src/chrome/common/extensions/csp_validator_unittest.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/common/extensions/csp_validator.h"
   6 #include "testing/gtest/include/gtest/gtest.h"
   7
   8 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
   9 using extensions::csp_validator::ContentSecurityPolicyIsSecure;
  10 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
  11 using extensions::Manifest;
  12
  13 TEST(ExtensionCSPValidator, IsLegal) {
  14   EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
  15   EXPECT_TRUE(ContentSecurityPolicyIsLegal(
  16       "default-src 'self'; script-src http://www.google.com"));
  17   EXPECT_FALSE(ContentSecurityPolicyIsLegal(
  18       "default-src 'self';\nscript-src http://www.google.com"));
  19   EXPECT_FALSE(ContentSecurityPolicyIsLegal(
  20       "default-src 'self';\rscript-src http://www.google.com"));
  21   EXPECT_FALSE(ContentSecurityPolicyIsLegal(
  22       "default-src 'self';,script-src http://www.google.com"));
  23 }
  24
  25 TEST(ExtensionCSPValidator, IsSecure) {
  26   EXPECT_FALSE(
  27       ContentSecurityPolicyIsSecure(std::string(), Manifest::TYPE_EXTENSION));
  28   EXPECT_FALSE(ContentSecurityPolicyIsSecure("img-src https://google.com",
  29                                              Manifest::TYPE_EXTENSION));
  30
  31   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  32       "default-src *", Manifest::TYPE_EXTENSION));
  33   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  34       "default-src 'self'", Manifest::TYPE_EXTENSION));
  35   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  36       "default-src 'none'", Manifest::TYPE_EXTENSION));
  37   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  38       "default-src 'self' ftp://google.com", Manifest::TYPE_EXTENSION));
  39   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  40       "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
  41
  42   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  43       "default-src *; default-src 'self'", Manifest::TYPE_EXTENSION));
  44   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  45       "default-src 'self'; default-src *", Manifest::TYPE_EXTENSION));
  46   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  47       "default-src 'self'; default-src *; script-src *; script-src 'self'",
  48        Manifest::TYPE_EXTENSION));
  49   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  50       "default-src 'self'; default-src *; script-src 'self'; script-src *",
  51       Manifest::TYPE_EXTENSION));
  52
  53   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  54       "default-src *; script-src 'self'", Manifest::TYPE_EXTENSION));
  55   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  56       "default-src *; script-src 'self'; img-src 'self'",
  57       Manifest::TYPE_EXTENSION));
  58   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  59       "default-src *; script-src 'self'; object-src 'self'",
  60       Manifest::TYPE_EXTENSION));
  61   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  62       "script-src 'self'; object-src 'self'", Manifest::TYPE_EXTENSION));
  63   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  64       "default-src 'unsafe-eval'", Manifest::TYPE_EXTENSION));
  65   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  66       "default-src 'unsafe-eval'", Manifest::TYPE_LEGACY_PACKAGED_APP));
  67
  68   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  69       "default-src 'unsafe-eval'", Manifest::TYPE_PLATFORM_APP));
  70   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  71       "default-src 'unsafe-inline'", Manifest::TYPE_EXTENSION));
  72   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  73       "default-src 'unsafe-inline' 'none'", Manifest::TYPE_EXTENSION));
  74   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  75       "default-src 'self' http://google.com", Manifest::TYPE_EXTENSION));
  76   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  77       "default-src 'self' https://google.com", Manifest::TYPE_EXTENSION));
  78   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  79       "default-src 'self' chrome://resources", Manifest::TYPE_EXTENSION));
  80   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  81       "default-src 'self' chrome-extension://aabbcc",
  82       Manifest::TYPE_EXTENSION));
  83   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
  84      "default-src 'self' chrome-extension-resource://aabbcc",
  85      Manifest::TYPE_EXTENSION));
  86   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  87       "default-src 'self' https:", Manifest::TYPE_EXTENSION));
  88   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  89       "default-src 'self' http:", Manifest::TYPE_EXTENSION));
  90   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  91       "default-src 'self' google.com", Manifest::TYPE_EXTENSION));
  92
  93   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  94       "default-src 'self' *", Manifest::TYPE_EXTENSION));
  95   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  96       "default-src 'self' *:*", Manifest::TYPE_EXTENSION));
  97   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
  98       "default-src 'self' *:*/", Manifest::TYPE_EXTENSION));
  99   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
 100       "default-src 'self' *:*/path", Manifest::TYPE_EXTENSION));
 101   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
 102       "default-src 'self' https://*:*", Manifest::TYPE_EXTENSION));
 103   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
 104       "default-src 'self' https://*:*/", Manifest::TYPE_EXTENSION));
 105   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
 106       "default-src 'self' https://*:*/path", Manifest::TYPE_EXTENSION));
 107
 108   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 109       "default-src 'self' https://*.google.com", Manifest::TYPE_EXTENSION));
 110   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 111       "default-src 'self' https://*.google.com:1", Manifest::TYPE_EXTENSION));
 112   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 113       "default-src 'self' https://*.google.com:*", Manifest::TYPE_EXTENSION));
 114   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 115       "default-src 'self' https://*.google.com:1/", Manifest::TYPE_EXTENSION));
 116   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 117       "default-src 'self' https://*.google.com:*/", Manifest::TYPE_EXTENSION));
 118
 119   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 120       "default-src 'self' http://127.0.0.1", Manifest::TYPE_EXTENSION));
 121   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 122       "default-src 'self' http://localhost", Manifest::TYPE_EXTENSION));
 123   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 124       "default-src 'self' http://lOcAlHoSt", Manifest::TYPE_EXTENSION));
 125   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 126       "default-src 'self' http://127.0.0.1:9999", Manifest::TYPE_EXTENSION));
 127   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 128       "default-src 'self' http://localhost:8888", Manifest::TYPE_EXTENSION));
 129   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
 130       "default-src 'self' http://127.0.0.1.example.com",
 131       Manifest::TYPE_EXTENSION));
 132   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
 133       "default-src 'self' http://localhost.example.com",
 134       Manifest::TYPE_EXTENSION));
 135
 136   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 137       "default-src 'self' blob:", Manifest::TYPE_EXTENSION));
 138   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
 139       "default-src 'self' blob:http://example.com/XXX",
 140       Manifest::TYPE_EXTENSION));
 141   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
 142       "default-src 'self' filesystem:", Manifest::TYPE_EXTENSION));
 143   EXPECT_FALSE(ContentSecurityPolicyIsSecure(
 144       "default-src 'self' filesystem:http://example.com/XXX",
 145       Manifest::TYPE_EXTENSION));
 146 }
 147
 148 TEST(ExtensionCSPValidator, IsSandboxed) {
 149   EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(std::string(),
 150                                                 Manifest::TYPE_EXTENSION));
 151   EXPECT_FALSE(ContentSecurityPolicyIsSandboxed("img-src https://google.com",
 152                                                 Manifest::TYPE_EXTENSION));
 153
 154   // Sandbox directive is required.
 155   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
 156       "sandbox", Manifest::TYPE_EXTENSION));
 157
 158   // Additional sandbox tokens are OK.
 159   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
 160       "sandbox allow-scripts", Manifest::TYPE_EXTENSION));
 161   // Except for allow-same-origin.
 162   EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
 163       "sandbox allow-same-origin", Manifest::TYPE_EXTENSION));
 164
 165   // Additional directives are OK.
 166   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
 167       "sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION));
 168
 169   // Extensions allow navigation, platform apps don't.
 170   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
 171       "sandbox allow-top-navigation", Manifest::TYPE_EXTENSION));
 172   EXPECT_FALSE(ContentSecurityPolicyIsSandboxed(
 173       "sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP));
 174
 175   // Popups are OK.
 176   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
 177       "sandbox allow-popups", Manifest::TYPE_EXTENSION));
 178   EXPECT_TRUE(ContentSecurityPolicyIsSandboxed(
 179       "sandbox allow-popups", Manifest::TYPE_PLATFORM_APP));
 180 }