| OLD | NEW |
| 1 <h1>Content Security Policy (CSP)</h1> | 1 <h1>Content Security Policy (CSP)</h1> |
| 2 | 2 |
| 3 | 3 |
| 4 <p> | 4 <p> |
| 5 In order to mitigate a large class of potential cross-site scripting issues, | 5 In order to mitigate a large class of potential cross-site scripting issues, |
| 6 Chrome's extension system has incorporated the general concept of | 6 Chrome's extension system has incorporated the general concept of |
| 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html"> | 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html"> |
| 8 <strong>Content Security Policy (CSP)</strong> | 8 <strong>Content Security Policy (CSP)</strong> |
| 9 </a>. This introduces some fairly strict policies that will make extensions | 9 </a>. This introduces some fairly strict policies that will make extensions |
| 10 more secure by default, and provides you with the ability to create and | 10 more secure by default, and provides you with the ability to create and |
| (...skipping 255 matching lines...) |
| 266 | 266 |
| 267 <p> | 267 <p> |
| 268 If you have a need for some external JavaScript or object | 268 If you have a need for some external JavaScript or object |
| 269 resources, you can relax the policy to a limited extent by whitelisting | 269 resources, you can relax the policy to a limited extent by whitelisting |
| 270 secure origins from which scripts should be accepted. We want to ensure that | 270 secure origins from which scripts should be accepted. We want to ensure that |
| 271 executable resources loaded with an extension's elevated permissions are | 271 executable resources loaded with an extension's elevated permissions are |
| 272 exactly the resources you expect, and haven't been replaced by an active | 272 exactly the resources you expect, and haven't been replaced by an active |
| 273 network attacker. As <a | 273 network attacker. As <a |
| 274 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle | 274 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle |
| 275 attacks</a> are both trivial and undetectable over HTTP, those origins will | 275 attacks</a> are both trivial and undetectable over HTTP, those origins will |
| 276 not be accepted. Currently, we allow whitelisting origins with the following | 276 not be accepted. |
| 277 schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and | |
| 278 <code>chrome-extension-resource</code>. | |
| 279 </p> | 277 </p> |
| 280 | 278 |
| 281 <p> | 279 <p> |
| 280 Currently, we allow whitelisting origins with the following schemes: |
| 281 <code>blob</code>, <code>filesystem</code>, <code>https</code>, |
| 282 <code>chrome-extension</code>, and <code>chrome-extension-resource</code>. |
| 283 The host part of the origin must explicitly be specified for the |
| 284 <code>https</code> and <code>chrome-extension</code> schemes. |
| 285 Generic wildcards such as <code>https:</code>, <code>https://*</code> and |
| 286 <code>https://*.com</code> are not allowed; subdomain wildcards such as |
| 287 <code>https://*.example.com</code> are allowed. |
| 288 </p> |
| 289 |
| 290 <p> |
| 282 To ease development, we're also allowing the whitelisting of resources loaded | 291 To ease development, we're also allowing the whitelisting of resources loaded |
| 283 over HTTP from servers on your local machine. You may whitelist script and | 292 over HTTP from servers on your local machine. You may whitelist script and |
| 284 object sources on any port of either <code>http://127.0.0.1</code> or | 293 object sources on any port of either <code>http://127.0.0.1</code> or |
| 285 <code>http://localhost</code>. | 294 <code>http://localhost</code>. |
| 286 </p> | 295 </p> |
| 287 | 296 |
| 288 <p class="note"> | 297 <p class="note"> |
| 289 The restriction against resources loaded over HTTP applies only to those | 298 The restriction against resources loaded over HTTP applies only to those |
| 290 resources which are directly executed. You're still free, for example, to | 299 resources which are directly executed. You're still free, for example, to |
| 291 make XMLHTTPRequest connections to any origin you like; the default policy | 300 make XMLHTTPRequest connections to any origin you like; the default policy |
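Review bot: the new paragraph at lines 280-288 lists five schemes but the host requirement at 283-284 names only `https` and `chrome-extension`, so a reader cannot tell whether a bare `chrome-extension-resource:`, `blob:` or `filesystem:` source is accepted, or what whitelisting `blob` and `filesystem` actually permits to execute; please add one sentence covering the remaining three schemes, and since the wildcard rules at 285-287 only give `https://*.example.com` as the allowed form, state whether that pattern also matches `https://example.com` itself or only its subdomains.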
| (...skipping 136 matching lines...) |
| 428 within the script will be regulated by the page's CSP. | 437 within the script will be regulated by the page's CSP. |
| 429 </p> | 438 </p> |
| 430 | 439 |
| 431 <p> | 440 <p> |
| 432 Thus, depending on how you write DOM injected scripts in your extension, | 441 Thus, depending on how you write DOM injected scripts in your extension, |
| 433 changes to the page's CSP may affect the behavior of your extension. Since | 442 changes to the page's CSP may affect the behavior of your extension. Since |
| 434 content scripts are <em>not</em> affected by the page's CSP, this a great | 443 content scripts are <em>not</em> affected by the page's CSP, this a great |
| 435 reason to put as much behavior as possible of your extension into the content | 444 reason to put as much behavior as possible of your extension into the content |
| 436 script rather than DOM injected scripts. | 445 script rather than DOM injected scripts. |
| 437 </p> | 446 </p> |
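Review bot: unchanged context at line 443 reads "this a great reason to put as much behavior as possible of your extension into the content script", which is missing "is" ("this is a great reason"); while touching this file, fix it here.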