Restrict app sandbox's CSP to disallow loading web content in them.

extensions/common/manifest_handlers/sandboxed_page_info.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/common/manifest_handlers/sandboxed_page_info.h"
 
 #include <stddef.h>
 
 #include <memory>
 
 #include "base/lazy_instance.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "extensions/common/csp_validator.h"
 #include "extensions/common/error_utils.h"
 #include "extensions/common/manifest_constants.h"
 #include "extensions/common/url_pattern.h"
 
 namespace extensions {
 
 namespace {
 
 namespace keys = extensions::manifest_keys;
 namespace errors = manifest_errors;
 
 const char kDefaultSandboxedPageContentSecurityPolicy[] =
-    "sandbox allow-scripts allow-forms allow-popups allow-modals";
+    "sandbox allow-scripts allow-forms allow-popups allow-modals; "
+    "script-src 'self'; child-src 'self';";
 
 static base::LazyInstance<SandboxedPageInfo> g_empty_sandboxed_info =
     LAZY_INSTANCE_INITIALIZER;
 
 const SandboxedPageInfo& GetSandboxedPageInfo(const Extension* extension) {
   SandboxedPageInfo* info = static_cast<SandboxedPageInfo*>(
       extension->GetManifestData(keys::kSandboxedPages));
   return info ? *info : g_empty_sandboxed_info.Get();
 }
 
@@ skipping 47 matching lines @@
           errors::kInvalidURLPatternError, extension->url().spec());
       return false;
     }
     while (relative_path[0] == '/')
       relative_path = relative_path.substr(1, relative_path.length() - 1);
     pattern.SetPath(pattern.path() + relative_path);
     sandboxed_info->pages.AddPattern(pattern);
   }
 
   if (extension->manifest()->HasPath(keys::kSandboxedPagesCSP)) {
-    if (!extension->manifest()->GetString(
-            keys::kSandboxedPagesCSP,
-            &sandboxed_info->content_security_policy)) {
+    std::string content_security_policy;
+    if (!extension->manifest()->GetString(keys::kSandboxedPagesCSP,
+                                          &content_security_policy)) {
       *error = base::ASCIIToUTF16(errors::kInvalidSandboxedPagesCSP);
       return false;
     }
 
-    if (!csp_validator::ContentSecurityPolicyIsLegal(
-            sandboxed_info->content_security_policy) ||
+    if (!csp_validator::ContentSecurityPolicyIsLegal(content_security_policy) ||
         !csp_validator::ContentSecurityPolicyIsSandboxed(
-            sandboxed_info->content_security_policy, extension->GetType())) {
+            content_security_policy, extension->GetType())) {
       *error = base::ASCIIToUTF16(errors::kInvalidSandboxedPagesCSP);
       return false;
     }
+
+    sandboxed_info->content_security_policy =
+        csp_validator::GetEffectiveSandoxedPageCSP(content_security_policy);
   } else {
     sandboxed_info->content_security_policy =
         kDefaultSandboxedPageContentSecurityPolicy;
-    CHECK(csp_validator::ContentSecurityPolicyIsSandboxed(
-        sandboxed_info->content_security_policy, extension->GetType()));
   }
+  CHECK(csp_validator::ContentSecurityPolicyIsSandboxed(
+      sandboxed_info->content_security_policy, extension->GetType()));
 
   extension->SetManifestData(keys::kSandboxedPages, sandboxed_info.release());
   return true;
 }
 
 const std::vector<std::string> SandboxedPageHandler::Keys() const {
   return SingleKey(keys::kSandboxedPages);
 }
 
 }  // namespace extensions