Chromium Code Reviews
Side by Side Diff: chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html

Issue 2574763003: Remove chrome-extension-resource:// scheme (Closed)
Patch Set: Remove BUILD reference to resources/extension outdir. Created 4 years ago
1 <h1>Content Security Policy (CSP)</h1> 1 <h1>Content Security Policy (CSP)</h1>
2 2
3 3
4 <p> 4 <p>
5 In order to mitigate a large class of potential cross-site scripting issues, 5 In order to mitigate a large class of potential cross-site scripting issues,
6 Chrome's extension system has incorporated the general concept of 6 Chrome's extension system has incorporated the general concept of
7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html"> 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html">
8 <strong>Content Security Policy (CSP)</strong> 8 <strong>Content Security Policy (CSP)</strong>
9 </a>. This introduces some fairly strict policies that will make extensions 9 </a>. This introduces some fairly strict policies that will make extensions
10 more secure by default, and provides you with the ability to create and 10 more secure by default, and provides you with the ability to create and
(...skipping 269 matching lines...)
280 executable resources loaded with an extension's elevated permissions are 280 executable resources loaded with an extension's elevated permissions are
281 exactly the resources you expect, and haven't been replaced by an active 281 exactly the resources you expect, and haven't been replaced by an active
282 network attacker. As <a 282 network attacker. As <a
283 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle 283 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
284 attacks</a> are both trivial and undetectable over HTTP, those origins will 284 attacks</a> are both trivial and undetectable over HTTP, those origins will
285 not be accepted. 285 not be accepted.
286 </p> 286 </p>
287 287
288 <p> 288 <p>
289 Currently, we allow whitelisting origins with the following schemes: 289 Currently, we allow whitelisting origins with the following schemes:
290 <code>blob</code>, <code>filesystem</code>, <code>https</code>, 290 <code>blob</code>, <code>filesystem</code>, <code>https</code>, and
291 <code>chrome-extension</code>, and <code>chrome-extension-resource</code>. 291 <code>chrome-extension</code>.
292 The host part of the origin must explicitly be specified for the 292 The host part of the origin must explicitly be specified for the
293 <code>https</code> and <code>chrome-extension</code> schemes. 293 <code>https</code> and <code>chrome-extension</code> schemes.
294 Generic wildcards such as <code>https:</code>, <code>https://*</code> and 294 Generic wildcards such as <code>https:</code>, <code>https://*</code> and
295 <code>https://*.com</code> are not allowed; subdomain wildcards such as 295 <code>https://*.com</code> are not allowed; subdomain wildcards such as
296 <code>https://*.example.com</code> are allowed. 296 <code>https://*.example.com</code> are allowed.
297 Domains in the <a href="https://publicsuffix.org/list/">Public Suffix list</a> 297 Domains in the <a href="https://publicsuffix.org/list/">Public Suffix list</a>
298 are also viewed as generic top-level domains. To load a resource from these 298 are also viewed as generic top-level domains. To load a resource from these
299 domains, the subdomain must explicitly be listed. For example, 299 domains, the subdomain must explicitly be listed. For example,
300 <code>https://*.cloudfront.net</code> is invalid, but 300 <code>https://*.cloudfront.net</code> is invalid, but
301 <code>https://XXXX.cloudfront.net</code> and 301 <code>https://XXXX.cloudfront.net</code> and
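Review bot: the removal of <code>chrome-extension-resource</code> from the list of whitelistable schemes (old lines 290-291, new lines 290-291) silently drops a scheme that shipped extensions may already reference in their <code>content_security_policy</code>; since this is user-facing documentation, consider adding one sentence stating that <code>chrome-extension-resource</code> origins are no longer accepted so authors know to remove them rather than discovering the change as a manifest validation error. The rewritten list itself reads correctly ("<code>blob</code>, <code>filesystem</code>, <code>https</code>, and <code>chrome-extension</code>"), and the following sentence about the host part being required for the <code>https</code> and <code>chrome-extension</code> schemes remains accurate after the change.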
(...skipping 150 matching lines...)
452 within the script will be regulated by the page's CSP. 452 within the script will be regulated by the page's CSP.
453 </p> 453 </p>
454 454
455 <p> 455 <p>
456 Thus, depending on how you write DOM injected scripts in your extension, 456 Thus, depending on how you write DOM injected scripts in your extension,
457 changes to the page's CSP may affect the behavior of your extension. Since 457 changes to the page's CSP may affect the behavior of your extension. Since
458 content scripts are <em>not</em> affected by the page's CSP, this a great 458 content scripts are <em>not</em> affected by the page's CSP, this a great
459 reason to put as much behavior as possible of your extension into the content 459 reason to put as much behavior as possible of your extension into the content
460 script rather than DOM injected scripts. 460 script rather than DOM injected scripts.
461 </p> 461 </p>
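Review bot: unchanged context line 458 carries a pre-existing typo, "this a great reason" should read "this is a great reason"; since this CL already touches the file, it would be a cheap drive-by fix to include here rather than leaving it for a separate change.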

This is Rietveld 408576698