| OLD | NEW |
| 1 <h1>Content Security Policy</h1> | 1 <h1>Content Security Policy</h1> |
| 2 | 2 |
| 3 | 3 |
| 4 <p> | 4 <p> |
| 5 If you're not familiar with Content Security Policy (CSP), | 5 If you're not familiar with Content Security Policy (CSP), |
| 6 <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy
/">An Introduction to Content Security Policy</a> | 6 <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy
/">An Introduction to Content Security Policy</a> |
| 7 is a good starting point. | 7 is a good starting point. |
| 8 That document covers the broader web platform view of CSP; | 8 That document covers the broader web platform view of CSP; |
| 9 Chrome App CSP isn't as flexible. | 9 Chrome App CSP isn't as flexible. |
| 10 You should also read the | 10 You should also read the |
| (...skipping 33 matching lines...) |
| 44 (except for video and audio resources). | 44 (except for video and audio resources). |
| 45 You can’t embed external resources in an iframe.</li> | 45 You can’t embed external resources in an iframe.</li> |
| 46 <li>You can’t use string-to-JavaScript methods like | 46 <li>You can’t use string-to-JavaScript methods like |
| 47 <code>eval()</code> and <code>new Function()</code>.</li> | 47 <code>eval()</code> and <code>new Function()</code>.</li> |
| 48 </ul> | 48 </ul> |
| 49 | 49 |
| 50 <p>This is implemented via the following policy value:</p> | 50 <p>This is implemented via the following policy value:</p> |
| 51 | 51 |
| 52 <pre> | 52 <pre> |
| 53 default-src 'self'; | 53 default-src 'self'; |
| 54 connect-src *; | 54 connect-src * data: blob: filesystem:; |
| 55 style-src 'self' data: chrome-extension-resource: 'unsafe-inline'; | 55 style-src 'self' data: chrome-extension-resource: 'unsafe-inline'; |
| 56 img-src 'self' data: chrome-extension-resource:; | 56 img-src 'self' data: chrome-extension-resource:; |
| 57 frame-src 'self' data: chrome-extension-resource:; | 57 frame-src 'self' data: chrome-extension-resource:; |
| 58 font-src 'self' data: chrome-extension-resource:; | 58 font-src 'self' data: chrome-extension-resource:; |
| 59 media-src *; | 59 media-src * data: blob: filesystem:; |
| 60 </pre> | 60 </pre> |
| 61 | 61 |
| 62 <p> | 62 <p> |
| 63 Your Chrome App can only refer to scripts and objects | 63 Your Chrome App can only refer to scripts and objects |
| 64 within your app, with the exception of media files | 64 within your app, with the exception of media files |
| 65 (apps can refer to video and audio outside the package). | 65 (apps can refer to video and audio outside the package). |
| 66 Chrome extensions will let you relax the default Content Security Policy; | 66 Chrome extensions will let you relax the default Content Security Policy; |
| 67 Chrome Apps won’t. | 67 Chrome Apps won’t. |
| 68 </p> | 68 </p> |
| 69 | 69 |
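Review bot: the explanatory prose in this hunk no longer matches the policy it describes. Lines 54 and 59 add `data: blob: filesystem:` to `connect-src` and `media-src`, which is the right change because the `*` source expression in CSP does not match those three schemes, so `connect-src *` alone would still block an XHR to a blob: URL; but the paragraph at lines 63-67 still says an app can only refer to resources within the package "with the exception of media files", and the restriction list ending at lines 44-47 does not mention the new schemes either. Suggest adding a sentence after line 65 along the lines of "Apps can also connect to and play media from data:, blob: and filesystem: URLs, for example blob URLs created with URL.createObjectURL from data the app already holds", and a short note that the schemes are listed explicitly because the `*` wildcard excludes them, so a later edit does not "simplify" them away. These schemes are same-origin by construction (or inline data the app itself supplied), so the relaxation does not widen the remote-origin surface the surrounding text warns about, and it would be worth saying so.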
| (...skipping 47 matching lines...) |
| 117 | 117 |
| 118 <h3 id="embed_content">Embed web content</h3> | 118 <h3 id="embed_content">Embed web content</h3> |
| 119 | 119 |
| 120 <p> | 120 <p> |
| 121 Instead of using an iframe, | 121 Instead of using an iframe, |
| 122 you can call out to an external URL using a webview tag | 122 you can call out to an external URL using a webview tag |
| 123 (see <a href="app_external#webview">Embed external web pages</a>). | 123 (see <a href="app_external#webview">Embed external web pages</a>). |
| 124 </p> | 124 </p> |
| 125 | 125 |
| 126 <p class="backtotop"><a href="#top">Back to top</a></p> | 126 <p class="backtotop"><a href="#top">Back to top</a></p> |