1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "extensions/common/manifest_handlers/csp_info.h" | 5 #include "extensions/common/manifest_handlers/csp_info.h" |
6 | 6 |
7 #include "base/memory/scoped_ptr.h" | 7 #include "base/memory/scoped_ptr.h" |
8 #include "base/strings/string_util.h" | 8 #include "base/strings/string_util.h" |
9 #include "base/strings/utf_string_conversions.h" | 9 #include "base/strings/utf_string_conversions.h" |
10 #include "base/values.h" | 10 #include "base/values.h" |
11 #include "extensions/common/csp_validator.h" | 11 #include "extensions/common/csp_validator.h" |
12 #include "extensions/common/install_warning.h" | 12 #include "extensions/common/install_warning.h" |
13 #include "extensions/common/manifest_constants.h" | 13 #include "extensions/common/manifest_constants.h" |
14 #include "extensions/common/manifest_handlers/sandboxed_page_info.h" | 14 #include "extensions/common/manifest_handlers/sandboxed_page_info.h" |
15 | 15 |
16 namespace extensions { | 16 namespace extensions { |
17 | 17 |
18 namespace keys = manifest_keys; | 18 namespace keys = manifest_keys; |
19 namespace errors = manifest_errors; | 19 namespace errors = manifest_errors; |
20 | 20 |
21 using csp_validator::ContentSecurityPolicyIsLegal; | 21 using csp_validator::ContentSecurityPolicyIsLegal; |
22 using csp_validator::SanitizeContentSecurityPolicy; | 22 using csp_validator::SanitizeContentSecurityPolicy; |
23 | 23 |
24 namespace { | 24 namespace { |
25 | 25 |
26 const char kDefaultContentSecurityPolicy[] = | 26 const char kDefaultContentSecurityPolicy[] = |
27 "script-src 'self' chrome-extension-resource:; object-src 'self';"; | 27 "script-src 'self' blob: filesystem: chrome-extension-resource:; " |
28 "object-src 'self' blob: filesystem:;"; | |
28 | 29 |
29 #define PLATFORM_APP_LOCAL_CSP_SOURCES \ | 30 #define PLATFORM_APP_LOCAL_CSP_SOURCES \ |
30 "'self' data: chrome-extension-resource:" | 31 "'self' blob: filesystem: data: chrome-extension-resource:" |
31 const char kDefaultPlatformAppContentSecurityPolicy[] = | 32 const char kDefaultPlatformAppContentSecurityPolicy[] = |
32 // Platform apps can only use local resources by default. | 33 // Platform apps can only use local resources by default. |
33 "default-src 'self' chrome-extension-resource:;" | 34 "default-src 'self' blob: filesystem: chrome-extension-resource:;" |
Finnur
2015/06/16 13:20:01
This sounds like a reasonable approach if blob: an
| |
34 // For remote resources, they can fetch them via XMLHttpRequest. | 35 // For remote resources, they can fetch them via XMLHttpRequest. |
35 " connect-src *;" | 36 " connect-src *;" |
36 // And serve them via data: or same-origin (blob:, filesystem:) URLs | 37 // And serve them via data: or same-origin (blob:, filesystem:) URLs |
37 " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';" | 38 " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES |
38 " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | 39 " 'unsafe-inline';" |
39 " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | 40 " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES |
40 " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | 41 ";" |
42 " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES | |
43 ";" | |
44 " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES | |
45 ";" | |
Mike West
2015/06/16 13:04:47
This is all `git cl format`. Sorry. :/
Finnur
2015/06/16 13:20:01
Hmm... Looks less readable and therefore more erro
| |
41 // Media can be loaded from remote resources since: | 46 // Media can be loaded from remote resources since: |
42 // 1. <video> and <audio> have good fallback behavior when offline or under | 47 // 1. <video> and <audio> have good fallback behavior when offline or under |
43 // spotty connectivity. | 48 // spotty connectivity. |
44 // 2. Fetching via XHR and serving via blob: URLs currently does not allow | 49 // 2. Fetching via XHR and serving via blob: URLs currently does not allow |
45 // streaming or partial buffering. | 50 // streaming or partial buffering. |
46 " media-src *;"; | 51 " media-src *;"; |
47 | 52 |
48 int GetValidatorOptions(Extension* extension) { | 53 int GetValidatorOptions(Extension* extension) { |
49 int options = csp_validator::OPTIONS_NONE; | 54 int options = csp_validator::OPTIONS_NONE; |
50 | 55 |
151 type == Manifest::TYPE_LEGACY_PACKAGED_APP; | 156 type == Manifest::TYPE_LEGACY_PACKAGED_APP; |
152 } | 157 } |
153 | 158 |
154 const std::vector<std::string> CSPHandler::Keys() const { | 159 const std::vector<std::string> CSPHandler::Keys() const { |
155 const std::string& key = is_platform_app_ ? | 160 const std::string& key = is_platform_app_ ? |
156 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy; | 161 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy; |
157 return SingleKey(key); | 162 return SingleKey(key); |
158 } | 163 } |
159 | 164 |
160 } // namespace extensions | 165 } // namespace extensions |
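Review bot: The new `kDefaultContentSecurityPolicy` (new lines 27-28) adds `blob:` and `filesystem:` to `script-src` with no comment, although this widens what the default policy lets an extension execute: blob: and filesystem: URLs are same-origin to the extension and can only be minted by its own code, but that code can mint them from bytes fetched over the network, so the previous default's property that every executed script ships in the package no longer holds, assuming I read the CSP semantics correctly. The platform-app constant below already explains its blob:/filesystem: sources ("same-origin (blob:, filesystem:) URLs"), so the extension constant should say why the same trade-off is acceptable there too. I would add above new line 27: `// blob: and filesystem: URLs are same-origin to the extension and can only be created by its own code; allowing them in script-src lets that code run script it assembled at runtime (including from fetched data), which is a deliberate relaxation of the package-only default.` The surrounding anonymous namespace continues past the skipped lines, so I cannot see whether anything later depends on the old, stricter default.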