestStrict; 31 32namespace extensions { 33 34namespace { 35 36bool CheckSocketPermission( 37 scoped_refptr<Extension> extension, 38 SocketPermissionRequest::OperationType type, 39 const char* host, 40 int port) { 41 SocketPermission::CheckParam param(type, host, port); 42 return PermissionsData::CheckAPIPermissionWithParam( 43 extension, APIPermission::kSocket, ¶m); 44} 45 46} // namespace 47 48TEST(ExtensionPermissionsTest, EffectiveHostPermissions) { 49 scoped_refptr<Extension> extension; 50 URLPatternSet hosts; 51 52 extension = LoadManifest("effective_host_permissions", "empty.json"); 53 EXPECT_EQ( 54 0u, 55 PermissionsData::GetEffectiveHostPermissions( 56 extension).patterns().size()); 57 EXPECT_FALSE(hosts.MatchesURL(GURL("http://www.google.com"))); 58 EXPECT_FALSE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 59 60 extension = LoadManifest("effective_host_permissions", "one_host.json"); 61 hosts = PermissionsData::GetEffectiveHostPermissions(extension); 62 EXPECT_TRUE(hosts.MatchesURL(GURL("http://www.google.com"))); 63 EXPECT_FALSE(hosts.MatchesURL(GURL("https://www.google.com"))); 64 EXPECT_FALSE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 65 66 extension = LoadManifest("effective_host_permissions", 67 "one_host_wildcard.json"); 68 hosts = PermissionsData::GetEffectiveHostPermissions(extension); 69 EXPECT_TRUE(hosts.MatchesURL(GURL("http://google.com"))); 70 EXPECT_TRUE(hosts.MatchesURL(GURL("http://foo.google.com"))); 71 EXPECT_FALSE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 72 73 extension = LoadManifest("effective_host_permissions", "two_hosts.json"); 74 hosts = PermissionsData::GetEffectiveHostPermissions(extension); 75 EXPECT_TRUE(hosts.MatchesURL(GURL("http://www.google.com"))); 76 EXPECT_TRUE(hosts.MatchesURL(GURL("http://www.reddit.com"))); 77 EXPECT_FALSE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 78 79 extension = LoadManifest("effective_host_permissions", 80 "https_not_considered.json"); 81 hosts = PermissionsData::GetEffectiveHostPermissions(extension); 82 EXPECT_TRUE(hosts.MatchesURL(GURL("http://google.com"))); 83 EXPECT_TRUE(hosts.MatchesURL(GURL("https://google.com"))); 84 EXPECT_FALSE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 85 86 extension = LoadManifest("effective_host_permissions", 87 "two_content_scripts.json"); 88 hosts = PermissionsData::GetEffectiveHostPermissions(extension); 89 EXPECT_TRUE(hosts.MatchesURL(GURL("http://google.com"))); 90 EXPECT_TRUE(hosts.MatchesURL(GURL("http://www.reddit.com"))); 91 EXPECT_TRUE(extension->GetActivePermissions()->HasEffectiveAccessToURL( 92 GURL("http://www.reddit.com"))); 93 EXPECT_TRUE(hosts.MatchesURL(GURL("http://news.ycombinator.com"))); 94 EXPECT_TRUE(extension->GetActivePermissions()->HasEffectiveAccessToURL( 95 GURL("http://news.ycombinator.com"))); 96 EXPECT_FALSE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 97 98 extension = LoadManifest("effective_host_permissions", "all_hosts.json"); 99 hosts = PermissionsData::GetEffectiveHostPermissions(extension); 100 EXPECT_TRUE(hosts.MatchesURL(GURL("http://test/"))); 101 EXPECT_FALSE(hosts.MatchesURL(GURL("https://test/"))); 102 EXPECT_TRUE(hosts.MatchesURL(GURL("http://www.google.com"))); 103 EXPECT_TRUE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 104 105 extension = LoadManifest("effective_host_permissions", "all_hosts2.json"); 106 hosts = PermissionsData::GetEffectiveHostPermissions(extension); 107 EXPECT_TRUE(hosts.MatchesURL(GURL("http://test/"))); 108 EXPECT_TRUE(hosts.MatchesURL(GURL("http://www.google.com"))); 109 EXPECT_TRUE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 110 111 extension = LoadManifest("effective_host_permissions", "all_hosts3.json"); 112 hosts = PermissionsData::GetEffectiveHostPermissions(extension); 113 EXPECT_FALSE(hosts.MatchesURL(GURL("http://test/"))); 114 EXPECT_TRUE(hosts.MatchesURL(GURL("https://test/"))); 115 EXPECT_TRUE(hosts.MatchesURL(GURL("http://www.google.com"))); 116 EXPECT_TRUE(PermissionsData::HasEffectiveAccessToAllHosts(extension)); 117} 118 119TEST(ExtensionPermissionsTest, SocketPermissions) { 120 // Set feature current channel to appropriate value. 121 Feature::ScopedCurrentChannel scoped_channel( 122 chrome::VersionInfo::CHANNEL_DEV); 123 scoped_refptr<Extension> extension; 124 std::string error; 125 126 extension = LoadManifest("socket_permissions", "empty.json"); 127 EXPECT_FALSE(CheckSocketPermission(extension, 128 SocketPermissionRequest::TCP_CONNECT, "www.example.com", 80)); 129 130 extension = LoadManifestUnchecked("socket_permissions", 131 "socket1.json", 132 Manifest::INTERNAL, Extension::NO_FLAGS, 133 &error); 134 EXPECT_TRUE(extension == NULL); 135 ASSERT_EQ(ErrorUtils::FormatErrorMessage( 136 extension_manifest_errors::kInvalidPermission, "socket"), error); 137 138 extension = LoadManifest("socket_permissions", "socket2.json"); 139 EXPECT_TRUE(CheckSocketPermission(extension, 140 SocketPermissionRequest::TCP_CONNECT, "www.example.com", 80)); 141 EXPECT_FALSE(CheckSocketPermission( 142 extension, SocketPermissionRequest::UDP_BIND, "", 80)); 143 EXPECT_TRUE(CheckSocketPermission( 144 extension, SocketPermissionRequest::UDP_BIND, "", 8888)); 145 146 EXPECT_FALSE(CheckSocketPermission( 147 extension, SocketPermissionRequest::UDP_SEND_TO, "example.com", 1900)); 148 EXPECT_TRUE(CheckSocketPermission( 149 extension, 150 SocketPermissionRequest::UDP_SEND_TO, 151 "239.255.255.250", 1900)); 152} 153 154// This tests the API permissions with an empty manifest (one that just 155// specifies a name and a version and nothing else). 156TEST(ExtensionPermissionsTest, ApiPermissions) { 157 const struct { 158 const char* permission_name; 159 bool expect_success; 160 } kTests[] = { 161 // Negative test. 162 { "non_existing_permission", false }, 163 // Test default module/package permission. 164 { "browserAction", true }, 165 { "devtools", true }, 166 { "extension", true }, 167 { "i18n", true }, 168 { "pageAction", true }, 169 { "pageActions", true }, 170 { "test", true }, 171 // Some negative tests. 172 { "bookmarks", false }, 173 { "cookies", false }, 174 { "history", false }, 175 // Make sure we find the module name after stripping '.' and '/'. 176 { "browserAction/abcd/onClick", true }, 177 { "browserAction.abcd.onClick", true }, 178 // Test Tabs functions. 179 { "tabs.create", true}, 180 { "tabs.duplicate", true}, 181 { "tabs.onRemoved", true}, 182 { "tabs.remove", true}, 183 { "tabs.update", true}, 184 { "tabs.getSelected", true}, 185 { "tabs.onUpdated", true }, 186 // Test getPermissionWarnings functions. Only one requires permissions. 187 { "management.getPermissionWarningsById", false }, 188 { "management.getPermissionWarningsByManifest", true }, 189 }; 190 191 scoped_refptr<Extension> extension; 192 extension = LoadManifest("empty_manifest", "empty.json"); 193 194 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTests); ++i) { 195 EXPECT_EQ(kTests[i].expect_success, 196 extension->HasAPIPermission(kTests[i].permission_name)) 197 << "Permission being tested: " << kTests[i].permission_name; 198 } 199} 200 201TEST(ExtensionPermissionsTest, GetPermissionMessages_ManyAPIPermissions) { 202 scoped_refptr<Extension> extension; 203 extension = LoadManifest("permissions", "many-apis.json"); 204 std::vector<string16> warnings = 205 PermissionsData::GetPermissionMessageStrings(extension); 206 ASSERT_EQ(6u, warnings.size()); 207 EXPECT_EQ("Access your data on api.flickr.com", 208 UTF16ToUTF8(warnings[0])); 209 EXPECT_EQ("Read and modify your bookmarks", UTF16ToUTF8(warnings[1])); 210 EXPECT_EQ("Detect your physical location", UTF16ToUTF8(warnings[2])); 211 EXPECT_EQ("Read and modify your browsing history", UTF16ToUTF8(warnings[3])); 212 EXPECT_EQ("Access your tabs and browsing activity", UTF16ToUTF8(warnings[4])); 213 EXPECT_EQ("Manage your apps, extensions, and themes", 214 UTF16ToUTF8(warnings[5])); 215} 216 217TEST(ExtensionPermissionsTest, GetPermissionMessages_LocationApiPermission) { 218 scoped_refptr<Extension> extension; 219 extension = LoadManifest("permissions", 220 "location-api.json", 221 Manifest::COMPONENT, 222 Extension::NO_FLAGS); 223 std::vector<string16> warnings = 224 PermissionsData::GetPermissionMessageStrings(extension); 225 ASSERT_EQ(1u, warnings.size()); 226 EXPECT_EQ("Detect your physical location", UTF16ToUTF8(warnings[0])); 227} 228 229TEST(ExtensionPermissionsTest, GetPermissionMessages_ManyHosts) { 230 scoped_refptr<Extension> extension; 231 extension = LoadManifest("permissions", "many-hosts.json"); 232 std::vector<string16> warnings = 233 PermissionsData::GetPermissionMessageStrings(extension); 234 ASSERT_EQ(1u, warnings.size()); 235 EXPECT_EQ("Access your data on encrypted.google.com and www.google.com", 236 UTF16ToUTF8(warnings[0])); 237} 238 239TEST(ExtensionPermissionsTest, GetPermissionMessages_Plugins) { 240 scoped_refptr<Extension> extension; 241 extension = LoadManifest("permissions", "plugins.json"); 242 std::vector<string16> warnings = 243 PermissionsData::GetPermissionMessageStrings(extension); 244 // We don't parse the plugins key on Chrome OS, so it should not ask for any 245 // permissions. 246#if defined(OS_CHROMEOS) 247 ASSERT_EQ(0u, warnings.size()); 248#else 249 ASSERT_EQ(1u, warnings.size()); 250 EXPECT_EQ("Access all data on your computer and the websites you visit", 251 UTF16ToUTF8(warnings[0])); 252#endif 253} 254 255// Base class for testing the CanExecuteScriptOnPage and CanCaptureVisiblePage 256// methods of Extension for extensions with various permissions. 257class ExtensionScriptAndCaptureVisibleTest : public testing::Test { 258 protected: 259 ExtensionScriptAndCaptureVisibleTest() 260 : http_url("http://www.google.com"), 261 http_url_with_path("http://www.google.com/index.html"), 262 https_url("https://www.google.com"), 263 file_url("file:///foo/bar"), 264 favicon_url("chrome://favicon/http://www.google.com"), 265 extension_url("chrome-extension://" + 266 id_util::GenerateIdForPath( 267 base::FilePath(FILE_PATH_LITERAL("foo")))), 268 settings_url("chrome://settings"), 269 about_url("about:flags") { 270 urls_.insert(http_url); 271 urls_.insert(http_url_with_path); 272 urls_.insert(https_url); 273 urls_.insert(file_url); 274 urls_.insert(favicon_url); 275 urls_.insert(extension_url); 276 urls_.insert(settings_url); 277 urls_.insert(about_url); 278 // Ignore the policy delegate for this test. 279 PermissionsData::SetPolicyDelegate(NULL); 280 } 281 282 bool AllowedScript(const Extension* extension, const GURL& url, 283 const GURL& top_url) { 284 return PermissionsData::CanExecuteScriptOnPage( 285 extension, url, top_url, -1, NULL, -1, NULL); 286 } 287 288 bool BlockedScript(const Extension* extension, const GURL& url, 289 const GURL& top_url) { 290 return !PermissionsData::CanExecuteScriptOnPage( 291 extension, url, top_url, -1, NULL, -1, NULL); 292 } 293 294 bool Allowed(const Extension* extension, const GURL& url) { 295 return Allowed(extension, url, -1); 296 } 297 298 bool Allowed(const Extension* extension, const GURL& url, int tab_id) { 299 return (PermissionsData::CanExecuteScriptOnPage( 300 extension, url, url, tab_id, NULL, -1, NULL) && 301 PermissionsData::CanCaptureVisiblePage( 302 extension, url, tab_id, NULL)); 303 } 304 305 bool CaptureOnly(const Extension* extension, const GURL& url) { 306 return CaptureOnly(extension, url, -1); 307 } 308 309 bool CaptureOnly(const Extension* extension, const GURL& url, int tab_id) { 310 return !PermissionsData::CanExecuteScriptOnPage( 311 extension, url, url, tab_id, NULL, -1, NULL) && 312 PermissionsData::CanCaptureVisiblePage(extension, url, tab_id, NULL); 313 } 314 315 bool Blocked(const Extension* extension, const GURL& url) { 316 return Blocked(extension, url, -1); 317 } 318 319 bool Blocked(const Extension* extension, const GURL& url, int tab_id) { 320 return !(PermissionsData::CanExecuteScriptOnPage( 321 extension, url, url, tab_id, NULL, -1, NULL) || 322 PermissionsData::CanCaptureVisiblePage( 323 extension, url, tab_id, NULL)); 324 } 325 326 bool AllowedExclusivelyOnTab( 327 const Extension* extension, 328 const std::set<GURL>& allowed_urls, 329 int tab_id) { 330 bool result = true; 331 for (std::set<GURL>::iterator it = urls_.begin(); it != urls_.end(); ++it) { 332 const GURL& url = *it; 333 if (allowed_urls.count(url)) 334 result &= Allowed(extension, url, tab_id); 335 else 336 result &= Blocked(extension, url, tab_id); 337 } 338 return result; 339 } 340 341 // URLs that are "safe" to provide scripting and capture visible tab access 342 // to if the permissions allow it. 343 const GURL http_url; 344 const GURL http_url_with_path; 345 const GURL https_url; 346 const GURL file_url; 347 348 // We should allow host permission but not scripting permission for favicon 349 // urls. 350 const GURL favicon_url; 351 352 // URLs that regular extensions should never get access to. 353 const GURL extension_url; 354 const GURL settings_url; 355 const GURL about_url; 356 357 private: 358 // The set of all URLs above. 359 std::set<GURL> urls_; 360}; 361 362TEST_F(ExtensionScriptAndCaptureVisibleTest, Permissions) { 363 // Test <all_urls> for regular extensions. 364 scoped_refptr<Extension> extension = LoadManifestStrict("script_and_capture", 365 "extension_regular_all.json"); 366 367 EXPECT_TRUE(Allowed(extension, http_url)); 368 EXPECT_TRUE(Allowed(extension, https_url)); 369 EXPECT_TRUE(Blocked(extension, file_url)); 370 EXPECT_TRUE(Blocked(extension, settings_url)); 371 EXPECT_TRUE(CaptureOnly(extension, favicon_url)); 372 EXPECT_TRUE(Blocked(extension, about_url)); 373 EXPECT_TRUE(Blocked(extension, extension_url)); 374 375 // Test access to iframed content. 376 GURL within_extension_url = extension->GetResourceURL("page.html"); 377 EXPECT_TRUE(AllowedScript(extension, http_url, http_url_with_path)); 378 EXPECT_TRUE(AllowedScript(extension, https_url, http_url_with_path)); 379 EXPECT_TRUE(AllowedScript(extension, http_url, within_extension_url)); 380 EXPECT_TRUE(AllowedScript(extension, https_url, within_extension_url)); 381 EXPECT_TRUE(BlockedScript(extension, http_url, extension_url)); 382 EXPECT_TRUE(BlockedScript(extension, https_url, extension_url)); 383 384 EXPECT_FALSE(PermissionsData::HasHostPermission(extension, settings_url)); 385 EXPECT_FALSE(PermissionsData::HasHostPermission(extension, about_url)); 386 EXPECT_TRUE(PermissionsData::HasHostPermission(extension, favicon_url)); 387 388 // Test * for scheme, which implies just the http/https schemes. 389 extension = LoadManifestStrict("script_and_capture", 390 "extension_wildcard.json"); 391 EXPECT_TRUE(Allowed(extension, http_url)); 392 EXPECT_TRUE(Allowed(extension, https_url)); 393 EXPECT_TRUE(Blocked(extension, settings_url)); 394 EXPECT_TRUE(Blocked(extension, about_url)); 395 EXPECT_TRUE(Blocked(extension, file_url)); 396 EXPECT_TRUE(Blocked(extension, favicon_url)); 397 extension = LoadManifest("script_and_capture", 398 "extension_wildcard_settings.json"); 399 EXPECT_TRUE(Blocked(extension, settings_url)); 400 401 // Having chrome://*/ should not work for regular extensions. Note that 402 // for favicon access, we require the explicit pattern chrome://favicon/*. 403 std::string error; 404 extension = LoadManifestUnchecked("script_and_capture", 405 "extension_wildcard_chrome.json", 406 Manifest::INTERNAL, Extension::NO_FLAGS, 407 &error); 408 EXPECT_TRUE(extension == NULL); 409 EXPECT_EQ( 410 ErrorUtils::FormatErrorMessage( 411 extension_manifest_errors::kInvalidPermissionScheme, 412 "chrome://*/"), 413 error); 414 415 // Having chrome://favicon/* should not give you chrome://* 416 extension = LoadManifestStrict("script_and_capture", 417 "extension_chrome_favicon_wildcard.json"); 418 EXPECT_TRUE(Blocked(extension, settings_url)); 419 EXPECT_TRUE(CaptureOnly(extension, favicon_url)); 420 EXPECT_TRUE(Blocked(extension, about_url)); 421 EXPECT_TRUE(PermissionsData::HasHostPermission(extension, favicon_url)); 422 423 // Having http://favicon should not give you chrome://favicon 424 extension = LoadManifestStrict("script_and_capture", 425 "extension_http_favicon.json"); 426 EXPECT_TRUE(Blocked(extension, settings_url)); 427 EXPECT_TRUE(Blocked(extension, favicon_url)); 428 429 // Component extensions with <all_urls> should get everything. 430 extension = LoadManifest("script_and_capture", "extension_component_all.json", 431 Manifest::COMPONENT, Extension::NO_FLAGS); 432 EXPECT_TRUE(Allowed(extension, http_url)); 433 EXPECT_TRUE(Allowed(extension, https_url)); 434 EXPECT_TRUE(Allowed(extension, settings_url)); 435 EXPECT_TRUE(Allowed(extension, about_url)); 436 EXPECT_TRUE(Allowed(extension, favicon_url)); 437 EXPECT_TRUE(PermissionsData::HasHostPermission(extension, favicon_url)); 438 439 // Component extensions should only get access to what they ask for. 440 extension = LoadManifest("script_and_capture", 441 "extension_component_google.json", Manifest::COMPONENT, 442 Extension::NO_FLAGS); 443 EXPECT_TRUE(Allowed(extension, http_url)); 444 EXPECT_TRUE(Blocked(extension, https_url)); 445 EXPECT_TRUE(Blocked(extension, file_url)); 446 EXPECT_TRUE(Blocked(extension, settings_url)); 447 EXPECT_TRUE(Blocked(extension, favicon_url)); 448 EXPECT_TRUE(Blocked(extension, about_url)); 449 EXPECT_TRUE(Blocked(extension, extension_url)); 450 EXPECT_FALSE(PermissionsData::HasHostPermission(extension, settings_url)); 451} 452 453 454TEST_F(ExtensionScriptAndCaptureVisibleTest, PermissionsWithChromeURLsEnabled) { 455 CommandLine::ForCurrentProcess()->AppendSwitch( 456 switches::kExtensionsOnChromeURLs); 457 458 scoped_refptr<Extension> extension; 459 460 // Test <all_urls> for regular extensions. 461 extension = LoadManifestStrict("script_and_capture", 462 "extension_regular_all.json"); 463 EXPECT_TRUE(Allowed(extension, http_url)); 464 EXPECT_TRUE(Allowed(extension, https_url)); 465 EXPECT_TRUE(Blocked(extension, file_url)); 466 EXPECT_TRUE(Blocked(extension, settings_url)); 467 EXPECT_TRUE(Allowed(extension, favicon_url)); // chrome:// requested 468 EXPECT_TRUE(Blocked(extension, about_url)); 469 EXPECT_TRUE(Blocked(extension, extension_url)); 470 471 // Test access to iframed content. 472 GURL within_extension_url = extension->GetResourceURL("page.html"); 473 EXPECT_TRUE(AllowedScript(extension, http_url, http_url_with_path)); 474 EXPECT_TRUE(AllowedScript(extension, https_url, http_url_with_path)); 475 EXPECT_TRUE(AllowedScript(extension, http_url, within_extension_url)); 476 EXPECT_TRUE(AllowedScript(extension, https_url, within_extension_url)); 477 EXPECT_TRUE(BlockedScript(extension, http_url, extension_url)); 478 EXPECT_TRUE(BlockedScript(extension, https_url, extension_url)); 479 480 EXPECT_FALSE(PermissionsData::HasHostPermission(extension, settings_url)); 481 EXPECT_FALSE(PermissionsData::HasHostPermission(extension, about_url)); 482 EXPECT_TRUE(PermissionsData::HasHostPermission(extension, favicon_url)); 483 484 // Test * for scheme, which implies just the http/https schemes. 485 extension = LoadManifestStrict("script_and_capture", 486 "extension_wildcard.json"); 487 EXPECT_TRUE(Allowed(extension, http_url)); 488 EXPECT_TRUE(Allowed(extension, https_url)); 489 EXPECT_TRUE(Blocked(extension, settings_url)); 490 EXPECT_TRUE(Blocked(extension, about_url)); 491 EXPECT_TRUE(Blocked(extension, file_url)); 492 EXPECT_TRUE(Blocked(extension, favicon_url)); 493 extension = LoadManifest("script_and_capture", 494 "extension_wildcard_settings.json"); 495 EXPECT_TRUE(Blocked(extension, settings_url)); 496 497 // Having chrome://*/ should work for regular extensions with the flag 498 // enabled. 499 std::string error; 500 extension = LoadManifestUnchecked("script_and_capture", 501 "extension_wildcard_chrome.json", 502 Manifest::INTERNAL, Extension::NO_FLAGS, 503 &error); 504 EXPECT_FALSE(extension == NULL); 505 EXPECT_TRUE(Blocked(extension, http_url)); 506 EXPECT_TRUE(Blocked(extension, https_url)); 507 EXPECT_TRUE(Allowed(extension, settings_url)); 508 EXPECT_TRUE(Blocked(extension, about_url)); 509 EXPECT_TRUE(Blocked(extension, file_url)); 510 EXPECT_TRUE(Allowed(extension, favicon_url)); // chrome:// requested 511 512 // Having chrome://favicon/* should not give you chrome://* 513 extension = LoadManifestStrict("script_and_capture", 514 "extension_chrome_favicon_wildcard.json"); 515 EXPECT_TRUE(Blocked(extension, settings_url)); 516 EXPECT_TRUE(Allowed(extension, favicon_url)); // chrome:// requested 517 EXPECT_TRUE(Blocked(extension, about_url)); 518 EXPECT_TRUE(PermissionsData::HasHostPermission(extension, favicon_url)); 519 520 // Having http://favicon should not give you chrome://favicon 521 extension = LoadManifestStrict("script_and_capture", 522 "extension_http_favicon.json"); 523 EXPECT_TRUE(Blocked(extension, settings_url)); 524 EXPECT_TRUE(Blocked(extension, favicon_url)); 525 526 // Component extensions with <all_urls> should get everything. 527 extension = LoadManifest("script_and_capture", "extension_component_all.json", 528 Manifest::COMPONENT, Extension::NO_FLAGS); 529 EXPECT_TRUE(Allowed(extension, http_url)); 530 EXPECT_TRUE(Allowed(extension, https_url)); 531 EXPECT_TRUE(Allowed(extension, settings_url)); 532 EXPECT_TRUE(Allowed(extension, about_url)); 533 EXPECT_TRUE(Allowed(extension, favicon_url)); 534 EXPECT_TRUE(PermissionsData::HasHostPermission(extension, favicon_url)); 535 536 // Component extensions should only get access to what they ask for. 537 extension = LoadManifest("script_and_capture", 538 "extension_component_google.json", Manifest::COMPONENT, 539 Extension::NO_FLAGS); 540 EXPECT_TRUE(Allowed(extension, http_url)); 541 EXPECT_TRUE(Blocked(extension, https_url)); 542 EXPECT_TRUE(Blocked(extension, file_url)); 543 EXPECT_TRUE(Blocked(extension, settings_url)); 544 EXPECT_TRUE(Blocked(extension, favicon_url)); 545 EXPECT_TRUE(Blocked(extension, about_url)); 546 EXPECT_TRUE(Blocked(extension, extension_url)); 547 EXPECT_FALSE(PermissionsData::HasHostPermission(extension, settings_url)); 548} 549 550TEST_F(ExtensionScriptAndCaptureVisibleTest, TabSpecific) { 551 scoped_refptr<Extension> extension = 552 LoadManifestStrict("script_and_capture", "tab_specific.json"); 553 554 EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension, 0).get()); 555 EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension, 1).get()); 556 EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension, 2).get()); 557 558 std::set<GURL> no_urls; 559 560 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 0)); 561 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 1)); 562 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 2)); 563 564 URLPatternSet allowed_hosts; 565 allowed_hosts.AddPattern(URLPattern(URLPattern::SCHEME_ALL, 566 http_url.spec())); 567 std::set<GURL> allowed_urls; 568 allowed_urls.insert(http_url); 569 // http_url_with_path() will also be allowed, because Extension should be 570 // considering the security origin of the URL not the URL itself, and 571 // http_url is in allowed_hosts. 572 allowed_urls.insert(http_url_with_path); 573 574 { 575 scoped_refptr<PermissionSet> permissions( 576 new PermissionSet(APIPermissionSet(), allowed_hosts, URLPatternSet())); 577 PermissionsData::UpdateTabSpecificPermissions(extension, 0, permissions); 578 EXPECT_EQ(permissions->explicit_hosts(), 579 PermissionsData::GetTabSpecificPermissions( 580 extension, 0)->explicit_hosts()); 581 } 582 583 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, allowed_urls, 0)); 584 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 1)); 585 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 2)); 586 587 PermissionsData::ClearTabSpecificPermissions(extension, 0); 588 EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension, 0).get()); 589 590 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 0)); 591 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 1)); 592 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 2)); 593 594 std::set<GURL> more_allowed_urls = allowed_urls; 595 more_allowed_urls.insert(https_url); 596 URLPatternSet more_allowed_hosts = allowed_hosts; 597 more_allowed_hosts.AddPattern(URLPattern(URLPattern::SCHEME_ALL, 598 https_url.spec())); 599 600 { 601 scoped_refptr<PermissionSet> permissions( 602 new PermissionSet(APIPermissionSet(), allowed_hosts, URLPatternSet())); 603 PermissionsData::UpdateTabSpecificPermissions(extension, 0, permissions); 604 EXPECT_EQ(permissions->explicit_hosts(), 605 PermissionsData::GetTabSpecificPermissions( 606 extension, 0)->explicit_hosts()); 607 608 permissions = new PermissionSet(APIPermissionSet(), 609 more_allowed_hosts, 610 URLPatternSet()); 611 PermissionsData::UpdateTabSpecificPermissions(extension, 1, permissions); 612 EXPECT_EQ(permissions->explicit_hosts(), 613 PermissionsData::GetTabSpecificPermissions( 614 extension, 1)->explicit_hosts()); 615 } 616 617 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, allowed_urls, 0)); 618 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, more_allowed_urls, 1)); 619 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 2)); 620 621 PermissionsData::ClearTabSpecificPermissions(extension, 0); 622 EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension, 0).get()); 623 624 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 0)); 625 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, more_allowed_urls, 1)); 626 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 2)); 627 628 PermissionsData::ClearTabSpecificPermissions(extension, 1); 629 EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension, 1).get()); 630 631 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 0)); 632 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 1)); 633 EXPECT_TRUE(AllowedExclusivelyOnTab(extension, no_urls, 2)); 634} 635 636} // namespace extensions 637