Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(83)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: extensions/common/csp_validator.cc

Issue 2574763003: Remove chrome-extension-resource:// scheme (Closed)
Patch Set: Silently strip chrome-extension-resource:// from CSP directives. Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « extensions/common/constants.cc ('k') | extensions/common/csp_validator_unittest.cc » ('j') | extensions/shell/common/shell_content_client.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "extensions/common/csp_validator.h" 5 #include "extensions/common/csp_validator.h"
6 6
7 #include <stddef.h> 7 #include <stddef.h>
8 8
9 #include <vector> 9 #include <vector>
10 10
(...skipping 13 matching lines...) Expand all
24 namespace csp_validator { 24 namespace csp_validator {
25 25
26 namespace { 26 namespace {
27 27
28 const char kDefaultSrc[] = "default-src"; 28 const char kDefaultSrc[] = "default-src";
29 const char kScriptSrc[] = "script-src"; 29 const char kScriptSrc[] = "script-src";
30 const char kObjectSrc[] = "object-src"; 30 const char kObjectSrc[] = "object-src";
31 const char kPluginTypes[] = "plugin-types"; 31 const char kPluginTypes[] = "plugin-types";
32 32
33 const char kObjectSrcDefaultDirective[] = "object-src 'self';"; 33 const char kObjectSrcDefaultDirective[] = "object-src 'self';";
34 const char kScriptSrcDefaultDirective[] = 34 const char kScriptSrcDefaultDirective[] = "script-src 'self';";
35 "script-src 'self' chrome-extension-resource:;";
36 35
37 const char kSandboxDirectiveName[] = "sandbox"; 36 const char kSandboxDirectiveName[] = "sandbox";
38 const char kAllowSameOriginToken[] = "allow-same-origin"; 37 const char kAllowSameOriginToken[] = "allow-same-origin";
39 const char kAllowTopNavigation[] = "allow-top-navigation"; 38 const char kAllowTopNavigation[] = "allow-top-navigation";
40 39
41 // This is the list of plugin types which are fully sandboxed and are safe to 40 // This is the list of plugin types which are fully sandboxed and are safe to
42 // load up in an extension, regardless of the URL they are navigated to. 41 // load up in an extension, regardless of the URL they are navigated to.
43 const char* const kSandboxedPluginTypes[] = { 42 const char* const kSandboxedPluginTypes[] = {
44 "application/pdf", 43 "application/pdf",
45 "application/x-google-chrome-pdf", 44 "application/x-google-chrome-pdf",
(...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after
169 base::StartsWith(source_lower, "http://127.0.0.1:", 168 base::StartsWith(source_lower, "http://127.0.0.1:",
170 base::CompareCase::SENSITIVE) || 169 base::CompareCase::SENSITIVE) ||
171 base::StartsWith(source_lower, "http://localhost:", 170 base::StartsWith(source_lower, "http://localhost:",
172 base::CompareCase::SENSITIVE) || 171 base::CompareCase::SENSITIVE) ||
173 isNonWildcardTLD(source_lower, "https://", true) || 172 isNonWildcardTLD(source_lower, "https://", true) ||
174 isNonWildcardTLD(source_lower, "chrome://", false) || 173 isNonWildcardTLD(source_lower, "chrome://", false) ||
175 isNonWildcardTLD(source_lower, 174 isNonWildcardTLD(source_lower,
176 std::string(extensions::kExtensionScheme) + 175 std::string(extensions::kExtensionScheme) +
177 url::kStandardSchemeSeparator, 176 url::kStandardSchemeSeparator,
178 false) || 177 false) ||
179 IsHashSource(source_literal) || 178 IsHashSource(source_literal)) {
180 base::StartsWith(source_lower, "chrome-extension-resource:",
181 base::CompareCase::SENSITIVE)) {
182 is_secure_csp_token = true; 179 is_secure_csp_token = true;
183 } else if ((options & OPTIONS_ALLOW_UNSAFE_EVAL) && 180 } else if ((options & OPTIONS_ALLOW_UNSAFE_EVAL) &&
184 source_lower == "'unsafe-eval'") { 181 source_lower == "'unsafe-eval'") {
185 is_secure_csp_token = true; 182 is_secure_csp_token = true;
183 } else if (base::StartsWith(source_lower, "chrome-extension-resource:",
184 base::CompareCase::SENSITIVE)) {
185 // The "chrome-extension-resource" scheme has been removed from the
186 // codebase, but it may still appear in existing CSPs. Silently ignore it.
187 continue;
186 } 188 }
187 189
188 if (is_secure_csp_token) { 190 if (is_secure_csp_token) {
189 sane_csp_parts->push_back(source_literal); 191 sane_csp_parts->push_back(source_literal);
190 } else if (warnings) { 192 } else if (warnings) {
191 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( 193 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage(
192 manifest_errors::kInvalidCSPInsecureValue, source_literal, 194 manifest_errors::kInvalidCSPInsecureValue, source_literal,
193 directive_name))); 195 directive_name)));
194 } 196 }
195 } 197 }
(...skipping 171 matching lines...) Expand 10 before | Expand all | Expand 10 after
367 } 369 }
368 } 370 }
369 } 371 }
370 372
371 return seen_sandbox; 373 return seen_sandbox;
372 } 374 }
373 375
374 } // namespace csp_validator 376 } // namespace csp_validator
375 377
376 } // namespace extensions 378 } // namespace extensions
OLDNEW
« no previous file with comments | « extensions/common/constants.cc ('k') | extensions/common/csp_validator_unittest.cc » ('j') | extensions/shell/common/shell_content_client.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698