
Unified Diff: extensions/common/manifest_handlers/sandboxed_page_info.cc

Issue 2563843002: Restrict app sandbox's CSP to disallow loading web content in them. (Closed)
Patch Set: sync @tott Created 3 years, 12 months ago
Index: extensions/common/manifest_handlers/sandboxed_page_info.cc
diff --git a/extensions/common/manifest_handlers/sandboxed_page_info.cc b/extensions/common/manifest_handlers/sandboxed_page_info.cc
index d3c82d5fdc12bb7301e9e6ea4c4dc626e4303e41..c8ad586b8ec130e53a8b57fb879f8b8a7ea82a99 100644
--- a/extensions/common/manifest_handlers/sandboxed_page_info.cc
+++ b/extensions/common/manifest_handlers/sandboxed_page_info.cc
@@ -25,7 +25,8 @@ namespace keys = extensions::manifest_keys;
namespace errors = manifest_errors;
const char kDefaultSandboxedPageContentSecurityPolicy[] =
- "sandbox allow-scripts allow-forms allow-popups allow-modals";
+ "sandbox allow-scripts allow-forms allow-popups allow-modals; "
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';";
static base::LazyInstance<SandboxedPageInfo> g_empty_sandboxed_info =
LAZY_INSTANCE_INITIALIZER;
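Review bot: The new value of `kDefaultSandboxedPageContentSecurityPolicy` carries no comment saying why `'unsafe-inline'` and `'unsafe-eval'` are acceptable here or what `script-src 'self'` and `child-src 'self'` are meant to block, so a later edit could relax it without noticing the intent. I would add above the constant something like `// Sandboxed pages get a unique origin and no extension API access, so inline script and eval are allowed; script-src and child-src stay at 'self' so no remote web content can be loaded.` That wording is inferred from the issue title and should be confirmed against the intended threat model. The comment could also say that this string is expected to stay in step with the directives enforced on manifest-supplied policies, since only the `sandbox` part is asserted at parse time.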
@@ -93,26 +94,31 @@ bool SandboxedPageHandler::Parse(Extension* extension, base::string16* error) {
}
if (extension->manifest()->HasPath(keys::kSandboxedPagesCSP)) {
- if (!extension->manifest()->GetString(
- keys::kSandboxedPagesCSP,
- &sandboxed_info->content_security_policy)) {
+ std::string content_security_policy;
+ if (!extension->manifest()->GetString(keys::kSandboxedPagesCSP,
+ &content_security_policy)) {
*error = base::ASCIIToUTF16(errors::kInvalidSandboxedPagesCSP);
return false;
}
- if (!csp_validator::ContentSecurityPolicyIsLegal(
- sandboxed_info->content_security_policy) ||
+ if (!csp_validator::ContentSecurityPolicyIsLegal(content_security_policy) ||
!csp_validator::ContentSecurityPolicyIsSandboxed(
- sandboxed_info->content_security_policy, extension->GetType())) {
+ content_security_policy, extension->GetType())) {
*error = base::ASCIIToUTF16(errors::kInvalidSandboxedPagesCSP);
return false;
}
+
+ std::vector<InstallWarning> warnings;
+ sandboxed_info->content_security_policy =
+ csp_validator::GetEffectiveSandoxedPageCSP(content_security_policy,
+ &warnings);
+ extension->AddInstallWarnings(warnings);
} else {
sandboxed_info->content_security_policy =
kDefaultSandboxedPageContentSecurityPolicy;
- CHECK(csp_validator::ContentSecurityPolicyIsSandboxed(
- sandboxed_info->content_security_policy, extension->GetType()));
}
+ CHECK(csp_validator::ContentSecurityPolicyIsSandboxed(
+ sandboxed_info->content_security_policy, extension->GetType()));
extension->SetManifestData(keys::kSandboxedPages, sandboxed_info.release());
return true;
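Review bot: The `CHECK(csp_validator::ContentSecurityPolicyIsSandboxed(...))` moved below the `if`/`else` now also runs on the string returned by `GetEffectiveSandoxedPageCSP`, which is derived from the extension's manifest rather than from a compiled-in constant. If that rewriting ever produces a policy the sandbox check rejects, a crafted manifest would crash the process instead of failing the install. The helper's body is not in this hunk, so this may be unreachable today, but the manifest branch would be safer re-validating and failing with `*error = base::ASCIIToUTF16(errors::kInvalidSandboxedPagesCSP); return false;`, keeping the `CHECK` for the default branch only. The helper name is spelled "Sandoxed" rather than "Sandboxed", which is worth fixing before more call sites appear. `Parse` starts before this hunk and its closing lines are outside it.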
