Chromium Code Reviews
Side by Side Diff: chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html

Issue 481643002: Disallow non-subdomain wildcards in the extension's CSP (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Disallow RCD and non-subdomain wildcards Created 6 years, 4 months ago
1 <h1>Content Security Policy (CSP)</h1> 1 <h1>Content Security Policy (CSP)</h1>
2 2
3 3
4 <p> 4 <p>
5 In order to mitigate a large class of potential cross-site scripting issues, 5 In order to mitigate a large class of potential cross-site scripting issues,
6 Chrome's extension system has incorporated the general concept of 6 Chrome's extension system has incorporated the general concept of
7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html"> 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html">
8 <strong>Content Security Policy (CSP)</strong> 8 <strong>Content Security Policy (CSP)</strong>
9 </a>. This introduces some fairly strict policies that will make extensions 9 </a>. This introduces some fairly strict policies that will make extensions
10 more secure by default, and provides you with the ability to create and 10 more secure by default, and provides you with the ability to create and
(...skipping 255 matching lines...)
266 266
267 <p> 267 <p>
268 If you have a need for some external JavaScript or object 268 If you have a need for some external JavaScript or object
269 resources, you can relax the policy to a limited extent by whitelisting 269 resources, you can relax the policy to a limited extent by whitelisting
270 secure origins from which scripts should be accepted. We want to ensure that 270 secure origins from which scripts should be accepted. We want to ensure that
271 executable resources loaded with an extension's elevated permissions are 271 executable resources loaded with an extension's elevated permissions are
272 exactly the resources you expect, and haven't been replaced by an active 272 exactly the resources you expect, and haven't been replaced by an active
273 network attacker. As <a 273 network attacker. As <a
274 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle 274 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
275 attacks</a> are both trivial and undetectable over HTTP, those origins will 275 attacks</a> are both trivial and undetectable over HTTP, those origins will
276 not be accepted. Currently, we allow whitelisting origins with the following 276 not be accepted. Currently, we allow whitelisting origins with the following
not at google - send to devlin 2014/08/19 15:05:57 This paragraph is getting unwieldy, could you spli
robwu 2014/08/19 16:31:39 Done.
277 schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and 277 schemes: <code>blob</code>, <code>filesystem</code>, <code>https</code>,
278 <code>chrome-extension-resource</code>. 278 <code>chrome-extension</code>, and <code>chrome-extension-resource</code>.
279 The host part of the origin must explicitly be specified for the
280 <code>https</code> and <code>chrome-extension</code> schemes. Wildcards are
281 not allowed, unless it is a subdomain wildcard.
282 For example, <code>https://*</code> is not allowed, but
283 <code>https://example.com</code> and <code>https://*.example.com</code> are.
279 </p> 284 </p>
280 285
281 <p> 286 <p>
282 To ease development, we're also allowing the whitelisting of resources loaded 287 To ease development, we're also allowing the whitelisting of resources loaded
283 over HTTP from servers on your local machine. You may whitelist script and 288 over HTTP from servers on your local machine. You may whitelist script and
284 object sources on any port of either <code>http://127.0.0.1</code> or 289 object sources on any port of either <code>http://127.0.0.1</code> or
285 <code>http://localhost</code>. 290 <code>http://localhost</code>.
286 </p> 291 </p>
287 292
288 <p class="note"> 293 <p class="note">
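Review bot: the new sentence "Wildcards are not allowed, unless it is a subdomain wildcard" mixes plural and singular; suggest "Wildcards are not allowed, except for a subdomain wildcard" or "The only wildcard permitted is a subdomain wildcard". Also, the patch set is described as "Disallow RCD and non-subdomain wildcards", but the new paragraph only documents the non-subdomain restriction; if the RCD restriction is user-visible, state it next to the `https://*` example so that developers learn from the docs which origins the validator refuses, rather than from a manifest load error.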
(...skipping 139 matching lines...)
428 within the script will be regulated by the page's CSP. 433 within the script will be regulated by the page's CSP.
429 </p> 434 </p>
430 435
431 <p> 436 <p>
432 Thus, depending on how you write DOM injected scripts in your extension, 437 Thus, depending on how you write DOM injected scripts in your extension,
433 changes to the page's CSP may affect the behavior of your extension. Since 438 changes to the page's CSP may affect the behavior of your extension. Since
434 content scripts are <em>not</em> affected by the page's CSP, this a great 439 content scripts are <em>not</em> affected by the page's CSP, this a great
435 reason to put as much behavior as possible of your extension into the content 440 reason to put as much behavior as possible of your extension into the content
436 script rather than DOM injected scripts. 441 script rather than DOM injected scripts.
437 </p> 442 </p>