Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(150)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: extensions/common/manifest_handlers/csp_info.cc

Issue 1184353002: Explicitly whitelist 'blob:' and 'filesystem:' in extensions' default CSP. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Test. Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « chrome/common/extensions/manifest_tests/extension_manifests_sandboxed_unittest.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "extensions/common/manifest_handlers/csp_info.h" 5 #include "extensions/common/manifest_handlers/csp_info.h"
6 6
7 #include "base/memory/scoped_ptr.h" 7 #include "base/memory/scoped_ptr.h"
8 #include "base/strings/string_util.h" 8 #include "base/strings/string_util.h"
9 #include "base/strings/utf_string_conversions.h" 9 #include "base/strings/utf_string_conversions.h"
10 #include "base/values.h" 10 #include "base/values.h"
11 #include "extensions/common/csp_validator.h" 11 #include "extensions/common/csp_validator.h"
12 #include "extensions/common/install_warning.h" 12 #include "extensions/common/install_warning.h"
13 #include "extensions/common/manifest_constants.h" 13 #include "extensions/common/manifest_constants.h"
14 #include "extensions/common/manifest_handlers/sandboxed_page_info.h" 14 #include "extensions/common/manifest_handlers/sandboxed_page_info.h"
15 15
16 namespace extensions { 16 namespace extensions {
17 17
18 namespace keys = manifest_keys; 18 namespace keys = manifest_keys;
19 namespace errors = manifest_errors; 19 namespace errors = manifest_errors;
20 20
21 using csp_validator::ContentSecurityPolicyIsLegal; 21 using csp_validator::ContentSecurityPolicyIsLegal;
22 using csp_validator::SanitizeContentSecurityPolicy; 22 using csp_validator::SanitizeContentSecurityPolicy;
23 23
24 namespace { 24 namespace {
25 25
26 const char kDefaultContentSecurityPolicy[] = 26 const char kDefaultContentSecurityPolicy[] =
27 "script-src 'self' chrome-extension-resource:; object-src 'self';"; 27 "script-src 'self' blob: filesystem: chrome-extension-resource:; "
28 "object-src 'self' blob: filesystem:;";
28 29
29 #define PLATFORM_APP_LOCAL_CSP_SOURCES \ 30 #define PLATFORM_APP_LOCAL_CSP_SOURCES \
30 "'self' data: chrome-extension-resource:" 31 "'self' blob: filesystem: data: chrome-extension-resource:"
32
31 const char kDefaultPlatformAppContentSecurityPolicy[] = 33 const char kDefaultPlatformAppContentSecurityPolicy[] =
32 // Platform apps can only use local resources by default. 34 // Platform apps can only use local resources by default.
33 "default-src 'self' chrome-extension-resource:;" 35 "default-src 'self' blob: filesystem: chrome-extension-resource:;"
34 // For remote resources, they can fetch them via XMLHttpRequest. 36 // For remote resources, they can fetch them via XMLHttpRequest.
35 " connect-src *;" 37 " connect-src *;"
36 // And serve them via data: or same-origin (blob:, filesystem:) URLs 38 // And serve them via data: or same-origin (blob:, filesystem:) URLs
37 " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';" 39 " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';"
38 " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 40 " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
39 " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 41 " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
40 " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 42 " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
41 // Media can be loaded from remote resources since: 43 // Media can be loaded from remote resources since:
42 // 1. <video> and <audio> have good fallback behavior when offline or under 44 // 1. <video> and <audio> have good fallback behavior when offline or under
43 // spotty connectivity. 45 // spotty connectivity.
(...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after
151 type == Manifest::TYPE_LEGACY_PACKAGED_APP; 153 type == Manifest::TYPE_LEGACY_PACKAGED_APP;
152 } 154 }
153 155
154 const std::vector<std::string> CSPHandler::Keys() const { 156 const std::vector<std::string> CSPHandler::Keys() const {
155 const std::string& key = is_platform_app_ ? 157 const std::string& key = is_platform_app_ ?
156 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy; 158 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy;
157 return SingleKey(key); 159 return SingleKey(key);
158 } 160 }
159 161
160 } // namespace extensions 162 } // namespace extensions
OLDNEW
« no previous file with comments | « chrome/common/extensions/manifest_tests/extension_manifests_sandboxed_unittest.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698