Chromium Code Reviews Chromium Code Reviews
Issue 10823074:
Adding `chrome-extension` resources to the CSP relaxation documentation. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 <div id="pageData-name" class="pageData">Content Security Policy (CSP)</div> | 1 <div id="pageData-name" class="pageData">Content Security Policy (CSP)</div> |
| 2 <div id="pageData-showTOC" class="pageData">true</div> | 2 <div id="pageData-showTOC" class="pageData">true</div> |
| 3 | 3 |
| 4 <p> | 4 <p> |
| 5 In order to mitigate a large class of potental cross-site scripting issues, | 5 In order to mitigate a large class of potental cross-site scripting issues, |
| 6 Chrome's extension system has incorporated the general concept of | 6 Chrome's extension system has incorporated the general concept of |
| 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html"> | 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html"> |
| 8 <strong>Content Security Policy (CSP)</strong> | 8 <strong>Content Security Policy (CSP)</strong> |
| 9 </a>. This introduces some fairly strict policies that will make extensions | 9 </a>. This introduces some fairly strict policies that will make extensions |
| 10 more secure by default, and provides you with the ability to create and | 10 more secure by default, and provides you with the ability to create and |
| (...skipping 207 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 218 | 218 |
| 219 <p> | 219 <p> |
| 220 There is no mechanism for relaxing the restriction against executing inline | 220 There is no mechanism for relaxing the restriction against executing inline |
| 221 JavaScript. In particular, setting a script policy that includes | 221 JavaScript. In particular, setting a script policy that includes |
| 222 <code>unsafe-inline</code> will have no effect. This is intentional. | 222 <code>unsafe-inline</code> will have no effect. This is intentional. |
| 223 </p> | 223 </p> |
| 224 | 224 |
| 225 <p> | 225 <p> |
| 226 If, on the other hand, you have a need for some external JavaScript or object | 226 If, on the other hand, you have a need for some external JavaScript or object |
| 227 resources, you can relax the policy to a limited extent by whitelisting | 227 resources, you can relax the policy to a limited extent by whitelisting |
| 228 specific HTTPS origins from which scripts should be accepted. Whitelisting | 228 secure origins from which scripts should be accepted. We want to ensure that |
| 229 insecure HTTP resources will have no effect. This is intentional, because | 229 executable resources loaded with an extension's elevated permissions are |
| 230 we want to ensure that executable resources loaded with an extension's | 230 exactly the resources you expect, and haven't been replaced by an active |
| 231 elevated permissions is exactly the resource you expect, and hasn't been | 231 network attacker. As <a |
| 232 replaced by an active network attacker. As <a | |
| 233 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle | 232 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle |
| 234 attacks</a> are both trivial and undetectable over HTTP, only HTTPS origins | 233 attacks</a> are both trivial and undetectable over HTTP, those origins will |
| 235 will be accepted. | 234 not be accepted. <code>HTTPS</code>, on the other hand, secures the resources' |
|
Aaron Boodman
2012/07/30 08:45:11
I think it would be better to replace the last sen
| |
| 235 transport over the network, so we allow those origins in a relaxed policy. | |
| 236 <code>chrome-extension</code> and <code>chrome-extension-resource</code> | |
| 237 resources never touch the network, so they're allowed as well. | |
| 236 </p> | 238 </p> |
| 237 | 239 |
| 238 <p> | 240 <p> |
| 239 A relaxed policy definition which allows script resources to be loaded from | 241 A relaxed policy definition which allows script resources to be loaded from |
| 240 <code>example.com</code> over HTTPS might look like: | 242 <code>example.com</code> over HTTPS might look like: |
| 241 </p> | 243 </p> |
| 242 | 244 |
| 243 <pre>{ | 245 <pre>{ |
| 244 ..., | 246 ..., |
| 245 "content_security_policy": "script-src 'self' https://example.com; object-src 'self'", | 247 "content_security_policy": "script-src 'self' https://example.com; object-src 'self'", |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 264 | 266 |
| 265 <p> | 267 <p> |
| 266 You may, of course, tighten this policy to whatever extent your extension | 268 You may, of course, tighten this policy to whatever extent your extension |
| 267 allows in order to increase security at the expense of convenience. To specify | 269 allows in order to increase security at the expense of convenience. To specify |
| 268 that your extension can only load resources of <em>any</em> type (images, etc) | 270 that your extension can only load resources of <em>any</em> type (images, etc) |
| 269 from its own package, for example, a policy of <code>default-src 'self'</code> | 271 from its own package, for example, a policy of <code>default-src 'self'</code> |
| 270 would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample | 272 would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample |
| 271 extension is a good example of an extension that's been locked down above and | 273 extension is a good example of an extension that's been locked down above and |
| 272 beyond the defaults. | 274 beyond the defaults. |
| 273 </p> | 275 </p> |
| OLD | NEW |
