chrome/common/extensions/extension.cc - Issue 8773028: Allow extenions to override the default content_security_policy, but require

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/common/extensions/extension.cc

Issue 8773028: Allow extenions to override the default content_security_policy, but require (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: '' Created 9 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chrome/common/extensions/extension.cc

===================================================================

--- chrome/common/extensions/extension.cc (revision 112565)

+++ chrome/common/extensions/extension.cc (working copy)

@@ -25,6 +25,7 @@

#include "chrome/common/chrome_constants.h"

#include "chrome/common/chrome_switches.h"

#include "chrome/common/chrome_version_info.h"

+#include "chrome/common/extensions/csp_validator.h"

#include "chrome/common/extensions/extension_action.h"

#include "chrome/common/extensions/extension_constants.h"

#include "chrome/common/extensions/extension_error_utils.h"

@@ -50,6 +51,9 @@

namespace values = extension_manifest_values;

namespace errors = extension_manifest_errors;

+using extension_csp_validator::ContentSecurityPolicyIsLegal;

+using extension_csp_validator::ContentSecurityPolicyIsSecure;

namespace {

const int kModernManifestVersion = 1;

@@ -2240,21 +2244,23 @@

*error = errors::kInvalidContentSecurityPolicy;

return false;

}

- // We block these characters to prevent HTTP header injection when

- // representing the content security policy as an HTTP header.

- const char kBadCSPCharacters[] = {'\r', '\n', '\0'};

- if (content_security_policy.find_first_of(kBadCSPCharacters, 0,

- arraysize(kBadCSPCharacters)) !=

- std::string::npos) {

+ if (!ContentSecurityPolicyIsLegal(content_security_policy)) {

*error = errors::kInvalidContentSecurityPolicy;

return false;

}

+ if (manifest_version_ >= 2 &&

+ !ContentSecurityPolicyIsSecure(content_security_policy)) {

+ *error = errors::kInvalidContentSecurityPolicy;

+ return false;

+ }

content_security_policy_ = content_security_policy;

} else if (manifest_version_ >= 2) {

// Manifest version 2 introduced a default Content-Security-Policy.

// TODO(abarth): Should we continue to let extensions override the

// default Content-Security-Policy?

content_security_policy_ = kDefaultContentSecurityPolicy;

+ DCHECK(ContentSecurityPolicyIsSecure(content_security_policy_));

Aaron Boodman 2011/12/02 05:51:42 The extension system prefers CHECK to DCHECK.

}

// Initialize devtools page url (optional).

« chrome/common/extensions/csp_validator.cc ('K') | « chrome/common/extensions/csp_validator_unittest.cc ('k') | no next file » | no next file with comments »