1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
#include "extensions/common/csp_validator.h"

#include <string>
#include <vector>

#include "extensions/common/error_utils.h"
#include "extensions/common/install_warning.h"
#include "extensions/common/manifest_constants.h"
#include "testing/gtest/include/gtest/gtest.h"
11 using extensions::csp_validator::ContentSecurityPolicyIsLegal;
12 using extensions::csp_validator::SanitizeContentSecurityPolicy;
13 using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
14 using extensions::csp_validator::OPTIONS_NONE;
15 using extensions::csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
16 using extensions::csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC;
17 using extensions::ErrorUtils;
18 using extensions::InstallWarning;
19 using extensions::Manifest;
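namespace {

// Builds the install warning the sanitizer emits when |directive| carries
// |value| and the value is stripped as insecure. Note the argument order of
// the production message: value first, then directive.
std::string InsecureValueWarning(const std::string& directive,
                                 const std::string& value) {
  return ErrorUtils::FormatErrorMessage(
      extensions::manifest_errors::kInvalidCSPInsecureValue, value, directive);
}

// Builds the install warning emitted when the policy did not restrict
// |directive| at all and the sanitizer had to add a secure default for it.
std::string MissingSecureSrcWarning(const std::string& directive) {
  return ErrorUtils::FormatErrorMessage(
      extensions::manifest_errors::kInvalidCSPMissingSecureSrc, directive);
}

// Runs SanitizeContentSecurityPolicy(|policy|, |options|) and checks that the
// result is exactly |expected_csp| and that exactly |expected_warnings| were
// produced (same count, same order, compared by message text). Returns a
// gtest AssertionResult so callers can wrap it in EXPECT_TRUE and still get a
// descriptive failure message.
testing::AssertionResult CheckSanitizeCSP(
    const std::string& policy,
    int options,
    const std::string& expected_csp,
    const std::vector<std::string>& expected_warnings) {
  std::vector<InstallWarning> actual_warnings;
  const std::string actual_csp =
      SanitizeContentSecurityPolicy(policy, options, &actual_warnings);
  if (actual_csp != expected_csp) {
    return testing::AssertionFailure()
           << "SanitizeContentSecurityPolicy returned an unexpected CSP.\n"
           << "Expected CSP: " << expected_csp << "\n"
           << "  Actual CSP: " << actual_csp;
  }

  // Compare the counts first so that a mismatch lists every warning that was
  // actually produced instead of failing on a single index.
  if (expected_warnings.size() != actual_warnings.size()) {
    testing::Message msg;
    msg << "Expected " << expected_warnings.size() << " warnings, but got "
        << actual_warnings.size();
    for (size_t i = 0; i < actual_warnings.size(); ++i)
      msg << "\nWarning " << i << " " << actual_warnings[i].message;
    return testing::AssertionFailure() << msg;
  }

  for (size_t i = 0; i < expected_warnings.size(); ++i) {
    if (expected_warnings[i] != actual_warnings[i].message) {
      // Newline between expected and actual, consistent with the CSP
      // mismatch message above, so the two strings do not run together.
      return testing::AssertionFailure()
             << "Unexpected warning from SanitizeContentSecurityPolicy.\n"
             << "Expected warning[" << i << "]: " << expected_warnings[i]
             << "\n  Actual warning[" << i << "]: "
             << actual_warnings[i].message;
    }
  }
  return testing::AssertionSuccess();
}

// Convenience overload: |policy| is expected to survive sanitization
// unchanged and without any warnings.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options) {
  return CheckSanitizeCSP(policy, options, policy, std::vector<std::string>());
}

// Convenience overload: the policy is rewritten to |expected_csp| with no
// warnings.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp) {
  return CheckSanitizeCSP(policy, options, expected_csp,
                          std::vector<std::string>());
}

// Convenience overloads: the policy is rewritten to |expected_csp| and one to
// three warnings are expected, in the order the sanitizer emits them.
testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1) {
  std::vector<std::string> expected_warnings(1, warning1);
  return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
}

testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1,
                                          const std::string& warning2) {
  std::vector<std::string> expected_warnings(1, warning1);
  expected_warnings.push_back(warning2);
  return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
}

testing::AssertionResult CheckSanitizeCSP(const std::string& policy,
                                          int options,
                                          const std::string& expected_csp,
                                          const std::string& warning1,
                                          const std::string& warning2,
                                          const std::string& warning3) {
  std::vector<std::string> expected_warnings(1, warning1);
  expected_warnings.push_back(warning2);
  expected_warnings.push_back(warning3);
  return CheckSanitizeCSP(policy, options, expected_csp, expected_warnings);
}

}  // namespace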
// ContentSecurityPolicyIsLegal() is a purely syntactic check on the manifest
// string; it does not judge whether the policy is secure.
TEST(ExtensionCSPValidator, IsLegal) {
  // Any single-line value free of separator characters is legal, even one
  // that is not a meaningful policy.
  EXPECT_TRUE(ContentSecurityPolicyIsLegal("foo"));
  EXPECT_TRUE(ContentSecurityPolicyIsLegal(
      "default-src 'self'; script-src http://www.google.com"));

  // Line feeds, carriage returns and commas are rejected wherever they
  // appear (presumably because they act as header/policy separators).
  const char* const kIllegalPolicies[] = {
      "default-src 'self';\nscript-src http://www.google.com",
      "default-src 'self';\rscript-src http://www.google.com",
      "default-src 'self';,script-src http://www.google.com",
  };
  const size_t kIllegalCount =
      sizeof(kIllegalPolicies) / sizeof(kIllegalPolicies[0]);
  for (size_t i = 0; i < kIllegalCount; ++i) {
    SCOPED_TRACE(kIllegalPolicies[i]);
    EXPECT_FALSE(ContentSecurityPolicyIsLegal(kIllegalPolicies[i]));
  }
}
// Exercises SanitizeContentSecurityPolicy(): insecure source expressions are
// stripped from the returned policy and each stripped value (or each
// synthesized directive) is reported as an install warning. Each case pins
// both the rewritten policy text and the exact warning list.
TEST(ExtensionCSPValidator, IsSecure) {
  // A policy that does not constrain script-src / object-src gets secure
  // defaults appended, one MissingSecureSrc warning per added directive.
  EXPECT_TRUE(CheckSanitizeCSP(
      std::string(), OPTIONS_ALLOW_UNSAFE_EVAL,
      "script-src 'self' chrome-extension-resource:; object-src 'self';",
      MissingSecureSrcWarning("script-src"),
      MissingSecureSrcWarning("object-src")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "img-src https://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
      "img-src https://google.com; script-src 'self'"
      " chrome-extension-resource:; object-src 'self';",
      MissingSecureSrcWarning("script-src"),
      MissingSecureSrcWarning("object-src")));
  // Unrecognised bare tokens are stripped one by one, each with its own
  // warning; the directive itself is kept (now empty).
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src a b", OPTIONS_ALLOW_UNSAFE_EVAL,
      "script-src; object-src 'self';",
      InsecureValueWarning("script-src", "a"),
      InsecureValueWarning("script-src", "b"),
      MissingSecureSrcWarning("object-src")));

  // default-src alone: wildcard stripped, 'self' / 'none' kept as-is.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src;",
      InsecureValueWarning("default-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'none';", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' ftp://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "ftp://google.com")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));

  // Repeated directives: every occurrence is sanitized, but a warning is
  // only produced when the FIRST occurrence is the insecure one. Presumably
  // because CSP honours the first occurrence and ignores later duplicates,
  // so an insecure later duplicate is harmless -- confirm against
  // csp_validator.cc.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *; default-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src; default-src 'self';",
      InsecureValueWarning("default-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self'; default-src *;", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self'; default-src;"));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self'; default-src *; script-src *; script-src 'self'",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self'; default-src; script-src; script-src 'self';",
      InsecureValueWarning("script-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self'; default-src *; script-src 'self'; script-src *;",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self'; default-src; script-src 'self'; script-src;"));

  // An insecure default-src is always stripped, but it is only *reported*
  // while script-src or object-src would still fall back to it. Once both
  // are explicitly secure, the wildcard is removed silently.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *; script-src 'self'", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src; script-src 'self';",
      InsecureValueWarning("default-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *; script-src 'self'; img-src 'self'",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src; script-src 'self'; img-src 'self';",
      InsecureValueWarning("default-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src *; script-src 'self'; object-src 'self';",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src; script-src 'self'; object-src 'self';"));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL));

  // 'unsafe-eval' is accepted only when the caller opts in via
  // OPTIONS_ALLOW_UNSAFE_EVAL; 'unsafe-inline' is never accepted.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'unsafe-eval';", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'unsafe-eval'", OPTIONS_NONE,
      "default-src;",
      InsecureValueWarning("default-src", "'unsafe-eval'")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'unsafe-inline'", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src;",
      InsecureValueWarning("default-src", "'unsafe-inline'")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'unsafe-inline' 'none'", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'none';",
      InsecureValueWarning("default-src", "'unsafe-inline'")));

  // Host sources: plain http:// is stripped; https://, chrome://,
  // chrome-extension:// and chrome-extension-resource:// with a concrete
  // host are kept.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "http://google.com")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome://resources;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome-extension://aabbcc;",
      OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome-extension-resource://aabbcc;",
      OPTIONS_ALLOW_UNSAFE_EVAL));
  // Scheme-only sources and bare hostnames (no scheme) are rejected, even
  // for https:.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https:")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http:", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "http:")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' google.com", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "google.com")));

  // Wildcard hosts: any form that would match every host, a whole TLD, or a
  // non-leading label (*.*.google.com, www.*.google.com) is rejected,
  // regardless of port or path suffix.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' *", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' *:*", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "*:*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' *:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "*:*/")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' *:*/path", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "*:*/path")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*:*", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://*:*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://*:*/")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*:*/path", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://*:*/path")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.com", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://*.com")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://*.*.google.com/")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.*.google.com:*/", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://*.*.google.com:*/")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://www.*.google.com/", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://www.*.google.com/")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://www.*.google.com:*/",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "https://www.*.google.com:*/")));
  // The same applies to the Chrome-internal schemes: a wildcard or empty
  // host is not a valid source.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome://*", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "chrome://*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome-extension://*", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "chrome-extension://*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' chrome-extension://", OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "chrome-extension://")));

  // A single leading wildcard label under a real domain is fine, with or
  // without a port / wildcard port / trailing slash.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com:1;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com:*;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com:1/;",
      OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.google.com:*/;",
      OPTIONS_ALLOW_UNSAFE_EVAL));

  // Loopback is the one place plain http:// is allowed (any port, host
  // matched case-insensitively and preserved verbatim). A host that merely
  // *starts with* a loopback name -- e.g. localhost.example.com -- must still
  // be rejected; a suffix-only check would be spoofable.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://127.0.0.1;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://localhost;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP("default-src 'self' http://lOcAlHoSt;",
                               OPTIONS_ALLOW_UNSAFE_EVAL,
                               "default-src 'self' http://lOcAlHoSt;"));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://127.0.0.1:9999;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://localhost:8888;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://127.0.0.1.example.com",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "http://127.0.0.1.example.com")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' http://localhost.example.com",
      OPTIONS_ALLOW_UNSAFE_EVAL,
      "default-src 'self';",
      InsecureValueWarning("default-src", "http://localhost.example.com")));

  // blob: and filesystem: are accepted only as bare schemes; a scheme with an
  // embedded origin/URL is rejected.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' blob:;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' blob:http://example.com/XXX",
      OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';",
      InsecureValueWarning("default-src", "blob:http://example.com/XXX")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' filesystem:;", OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' filesystem:http://example.com/XX",
      OPTIONS_ALLOW_UNSAFE_EVAL, "default-src 'self';",
      InsecureValueWarning("default-src", "filesystem:http://example.com/XX")));

  // Google API hosts, wildcarded or concrete.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://*.googleapis.com;",
      OPTIONS_ALLOW_UNSAFE_EVAL));
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src 'self' https://x.googleapis.com;",
      OPTIONS_ALLOW_UNSAFE_EVAL));

  // object-src: a wildcard is stripped by default. With
  // OPTIONS_ALLOW_INSECURE_OBJECT_SRC it is kept ONLY when a plugin-types
  // directive is present and restricts plugins to application/pdf; any
  // plugin-types that admits application/x-shockwave-flash still causes the
  // wildcard to be stripped. The option never relaxes script-src.
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *", OPTIONS_NONE,
      "script-src 'self'; object-src;",
      InsecureValueWarning("object-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *", OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
      "script-src 'self'; object-src;",
      InsecureValueWarning("object-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *; plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *; "
      "plugin-types application/x-shockwave-flash",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
      "script-src 'self'; object-src; "
      "plugin-types application/x-shockwave-flash;",
      InsecureValueWarning("object-src", "*")));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src *; "
      "plugin-types application/x-shockwave-flash application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
      "script-src 'self'; object-src; "
      "plugin-types application/x-shockwave-flash application/pdf;",
      InsecureValueWarning("object-src", "*")));
  // Under the same conditions concrete http:// hosts, wildcard subdomains and
  // blob: are all acceptable object-src values, in any directive order.
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src http://www.example.com; "
      "plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
  EXPECT_TRUE(CheckSanitizeCSP(
      "object-src http://www.example.com blob:; script-src 'self'; "
      "plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src 'self'; object-src http://*.example.com; "
      "plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC));
  EXPECT_TRUE(CheckSanitizeCSP(
      "script-src *; object-src *; plugin-types application/pdf;",
      OPTIONS_ALLOW_INSECURE_OBJECT_SRC,
      "script-src; object-src *; plugin-types application/pdf;",
      InsecureValueWarning("script-src", "*")));

  // Hash sources: sha256 / sha384 / sha512 are accepted without needing
  // OPTIONS_ALLOW_UNSAFE_EVAL. (The literals are split across lines purely
  // for line length; the policy is one string.)
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src; script-src"
      " 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw='"
      " 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcS"
      "t'"
      " 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9Kqw"
      "vCSapSz5CVoUGHQcxv43UQg==';",
      OPTIONS_NONE));

  // Reject non-standard algorithms, even if they are still supported by Blink.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src; script-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=';",
      OPTIONS_NONE, "default-src; script-src;",
      InsecureValueWarning("script-src",
                           "'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw='")));

  // Malformed quoting: the single pair of quotes spans two hashes, so the
  // value tokenizes into "'sha256-...=" and "sha256-...='", neither of which
  // is a well-formed hash source. Both are stripped with their own warning.
  EXPECT_TRUE(CheckSanitizeCSP(
      "default-src; script-src 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZ"
      "wBw= sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=';",
      OPTIONS_NONE, "default-src; script-src;",
      InsecureValueWarning(
          "script-src", "'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw="),
      InsecureValueWarning(
          "script-src",
          "sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='")));
}
// ContentSecurityPolicyIsSandboxed() reports whether a policy sandboxes the
// pages it governs. Each row pairs a policy and manifest type with the
// expected verdict.
TEST(ExtensionCSPValidator, IsSandboxed) {
  struct SandboxCase {
    const char* policy;
    Manifest::Type type;
    bool sandboxed;
  };
  const SandboxCase kCases[] = {
      // A sandbox directive is required; anything else is not sandboxed.
      {"", Manifest::TYPE_EXTENSION, false},
      {"img-src https://google.com", Manifest::TYPE_EXTENSION, false},
      {"sandbox", Manifest::TYPE_EXTENSION, true},
      // Additional sandbox tokens are OK...
      {"sandbox allow-scripts", Manifest::TYPE_EXTENSION, true},
      // ...except for allow-same-origin.
      {"sandbox allow-same-origin", Manifest::TYPE_EXTENSION, false},
      // Additional directives are OK.
      {"sandbox; img-src https://google.com", Manifest::TYPE_EXTENSION, true},
      // Extensions allow navigation, platform apps don't.
      {"sandbox allow-top-navigation", Manifest::TYPE_EXTENSION, true},
      {"sandbox allow-top-navigation", Manifest::TYPE_PLATFORM_APP, false},
      // Popups are OK for both.
      {"sandbox allow-popups", Manifest::TYPE_EXTENSION, true},
      {"sandbox allow-popups", Manifest::TYPE_PLATFORM_APP, true},
  };
  const size_t kCaseCount = sizeof(kCases) / sizeof(kCases[0]);
  for (size_t i = 0; i < kCaseCount; ++i) {
    SCOPED_TRACE(kCases[i].policy);
    EXPECT_EQ(kCases[i].sandboxed,
              ContentSecurityPolicyIsSandboxed(kCases[i].policy,
                                               kCases[i].type));
  }
}