Chromium Code Reviews

Side by Side Diff: chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html

Issue 673183003: Allow *.googleapis.com to be used in CSP (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: update docs (googleapis.com -> cloudfront.net) Created 6 years, 1 month ago
Other file in this patch: extensions/common/csp_validator.cc
OLDNEW
1 <h1>Content Security Policy (CSP)</h1> 1 <h1>Content Security Policy (CSP)</h1>
2 2
3 3
4 <p> 4 <p>
5 In order to mitigate a large class of potential cross-site scripting issues, 5 In order to mitigate a large class of potential cross-site scripting issues,
6 Chrome's extension system has incorporated the general concept of 6 Chrome's extension system has incorporated the general concept of
7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html"> 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html">
8 <strong>Content Security Policy (CSP)</strong> 8 <strong>Content Security Policy (CSP)</strong>
9 </a>. This introduces some fairly strict policies that will make extensions 9 </a>. This introduces some fairly strict policies that will make extensions
10 more secure by default, and provides you with the ability to create and 10 more secure by default, and provides you with the ability to create and
(...skipping 270 matching lines...)
281 <code>blob</code>, <code>filesystem</code>, <code>https</code>, 281 <code>blob</code>, <code>filesystem</code>, <code>https</code>,
282 <code>chrome-extension</code>, and <code>chrome-extension-resource</code>. 282 <code>chrome-extension</code>, and <code>chrome-extension-resource</code>.
283 The host part of the origin must explicitly be specified for the 283 The host part of the origin must explicitly be specified for the
284 <code>https</code> and <code>chrome-extension</code> schemes. 284 <code>https</code> and <code>chrome-extension</code> schemes.
285 Generic wildcards such as <code>https:</code>, <code>https://*</code> and 285 Generic wildcards such as <code>https:</code>, <code>https://*</code> and
286 <code>https://*.com</code> are not allowed; subdomain wildcards such as 286 <code>https://*.com</code> are not allowed; subdomain wildcards such as
287 <code>https://*.example.com</code> are allowed. 287 <code>https://*.example.com</code> are allowed.
288 Domains in the <a href="https://publicsuffix.org/list/">Public Suffix list</a> 288 Domains in the <a href="https://publicsuffix.org/list/">Public Suffix list</a>
289 are also viewed as generic top-level domains. To load a resource from these 289 are also viewed as generic top-level domains. To load a resource from these
290 domains, the subdomain must explicitly be listed. For example, 290 domains, the subdomain must explicitly be listed. For example,
291 <code>https://*.googleapis.com</code> is invalid, but 291 <code>https://*.cloudfront.net</code> is invalid, but
292 <code>https://ajax.googleapis.com</code> and 292 <code>https://XXXX.cloudfront.net</code> and
293 <code>https://*.ajax.googleapis.com</code> can be whitelisted. 293 <code>https://*.XXXX.cloudfront.net</code> can be whitelisted.
294 </p> 294 </p>
295 295
296 <p> 296 <p>
297 To ease development, we're also allowing the whitelisting of resources loaded 297 To ease development, we're also allowing the whitelisting of resources loaded
298 over HTTP from servers on your local machine. You may whitelist script and 298 over HTTP from servers on your local machine. You may whitelist script and
299 object sources on any port of either <code>http://127.0.0.1</code> or 299 object sources on any port of either <code>http://127.0.0.1</code> or
300 <code>http://localhost</code>. 300 <code>http://localhost</code>.
301 </p> 301 </p>
302 302
303 <p class="note"> 303 <p class="note">
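Review bot: the rewritten example at lines 291-293 swaps googleapis.com for cloudfront.net but leaves the rule itself unchanged, so the paragraph now silently contradicts what this CL does; since the issue allows `https://*.googleapis.com` in csp_validator.cc, lines 288-290 should state that googleapis.com is exempted from the Public Suffix restriction rather than just dropping it from the example, otherwise a reader who checks the Public Suffix list will still expect `https://*.googleapis.com` to be rejected. Also, `XXXX.cloudfront.net` reads as a garbled placeholder; either use an obviously illustrative label (`https://example.cloudfront.net` and `https://*.example.cloudfront.net`) or say that `XXXX` stands for the distribution's own subdomain. The example only holds if cloudfront.net is on the Public Suffix list, which is the premise of the sentence, so please confirm against the linked list before landing.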
(...skipping 139 matching lines...)
443 within the script will be regulated by the page's CSP. 443 within the script will be regulated by the page's CSP.
444 </p> 444 </p>
445 445
446 <p> 446 <p>
447 Thus, depending on how you write DOM injected scripts in your extension, 447 Thus, depending on how you write DOM injected scripts in your extension,
448 changes to the page's CSP may affect the behavior of your extension. Since 448 changes to the page's CSP may affect the behavior of your extension. Since
449 content scripts are <em>not</em> affected by the page's CSP, this a great 449 content scripts are <em>not</em> affected by the page's CSP, this a great
450 reason to put as much behavior as possible of your extension into the content 450 reason to put as much behavior as possible of your extension into the content
451 script rather than DOM injected scripts. 451 script rather than DOM injected scripts.
452 </p> 452 </p>
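Review bot: drive-by nit in the unchanged context at line 449: "this a great reason" is missing "is" ("this is a great reason"); since this CL already touches the file it would be cheap to fix here.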