| OLD | NEW |
| 1 <h1>Content Security Policy (CSP)</h1> | 1 <h1>Content Security Policy (CSP)</h1> |
| 2 | 2 |
| 3 | 3 |
| 4 <p> | 4 <p> |
| 5 In order to mitigate a large class of potental cross-site scripting issues, | 5 In order to mitigate a large class of potental cross-site scripting issues, |
| 6 Chrome's extension system has incorporated the general concept of | 6 Chrome's extension system has incorporated the general concept of |
| 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html"> | 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html"> |
| 8 <strong>Content Security Policy (CSP)</strong> | 8 <strong>Content Security Policy (CSP)</strong> |
| 9 </a>. This introduces some fairly strict policies that will make extensions | 9 </a>. This introduces some fairly strict policies that will make extensions |
| 10 more secure by default, and provides you with the ability to create and | 10 more secure by default, and provides you with the ability to create and |
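Review bot: drive-by nit on the unchanged context at line 5, "potental" should read "potential"; not part of this change, but worth fixing while the file is open.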
| (...skipping 302 matching lines...) |
| 313 | 313 |
| 314 <h3 id="relaxing-eval">Evaluated JavaScript</h3> | 314 <h3 id="relaxing-eval">Evaluated JavaScript</h3> |
| 315 | 315 |
| 316 <p> | 316 <p> |
| 317 The policy against <code>eval()</code> and its relatives like | 317 The policy against <code>eval()</code> and its relatives like |
| 318 <code>setTimeout(String)</code>, <code>setInterval(String)</code>, and | 318 <code>setTimeout(String)</code>, <code>setInterval(String)</code>, and |
| 319 <code>new Function(String)</code> can be relaxed by adding | 319 <code>new Function(String)</code> can be relaxed by adding |
| 320 <code>'unsafe-eval'</code> to your policy: | 320 <code>'unsafe-eval'</code> to your policy: |
| 321 </p> | 321 </p> |
| 322 | 322 |
| 323 <pre>"content_security_policy": "script-src 'self' 'unsafe-eval'"</pre> | 323 <pre>"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'se
lf'"</pre> |
| 324 | 324 |
| 325 <p> | 325 <p> |
| 326 However, we strongly recommend against doing this. These functions are | 326 However, we strongly recommend against doing this. These functions are |
| 327 notorious XSS attack vectors. | 327 notorious XSS attack vectors. |
| 328 </p> | 328 </p> |
| 329 | 329 |
| 330 <h2 id="tightening">Tightening the default policy</h2> | 330 <h2 id="tightening">Tightening the default policy</h2> |
| 331 | 331 |
| 332 <p> | 332 <p> |
| 333 You may, of course, tighten this policy to whatever extent your extension | 333 You may, of course, tighten this policy to whatever extent your extension |
| 334 allows in order to increase security at the expense of convenience. To specify | 334 allows in order to increase security at the expense of convenience. To specify |
| 335 that your extension can only load resources of <em>any</em> type (images, etc) | 335 that your extension can only load resources of <em>any</em> type (images, etc) |
| 336 from its own package, for example, a policy of <code>default-src 'self'</code> | 336 from its own package, for example, a policy of <code>default-src 'self'</code> |
| 337 would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample | 337 would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample |
| 338 extension is a good example of an extension that's been locked down above and | 338 extension is a good example of an extension that's been locked down above and |
| 339 beyond the defaults. | 339 beyond the defaults. |
| 340 </p> | 340 </p> |
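Review bot: the prose at lines 317-320 only explains the `script-src` relaxation, so a reader has no hint why `object-src 'self'` now appears in the example at line 323; add a sentence after the `<pre>` (or in the lead-in paragraph) saying that the `object-src` restriction is kept as-is and only the script-src portion is being relaxed, so nobody copies the example and then drops `object-src` thinking it is incidental. The example itself is otherwise consistent with the `default-src 'self'` guidance at line 336.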