| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_ | 5 #ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_ |
| 6 #define EXTENSIONS_COMMON_CSP_VALIDATOR_H_ | 6 #define EXTENSIONS_COMMON_CSP_VALIDATOR_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "extensions/common/manifest.h" | 10 #include "extensions/common/manifest.h" |
| (...skipping 10 matching lines...) Expand all Loading... |
| 21 // Checks whether the given |policy| meets the minimum security requirements | 21 // Checks whether the given |policy| meets the minimum security requirements |
| 22 // for use in the extension system. | 22 // for use in the extension system. |
| 23 // | 23 // |
| 24 // Ideally, we would like to say that an XSS vulnerability in the extension | 24 // Ideally, we would like to say that an XSS vulnerability in the extension |
| 25 // should not be able to execute script, even in the precense of an active | 25 // should not be able to execute script, even in the precense of an active |
| 26 // network attacker. | 26 // network attacker. |
| 27 // | 27 // |
| 28 // However, we found that it broke too many deployed extensions to limit | 28 // However, we found that it broke too many deployed extensions to limit |
| 29 // 'unsafe-eval' in the script-src directive, so that is allowed as a special | 29 // 'unsafe-eval' in the script-src directive, so that is allowed as a special |
| 30 // case for extensions. Platform apps disallow it. | 30 // case for extensions. Platform apps disallow it. |
| 31 bool ContentSecurityPolicyIsSecure( | 31 // |
| 32 const std::string& policy, Manifest::Type type); | 32 // If |sanitized_csp| is not NULL, |policy| minus the insecure values is stored |
| 33 // in |sanitized_csp|. |
| 34 // If |warnings| is not NULL, any validation errors are appended to |warnings|. |
| 35 // Returns whether |policy| meets the minimum security requirements. |
| 36 bool ContentSecurityPolicyIsSecure(const std::string& policy, |
| 37 Manifest::Type type, |
| 38 std::string* sanitized_csp, |
| 39 std::vector<InstallWarning>* warnings); |
| 33 | 40 |
| 34 // Checks whether the given |policy| enforces a unique origin sandbox as | 41 // Checks whether the given |policy| enforces a unique origin sandbox as |
| 35 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/ | 42 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/ |
| 36 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the | 43 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the |
| 37 // "sandbox" directive, and the sandbox tokens must not include | 44 // "sandbox" directive, and the sandbox tokens must not include |
| 38 // "allow-same-origin". Additional restrictions may be imposed depending on | 45 // "allow-same-origin". Additional restrictions may be imposed depending on |
| 39 // |type|. | 46 // |type|. |
| 40 bool ContentSecurityPolicyIsSandboxed( | 47 bool ContentSecurityPolicyIsSandboxed( |
| 41 const std::string& policy, Manifest::Type type); | 48 const std::string& policy, Manifest::Type type); |
| 42 | 49 |
| 43 } // namespace csp_validator | 50 } // namespace csp_validator |
| 44 | 51 |
| 45 } // namespace extensions | 52 } // namespace extensions |
| 46 | 53 |
| 47 #endif // EXTENSIONS_COMMON_CSP_VALIDATOR_H_ | 54 #endif // EXTENSIONS_COMMON_CSP_VALIDATOR_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 747403002:
Ignore insecure parts of CSP in extensions and allow extension to load (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master