OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | |
6 #define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | |
7 #pragma once | |
8 | |
9 #include <string> | |
10 | |
11 namespace extension_csp_validator { | |
Aaron Boodman
2011/12/02 05:51:42
We're working on introducing a new 'extensions' na
Aaron Boodman
2011/12/02 05:52:20
Sorry, I meant to change this to be more assertive
| |
12 | |
13 // Checks whether the given |policy| is legal for use in the extension system. | |
14 // This check just ensures that the policy doesn't contain any characters that | |
15 // will cause problems when we transmit the policy in an HTTP header. | |
16 bool ContentSecurityPolicyIsLegal(const std::string& policy); | |
17 | |
18 // Checks whether the given |policy| meets the minimum security requirements | |
19 // for use in the extension system. The philosophy behind our minimum | |
20 // requirements is that an XSS vulnerability in the extension should not be | |
21 // able to execute script, even in the precense of an active network attacker. | |
22 // Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is | |
23 // script or object inclusion from insecure schemes. Also, the use of * is | |
24 // forbidden for scripts and objects. | |
25 bool ContentSecurityPolicyIsSecure(const std::string& policy); | |
26 | |
27 }; | |
28 | |
29 #endif // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | |
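Review bot: The comment above ContentSecurityPolicyIsSecure (new lines 18-24) lists what is forbidden but does not say how a policy that omits the script or object directives is judged. In CSP an absent directive places no restriction, so an empty policy contains none of the forbidden tokens and could pass a check that only looks for them. The implementation is not visible on this page, so this is a documentation request: state the contract in the header, for example `// A policy that does not restrict both script and object sources (directly or through a default directive) is not considered secure.`, and confirm the .cc enforces it. In the same comment `precense` should read `presence`. The namespace is closed with `};` on line 27, and `}  // namespace extension_csp_validator` would drop the stray semicolon and label the brace.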