1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "extensions/common/csp_validator.h"
6
7 #include "base/strings/string_split.h"
8 #include "base/strings/string_tokenizer.h"
9 #include "base/strings/string_util.h"
10
11 namespace extensions {
12
13 namespace csp_validator {
14
15 namespace {
16
17 const char kDefaultSrc[] = "default-src";
18 const char kScriptSrc[] = "script-src";
19 const char kObjectSrc[] = "object-src";
20
21 const char kSandboxDirectiveName[] = "sandbox";
22 const char kAllowSameOriginToken[] = "allow-same-origin";
23 const char kAllowTopNavigation[] = "allow-top-navigation";
24
25 struct DirectiveStatus {
DirectiveStatusextensions::csp_validator::__anon5f90354b0111::DirectiveStatus26 explicit DirectiveStatus(const char* name)
27 : directive_name(name)
28 , seen_in_policy(false)
29 , is_secure(false) {
30 }
31
32 const char* directive_name;
33 bool seen_in_policy;
34 bool is_secure;
35 };
36
HasOnlySecureTokens(base::StringTokenizer & tokenizer,Manifest::Type type)37 bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,
38 Manifest::Type type) {
39 while (tokenizer.GetNext()) {
40 std::string source = tokenizer.token();
41 StringToLowerASCII(&source);
42
43 // Don't alow whitelisting of all hosts. This boils down to:
44 // 1. Maximum of 2 '*' characters.
45 // 2. Each '*' is either followed by a '.' or preceded by a ':'
46 int wildcards = 0;
47 size_t length = source.length();
48 for (size_t i = 0; i < length; ++i) {
49 if (source[i] == L'*') {
50 wildcards++;
51 if (wildcards > 2)
52 return false;
53
54 bool isWildcardPort = i > 0 && source[i - 1] == L':';
55 bool isWildcardSubdomain = i + 1 < length && source[i + 1] == L'.';
56 if (!isWildcardPort && !isWildcardSubdomain)
57 return false;
58 }
59 }
60
61 // We might need to relax this whitelist over time.
62 if (source == "'self'" ||
63 source == "'none'" ||
64 source == "http://127.0.0.1" ||
65 LowerCaseEqualsASCII(source, "blob:") ||
66 LowerCaseEqualsASCII(source, "filesystem:") ||
67 LowerCaseEqualsASCII(source, "http://localhost") ||
68 StartsWithASCII(source, "http://127.0.0.1:", false) ||
69 StartsWithASCII(source, "http://localhost:", false) ||
70 StartsWithASCII(source, "https://", true) ||
71 StartsWithASCII(source, "chrome://", true) ||
72 StartsWithASCII(source, "chrome-extension://", true) ||
73 StartsWithASCII(source, "chrome-extension-resource:", true)) {
74 continue;
75 }
76
77 // crbug.com/146487
78 if (type == Manifest::TYPE_EXTENSION ||
79 type == Manifest::TYPE_LEGACY_PACKAGED_APP) {
80 if (source == "'unsafe-eval'")
81 continue;
82 }
83
84 return false;
85 }
86
87 return true; // Empty values default to 'none', which is secure.
88 }
89
90 // Returns true if |directive_name| matches |status.directive_name|.
UpdateStatus(const std::string & directive_name,base::StringTokenizer & tokenizer,DirectiveStatus * status,Manifest::Type type)91 bool UpdateStatus(const std::string& directive_name,
92 base::StringTokenizer& tokenizer,
93 DirectiveStatus* status,
94 Manifest::Type type) {
95 if (status->seen_in_policy)
96 return false;
97 if (directive_name != status->directive_name)
98 return false;
99 status->seen_in_policy = true;
100 status->is_secure = HasOnlySecureTokens(tokenizer, type);
101 return true;
102 }
103
104 } // namespace
105
ContentSecurityPolicyIsLegal(const std::string & policy)106 bool ContentSecurityPolicyIsLegal(const std::string& policy) {
107 // We block these characters to prevent HTTP header injection when
108 // representing the content security policy as an HTTP header.
109 const char kBadChars[] = {',', '\r', '\n', '\0'};
110
111 return policy.find_first_of(kBadChars, 0, arraysize(kBadChars)) ==
112 std::string::npos;
113 }
114
ContentSecurityPolicyIsSecure(const std::string & policy,Manifest::Type type)115 bool ContentSecurityPolicyIsSecure(const std::string& policy,
116 Manifest::Type type) {
117 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
118 std::vector<std::string> directives;
119 base::SplitString(policy, ';', &directives);
120
121 DirectiveStatus default_src_status(kDefaultSrc);
122 DirectiveStatus script_src_status(kScriptSrc);
123 DirectiveStatus object_src_status(kObjectSrc);
124
125 for (size_t i = 0; i < directives.size(); ++i) {
126 std::string& input = directives[i];
127 base::StringTokenizer tokenizer(input, " \t\r\n");
128 if (!tokenizer.GetNext())
129 continue;
130
131 std::string directive_name = tokenizer.token();
132 StringToLowerASCII(&directive_name);
133
134 if (UpdateStatus(directive_name, tokenizer, &default_src_status, type))
135 continue;
136 if (UpdateStatus(directive_name, tokenizer, &script_src_status, type))
137 continue;
138 if (UpdateStatus(directive_name, tokenizer, &object_src_status, type))
139 continue;
140 }
141
142 if (script_src_status.seen_in_policy && !script_src_status.is_secure)
143 return false;
144
145 if (object_src_status.seen_in_policy && !object_src_status.is_secure)
146 return false;
147
148 if (default_src_status.seen_in_policy && !default_src_status.is_secure) {
149 return script_src_status.seen_in_policy &&
150 object_src_status.seen_in_policy;
151 }
152
153 return default_src_status.seen_in_policy ||
154 (script_src_status.seen_in_policy && object_src_status.seen_in_policy);
155 }
156
ContentSecurityPolicyIsSandboxed(const std::string & policy,Manifest::Type type)157 bool ContentSecurityPolicyIsSandboxed(
158 const std::string& policy, Manifest::Type type) {
159 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
160 std::vector<std::string> directives;
161 base::SplitString(policy, ';', &directives);
162
163 bool seen_sandbox = false;
164
165 for (size_t i = 0; i < directives.size(); ++i) {
166 std::string& input = directives[i];
167 base::StringTokenizer tokenizer(input, " \t\r\n");
168 if (!tokenizer.GetNext())
169 continue;
170
171 std::string directive_name = tokenizer.token();
172 StringToLowerASCII(&directive_name);
173
174 if (directive_name != kSandboxDirectiveName)
175 continue;
176
177 seen_sandbox = true;
178
179 while (tokenizer.GetNext()) {
180 std::string token = tokenizer.token();
181 StringToLowerASCII(&token);
182
183 // The same origin token negates the sandboxing.
184 if (token == kAllowSameOriginToken)
185 return false;
186
187 // Platform apps don't allow navigation.
188 if (type == Manifest::TYPE_PLATFORM_APP) {
189 if (token == kAllowTopNavigation)
190 return false;
191 }
192 }
193 }
194
195 return seen_sandbox;
196 }
197
198 } // csp_validator
199
200 } // extensions
201