OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/common/extensions/extension.h" | 5 #include "chrome/common/extensions/extension.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 | 8 |
9 #include "base/base64.h" | 9 #include "base/base64.h" |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
11 #include "base/command_line.h" | 11 #include "base/command_line.h" |
12 #include "base/file_path.h" | 12 #include "base/file_path.h" |
13 #include "base/file_util.h" | 13 #include "base/file_util.h" |
14 #include "base/i18n/rtl.h" | 14 #include "base/i18n/rtl.h" |
15 #include "base/logging.h" | 15 #include "base/logging.h" |
16 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
17 #include "base/stl_util.h" | 17 #include "base/stl_util.h" |
18 #include "base/string16.h" | 18 #include "base/string16.h" |
19 #include "base/string_number_conversions.h" | 19 #include "base/string_number_conversions.h" |
20 #include "base/string_util.h" | 20 #include "base/string_util.h" |
21 #include "base/utf_string_conversions.h" | 21 #include "base/utf_string_conversions.h" |
22 #include "base/values.h" | 22 #include "base/values.h" |
23 #include "base/version.h" | 23 #include "base/version.h" |
24 #include "crypto/sha2.h" | 24 #include "crypto/sha2.h" |
25 #include "chrome/common/chrome_constants.h" | 25 #include "chrome/common/chrome_constants.h" |
26 #include "chrome/common/chrome_switches.h" | 26 #include "chrome/common/chrome_switches.h" |
27 #include "chrome/common/chrome_version_info.h" | 27 #include "chrome/common/chrome_version_info.h" |
28 #include "chrome/common/extensions/csp_validator.h" | |
28 #include "chrome/common/extensions/extension_action.h" | 29 #include "chrome/common/extensions/extension_action.h" |
29 #include "chrome/common/extensions/extension_constants.h" | 30 #include "chrome/common/extensions/extension_constants.h" |
30 #include "chrome/common/extensions/extension_error_utils.h" | 31 #include "chrome/common/extensions/extension_error_utils.h" |
31 #include "chrome/common/extensions/extension_l10n_util.h" | 32 #include "chrome/common/extensions/extension_l10n_util.h" |
32 #include "chrome/common/extensions/extension_resource.h" | 33 #include "chrome/common/extensions/extension_resource.h" |
33 #include "chrome/common/extensions/extension_sidebar_defaults.h" | 34 #include "chrome/common/extensions/extension_sidebar_defaults.h" |
34 #include "chrome/common/extensions/extension_sidebar_utils.h" | 35 #include "chrome/common/extensions/extension_sidebar_utils.h" |
35 #include "chrome/common/extensions/file_browser_handler.h" | 36 #include "chrome/common/extensions/file_browser_handler.h" |
36 #include "chrome/common/extensions/user_script.h" | 37 #include "chrome/common/extensions/user_script.h" |
37 #include "chrome/common/url_constants.h" | 38 #include "chrome/common/url_constants.h" |
38 #include "googleurl/src/url_util.h" | 39 #include "googleurl/src/url_util.h" |
39 #include "grit/chromium_strings.h" | 40 #include "grit/chromium_strings.h" |
40 #include "grit/generated_resources.h" | 41 #include "grit/generated_resources.h" |
41 #include "grit/theme_resources.h" | 42 #include "grit/theme_resources.h" |
42 #include "net/base/registry_controlled_domain.h" | 43 #include "net/base/registry_controlled_domain.h" |
43 #include "third_party/skia/include/core/SkBitmap.h" | 44 #include "third_party/skia/include/core/SkBitmap.h" |
44 #include "ui/base/l10n/l10n_util.h" | 45 #include "ui/base/l10n/l10n_util.h" |
45 #include "ui/base/resource/resource_bundle.h" | 46 #include "ui/base/resource/resource_bundle.h" |
46 #include "webkit/glue/image_decoder.h" | 47 #include "webkit/glue/image_decoder.h" |
47 #include "webkit/glue/web_intent_service_data.h" | 48 #include "webkit/glue/web_intent_service_data.h" |
48 | 49 |
49 namespace keys = extension_manifest_keys; | 50 namespace keys = extension_manifest_keys; |
50 namespace values = extension_manifest_values; | 51 namespace values = extension_manifest_values; |
51 namespace errors = extension_manifest_errors; | 52 namespace errors = extension_manifest_errors; |
52 | 53 |
54 using extension_csp_validator::ContentSecurityPolicyIsLegal; | |
55 using extension_csp_validator::ContentSecurityPolicyIsSecure; | |
56 | |
53 namespace { | 57 namespace { |
54 | 58 |
55 const int kModernManifestVersion = 1; | 59 const int kModernManifestVersion = 1; |
56 const int kPEMOutputColumns = 65; | 60 const int kPEMOutputColumns = 65; |
57 | 61 |
58 // KEY MARKERS | 62 // KEY MARKERS |
59 const char kKeyBeginHeaderMarker[] = "-----BEGIN"; | 63 const char kKeyBeginHeaderMarker[] = "-----BEGIN"; |
60 const char kKeyBeginFooterMarker[] = "-----END"; | 64 const char kKeyBeginFooterMarker[] = "-----END"; |
61 const char kKeyInfoEndMarker[] = "KEY-----"; | 65 const char kKeyInfoEndMarker[] = "KEY-----"; |
62 const char kPublic[] = "PUBLIC"; | 66 const char kPublic[] = "PUBLIC"; |
(...skipping 2170 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2233 } | 2237 } |
2234 } | 2238 } |
2235 | 2239 |
2236 if (source.HasKey(keys::kContentSecurityPolicy)) { | 2240 if (source.HasKey(keys::kContentSecurityPolicy)) { |
2237 std::string content_security_policy; | 2241 std::string content_security_policy; |
2238 if (!source.GetString(keys::kContentSecurityPolicy, | 2242 if (!source.GetString(keys::kContentSecurityPolicy, |
2239 &content_security_policy)) { | 2243 &content_security_policy)) { |
2240 *error = errors::kInvalidContentSecurityPolicy; | 2244 *error = errors::kInvalidContentSecurityPolicy; |
2241 return false; | 2245 return false; |
2242 } | 2246 } |
2243 // We block these characters to prevent HTTP header injection when | 2247 if (!ContentSecurityPolicyIsLegal(content_security_policy)) { |
2244 // representing the content security policy as an HTTP header. | |
2245 const char kBadCSPCharacters[] = {'\r', '\n', '\0'}; | |
2246 if (content_security_policy.find_first_of(kBadCSPCharacters, 0, | |
2247 arraysize(kBadCSPCharacters)) != | |
2248 std::string::npos) { | |
2249 *error = errors::kInvalidContentSecurityPolicy; | 2248 *error = errors::kInvalidContentSecurityPolicy; |
2250 return false; | 2249 return false; |
2251 } | 2250 } |
2251 if (manifest_version_ >= 2 && | |
2252 !ContentSecurityPolicyIsSecure(content_security_policy)) { | |
2253 *error = errors::kInvalidContentSecurityPolicy; | |
2254 return false; | |
2255 } | |
2256 | |
2252 content_security_policy_ = content_security_policy; | 2257 content_security_policy_ = content_security_policy; |
2253 } else if (manifest_version_ >= 2) { | 2258 } else if (manifest_version_ >= 2) { |
2254 // Manifest version 2 introduced a default Content-Security-Policy. | 2259 // Manifest version 2 introduced a default Content-Security-Policy. |
2255 // TODO(abarth): Should we continue to let extensions override the | 2260 // TODO(abarth): Should we continue to let extensions override the |
2256 // default Content-Security-Policy? | 2261 // default Content-Security-Policy? |
2257 content_security_policy_ = kDefaultContentSecurityPolicy; | 2262 content_security_policy_ = kDefaultContentSecurityPolicy; |
2263 DCHECK(ContentSecurityPolicyIsSecure(content_security_policy_)); | |
Aaron Boodman
2011/12/02 05:51:42
The extension system prefers CHECK to DCHECK.
| |
2258 } | 2264 } |
2259 | 2265 |
2260 // Initialize devtools page url (optional). | 2266 // Initialize devtools page url (optional). |
2261 if (source.HasKey(keys::kDevToolsPage)) { | 2267 if (source.HasKey(keys::kDevToolsPage)) { |
2262 std::string devtools_str; | 2268 std::string devtools_str; |
2263 if (!source.GetString(keys::kDevToolsPage, &devtools_str)) { | 2269 if (!source.GetString(keys::kDevToolsPage, &devtools_str)) { |
2264 *error = errors::kInvalidDevToolsPage; | 2270 *error = errors::kInvalidDevToolsPage; |
2265 return false; | 2271 return false; |
2266 } | 2272 } |
2267 if (!api_permissions.count(ExtensionAPIPermission::kExperimental)) { | 2273 if (!api_permissions.count(ExtensionAPIPermission::kExperimental)) { |
(...skipping 811 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3079 already_disabled(false), | 3085 already_disabled(false), |
3080 extension(extension) {} | 3086 extension(extension) {} |
3081 | 3087 |
3082 UpdatedExtensionPermissionsInfo::UpdatedExtensionPermissionsInfo( | 3088 UpdatedExtensionPermissionsInfo::UpdatedExtensionPermissionsInfo( |
3083 const Extension* extension, | 3089 const Extension* extension, |
3084 const ExtensionPermissionSet* permissions, | 3090 const ExtensionPermissionSet* permissions, |
3085 Reason reason) | 3091 Reason reason) |
3086 : reason(reason), | 3092 : reason(reason), |
3087 extension(extension), | 3093 extension(extension), |
3088 permissions(permissions) {} | 3094 permissions(permissions) {} |
OLD | NEW |