Chromium Code Reviews

| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | |
| 6 #define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | |
| 7 #pragma once | |
| 8 | |
| 9 #include <string> | |
| 10 | |
| 11 namespace extension_csp_validator { | |

Aaron Boodman
2011/12/02 05:51:42
We're working on introducing a new 'extensions' na

Aaron Boodman
2011/12/02 05:52:20
Sorry, I meant to change this to be more assertive

| 12 | |
| 13 // Checks whether the given |policy| is legal for use in the extension system. | |
| 14 // This check just ensures that the policy doesn't contain any characters that | |
| 15 // will cause problems when we transmit the policy in an HTTP header. | |
| 16 bool ContentSecurityPolicyIsLegal(const std::string& policy); | |
| 17 | |
| 18 // Checks whether the given |policy| meets the minimum security requirements | |
| 19 // for use in the extension system. The philosophy behind our minimum | |
| 20 // requirements is that an XSS vulnerability in the extension should not be | |
| 21 // able to execute script, even in the precense of an active network attacker. | |
| 22 // Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is | |
| 23 // script or object inclusion from insecure schemes. Also, the use of * is | |
| 24 // forbidden for scripts and objects. | |
| 25 bool ContentSecurityPolicyIsSecure(const std::string& policy); | |
| 26 | |
| 27 }; | |
| 28 | |
| 29 #endif // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | |
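Review bot: the `};` that closes the `extension_csp_validator` namespace carries a stray semicolon; a namespace closes with a bare brace, and Google/Chromium C++ style wants a trailing comment on it, so this line should read `}  // namespace extension_csp_validator`. While in this header, fix the typo "precense" to "presence" in the `ContentSecurityPolicyIsSecure` comment, and consider having the `ContentSecurityPolicyIsLegal` comment name the characters it rejects (the ones that would break the policy when sent as an HTTP header value) so callers know the contract without reading the implementation.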