Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(197)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: extensions/common/manifest_handlers/csp_info.cc

Issue 1361763005: Disallow CSP source * matching of data:, blob:, and filesystem: URLs (Closed) Base URL: https://chromium.googlesource.com/chromium/src@master
Patch Set: Better extensions fix Created 5 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « chrome/common/extensions/docs/templates/articles/offline_apps.html ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "extensions/common/manifest_handlers/csp_info.h" 5 #include "extensions/common/manifest_handlers/csp_info.h"
6 6
7 #include "base/memory/scoped_ptr.h" 7 #include "base/memory/scoped_ptr.h"
8 #include "base/strings/string_util.h" 8 #include "base/strings/string_util.h"
9 #include "base/strings/utf_string_conversions.h" 9 #include "base/strings/utf_string_conversions.h"
10 #include "base/values.h" 10 #include "base/values.h"
(...skipping 16 matching lines...) Expand all
27 "script-src 'self' blob: filesystem: chrome-extension-resource:; " 27 "script-src 'self' blob: filesystem: chrome-extension-resource:; "
28 "object-src 'self' blob: filesystem:;"; 28 "object-src 'self' blob: filesystem:;";
29 29
30 #define PLATFORM_APP_LOCAL_CSP_SOURCES \ 30 #define PLATFORM_APP_LOCAL_CSP_SOURCES \
31 "'self' blob: filesystem: data: chrome-extension-resource:" 31 "'self' blob: filesystem: data: chrome-extension-resource:"
32 32
33 const char kDefaultPlatformAppContentSecurityPolicy[] = 33 const char kDefaultPlatformAppContentSecurityPolicy[] =
34 // Platform apps can only use local resources by default. 34 // Platform apps can only use local resources by default.
35 "default-src 'self' blob: filesystem: chrome-extension-resource:;" 35 "default-src 'self' blob: filesystem: chrome-extension-resource:;"
36 // For remote resources, they can fetch them via XMLHttpRequest. 36 // For remote resources, they can fetch them via XMLHttpRequest.
37 " connect-src *;" 37 " connect-src * data: blob: filesystem:;"
38 // And serve them via data: or same-origin (blob:, filesystem:) URLs 38 // And serve them via data: or same-origin (blob:, filesystem:) URLs
39 " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';" 39 " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';"
40 " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 40 " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
41 " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 41 " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
42 " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 42 " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
43 // Media can be loaded from remote resources since: 43 // Media can be loaded from remote resources since:
44 // 1. <video> and <audio> have good fallback behavior when offline or under 44 // 1. <video> and <audio> have good fallback behavior when offline or under
45 // spotty connectivity. 45 // spotty connectivity.
46 // 2. Fetching via XHR and serving via blob: URLs currently does not allow 46 // 2. Fetching via XHR and serving via blob: URLs currently does not allow
47 // streaming or partial buffering. 47 // streaming or partial buffering.
48 " media-src *;"; 48 " media-src * data: blob: filesystem:;";
49 49
50 int GetValidatorOptions(Extension* extension) { 50 int GetValidatorOptions(Extension* extension) {
51 int options = csp_validator::OPTIONS_NONE; 51 int options = csp_validator::OPTIONS_NONE;
52 52
53 // crbug.com/146487 53 // crbug.com/146487
54 if (extension->GetType() == Manifest::TYPE_EXTENSION || 54 if (extension->GetType() == Manifest::TYPE_EXTENSION ||
55 extension->GetType() == Manifest::TYPE_LEGACY_PACKAGED_APP) { 55 extension->GetType() == Manifest::TYPE_LEGACY_PACKAGED_APP) {
56 options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; 56 options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
57 } 57 }
58 58
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after
153 type == Manifest::TYPE_LEGACY_PACKAGED_APP; 153 type == Manifest::TYPE_LEGACY_PACKAGED_APP;
154 } 154 }
155 155
156 const std::vector<std::string> CSPHandler::Keys() const { 156 const std::vector<std::string> CSPHandler::Keys() const {
157 const std::string& key = is_platform_app_ ? 157 const std::string& key = is_platform_app_ ?
158 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy; 158 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy;
159 return SingleKey(key); 159 return SingleKey(key);
160 } 160 }
161 161
162 } // namespace extensions 162 } // namespace extensions
OLDNEW
« no previous file with comments | « chrome/common/extensions/docs/templates/articles/offline_apps.html ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698