Index: chrome/common/extensions/csp_validator.h |
=================================================================== |
--- chrome/common/extensions/csp_validator.h (revision 0) |
+++ chrome/common/extensions/csp_validator.h (revision 0) |
@@ -0,0 +1,33 @@ |
+// Copyright (c) 2011 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ |
+#define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ |
+#pragma once |
+ |
+#include <string> |
+ |
+namespace extensions { |
+ |
+namespace csp_validator { |
+ |
+// Checks whether the given |policy| is legal for use in the extension system. |
+// This check just ensures that the policy doesn't contain any characters that |
+// will cause problems when we transmit the policy in an HTTP header. |
+bool ContentSecurityPolicyIsLegal(const std::string& policy); |
+ |
+// Checks whether the given |policy| meets the minimum security requirements |
+// for use in the extension system. The philosophy behind our minimum |
+// requirements is that an XSS vulnerability in the extension should not be |
+// able to execute script, even in the precense of an active network attacker. |
+// Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is |
+// script or object inclusion from insecure schemes. Also, the use of * is |
+// forbidden for scripts and objects. |
+bool ContentSecurityPolicyIsSecure(const std::string& policy); |
+ |
+} // namespace csp_validator |
+ |
+} // namespace extensions |
+ |
+#endif // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ |