Allow extenions to override the default content_security_policy, but require

chrome/common/extensions/csp_validator.h

Index: chrome/common/extensions/csp_validator.h
===================================================================
--- chrome/common/extensions/csp_validator.h	(revision 0)
+++ chrome/common/extensions/csp_validator.h	(revision 0)
@@ -0,0 +1,29 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_
+#define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_
+#pragma once
+
+#include <string>
+
+namespace extension_csp_validator {

[Aaron Boodman, 2011/12/02 05:51:42]

We're working on introducing a new 'extensions' namespace. How do you feel about
extensions::csp_validator::Foo()? Too fancy?

[Aaron Boodman, 2011/12/02 05:52:20]

Sorry, I meant to change this to be more assertive before publishing. I think
you should do this.

+
+// Checks whether the given |policy| is legal for use in the extension system.
+// This check just ensures that the policy doesn't contain any characters that
+// will cause problems when we transmit the policy in an HTTP header.
+bool ContentSecurityPolicyIsLegal(const std::string& policy);
+
+// Checks whether the given |policy| meets the minimum security requirements
+// for use in the extension system. The philosophy behind our minimum
+// requirements is that an XSS vulnerability in the extension should not be
+// able to execute script, even in the precense of an active network attacker.
+// Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is
+// script or object inclusion from insecure schemes. Also, the use of * is
+// forbidden for scripts and objects.
+bool ContentSecurityPolicyIsSecure(const std::string& policy);
+
+};
+
+#endif  // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_