| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_ | 5 #ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_ |
| 6 #define EXTENSIONS_COMMON_CSP_VALIDATOR_H_ | 6 #define EXTENSIONS_COMMON_CSP_VALIDATOR_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "extensions/common/manifest.h" | 10 #include "extensions/common/manifest.h" |
| (...skipping 25 matching lines...) Expand all Loading... |
| 36 // | 36 // |
| 37 // Ideally, we would like to say that an XSS vulnerability in the extension | 37 // Ideally, we would like to say that an XSS vulnerability in the extension |
| 38 // should not be able to execute script, even in the precense of an active | 38 // should not be able to execute script, even in the precense of an active |
| 39 // network attacker. | 39 // network attacker. |
| 40 // | 40 // |
| 41 // However, we found that it broke too many deployed extensions to limit | 41 // However, we found that it broke too many deployed extensions to limit |
| 42 // 'unsafe-eval' in the script-src directive, so that is allowed as a special | 42 // 'unsafe-eval' in the script-src directive, so that is allowed as a special |
| 43 // case for extensions. Platform apps disallow it. | 43 // case for extensions. Platform apps disallow it. |
| 44 // | 44 // |
| 45 // |options| is a bitmask of Options. | 45 // |options| is a bitmask of Options. |
| 46 bool ContentSecurityPolicyIsSecure( | 46 // |
| 47 const std::string& policy, int options); | 47 // If |warnings| is not NULL, any validation errors are appended to |warnings|. |
| 48 // Returns the sanitized policy. |
| 49 std::string SanitizeContentSecurityPolicy( |
| 50 const std::string& policy, |
| 51 int options, |
| 52 std::vector<InstallWarning>* warnings); |
| 48 | 53 |
| 49 // Checks whether the given |policy| enforces a unique origin sandbox as | 54 // Checks whether the given |policy| enforces a unique origin sandbox as |
| 50 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/ | 55 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/ |
| 51 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the | 56 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the |
| 52 // "sandbox" directive, and the sandbox tokens must not include | 57 // "sandbox" directive, and the sandbox tokens must not include |
| 53 // "allow-same-origin". Additional restrictions may be imposed depending on | 58 // "allow-same-origin". Additional restrictions may be imposed depending on |
| 54 // |type|. | 59 // |type|. |
| 55 bool ContentSecurityPolicyIsSandboxed( | 60 bool ContentSecurityPolicyIsSandboxed( |
| 56 const std::string& policy, Manifest::Type type); | 61 const std::string& policy, Manifest::Type type); |
| 57 | 62 |
| 58 } // namespace csp_validator | 63 } // namespace csp_validator |
| 59 | 64 |
| 60 } // namespace extensions | 65 } // namespace extensions |
| 61 | 66 |
| 62 #endif // EXTENSIONS_COMMON_CSP_VALIDATOR_H_ | 67 #endif // EXTENSIONS_COMMON_CSP_VALIDATOR_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 747403002:
Ignore insecure parts of CSP in extensions and allow extension to load (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master