Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(428)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: extensions/common/manifest_handlers/csp_info.cc

Issue 747403002: Ignore insecure parts of CSP in extensions and allow extension to load (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix test expectations Created 5 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « extensions/common/manifest_constants.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "extensions/common/manifest_handlers/csp_info.h" 5 #include "extensions/common/manifest_handlers/csp_info.h"
6 6
7 #include "base/memory/scoped_ptr.h" 7 #include "base/memory/scoped_ptr.h"
8 #include "base/strings/string_util.h" 8 #include "base/strings/string_util.h"
9 #include "base/strings/utf_string_conversions.h" 9 #include "base/strings/utf_string_conversions.h"
10 #include "base/values.h" 10 #include "base/values.h"
11 #include "extensions/common/csp_validator.h" 11 #include "extensions/common/csp_validator.h"
12 #include "extensions/common/install_warning.h"
12 #include "extensions/common/manifest_constants.h" 13 #include "extensions/common/manifest_constants.h"
13 #include "extensions/common/manifest_handlers/sandboxed_page_info.h" 14 #include "extensions/common/manifest_handlers/sandboxed_page_info.h"
14 15
15 namespace extensions { 16 namespace extensions {
16 17
17 namespace keys = manifest_keys; 18 namespace keys = manifest_keys;
18 namespace errors = manifest_errors; 19 namespace errors = manifest_errors;
19 20
20 using csp_validator::ContentSecurityPolicyIsLegal; 21 using csp_validator::ContentSecurityPolicyIsLegal;
21 using csp_validator::ContentSecurityPolicyIsSecure; 22 using csp_validator::SanitizeContentSecurityPolicy;
22 23
23 namespace { 24 namespace {
24 25
25 const char kDefaultContentSecurityPolicy[] = 26 const char kDefaultContentSecurityPolicy[] =
26 "script-src 'self' chrome-extension-resource:; object-src 'self'"; 27 "script-src 'self' chrome-extension-resource:; object-src 'self';";
27 28
28 #define PLATFORM_APP_LOCAL_CSP_SOURCES \ 29 #define PLATFORM_APP_LOCAL_CSP_SOURCES \
29 "'self' data: chrome-extension-resource:" 30 "'self' data: chrome-extension-resource:"
30 const char kDefaultPlatformAppContentSecurityPolicy[] = 31 const char kDefaultPlatformAppContentSecurityPolicy[] =
31 // Platform apps can only use local resources by default. 32 // Platform apps can only use local resources by default.
32 "default-src 'self' chrome-extension-resource:;" 33 "default-src 'self' chrome-extension-resource:;"
33 // For remote resources, they can fetch them via XMLHttpRequest. 34 // For remote resources, they can fetch them via XMLHttpRequest.
34 "connect-src *;" 35 " connect-src *;"
35 // And serve them via data: or same-origin (blob:, filesystem:) URLs 36 // And serve them via data: or same-origin (blob:, filesystem:) URLs
36 "style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';" 37 " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';"
37 "img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 38 " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
38 "frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 39 " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
39 "font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" 40 " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
40 // Media can be loaded from remote resources since: 41 // Media can be loaded from remote resources since:
41 // 1. <video> and <audio> have good fallback behavior when offline or under 42 // 1. <video> and <audio> have good fallback behavior when offline or under
42 // spotty connectivity. 43 // spotty connectivity.
43 // 2. Fetching via XHR and serving via blob: URLs currently does not allow 44 // 2. Fetching via XHR and serving via blob: URLs currently does not allow
44 // streaming or partial buffering. 45 // streaming or partial buffering.
45 "media-src *;"; 46 " media-src *;";
46 47
47 int GetValidatorOptions(Extension* extension) { 48 int GetValidatorOptions(Extension* extension) {
48 int options = csp_validator::OPTIONS_NONE; 49 int options = csp_validator::OPTIONS_NONE;
49 50
50 // crbug.com/146487 51 // crbug.com/146487
51 if (extension->GetType() == Manifest::TYPE_EXTENSION || 52 if (extension->GetType() == Manifest::TYPE_EXTENSION ||
52 extension->GetType() == Manifest::TYPE_LEGACY_PACKAGED_APP) { 53 extension->GetType() == Manifest::TYPE_LEGACY_PACKAGED_APP) {
53 options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; 54 options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
54 } 55 }
55 56
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
101 bool CSPHandler::Parse(Extension* extension, base::string16* error) { 102 bool CSPHandler::Parse(Extension* extension, base::string16* error) {
102 const std::string key = Keys()[0]; 103 const std::string key = Keys()[0];
103 if (!extension->manifest()->HasPath(key)) { 104 if (!extension->manifest()->HasPath(key)) {
104 if (extension->manifest_version() >= 2) { 105 if (extension->manifest_version() >= 2) {
105 // TODO(abarth): Should we continue to let extensions override the 106 // TODO(abarth): Should we continue to let extensions override the
106 // default Content-Security-Policy? 107 // default Content-Security-Policy?
107 std::string content_security_policy = is_platform_app_ ? 108 std::string content_security_policy = is_platform_app_ ?
108 kDefaultPlatformAppContentSecurityPolicy : 109 kDefaultPlatformAppContentSecurityPolicy :
109 kDefaultContentSecurityPolicy; 110 kDefaultContentSecurityPolicy;
110 111
111 CHECK(ContentSecurityPolicyIsSecure(content_security_policy, 112 CHECK_EQ(content_security_policy,
112 GetValidatorOptions(extension))); 113 SanitizeContentSecurityPolicy(content_security_policy,
114 GetValidatorOptions(extension),
115 NULL));
113 extension->SetManifestData(keys::kContentSecurityPolicy, 116 extension->SetManifestData(keys::kContentSecurityPolicy,
114 new CSPInfo(content_security_policy)); 117 new CSPInfo(content_security_policy));
115 } 118 }
116 return true; 119 return true;
117 } 120 }
118 121
119 std::string content_security_policy; 122 std::string content_security_policy;
120 if (!extension->manifest()->GetString(key, &content_security_policy)) { 123 if (!extension->manifest()->GetString(key, &content_security_policy)) {
121 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy); 124 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy);
122 return false; 125 return false;
123 } 126 }
124 if (!ContentSecurityPolicyIsLegal(content_security_policy)) { 127 if (!ContentSecurityPolicyIsLegal(content_security_policy)) {
125 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy); 128 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy);
126 return false; 129 return false;
127 } 130 }
128 if (extension->manifest_version() >= 2 && 131 std::string sanitized_csp;
129 !ContentSecurityPolicyIsSecure(content_security_policy, 132 if (extension->manifest_version() >= 2) {
130 GetValidatorOptions(extension))) { 133 std::vector<InstallWarning> warnings;
131 *error = base::ASCIIToUTF16(errors::kInsecureContentSecurityPolicy); 134 content_security_policy =
132 return false; 135 SanitizeContentSecurityPolicy(content_security_policy,
136 GetValidatorOptions(extension),
137 &warnings);
138 extension->AddInstallWarnings(warnings);
133 } 139 }
134 140
135 extension->SetManifestData(keys::kContentSecurityPolicy, 141 extension->SetManifestData(keys::kContentSecurityPolicy,
136 new CSPInfo(content_security_policy)); 142 new CSPInfo(content_security_policy));
137 return true; 143 return true;
138 } 144 }
139 145
140 bool CSPHandler::AlwaysParseForType(Manifest::Type type) const { 146 bool CSPHandler::AlwaysParseForType(Manifest::Type type) const {
141 if (is_platform_app_) 147 if (is_platform_app_)
142 return type == Manifest::TYPE_PLATFORM_APP; 148 return type == Manifest::TYPE_PLATFORM_APP;
143 else 149 else
144 return type == Manifest::TYPE_EXTENSION || 150 return type == Manifest::TYPE_EXTENSION ||
145 type == Manifest::TYPE_LEGACY_PACKAGED_APP; 151 type == Manifest::TYPE_LEGACY_PACKAGED_APP;
146 } 152 }
147 153
148 const std::vector<std::string> CSPHandler::Keys() const { 154 const std::vector<std::string> CSPHandler::Keys() const {
149 const std::string& key = is_platform_app_ ? 155 const std::string& key = is_platform_app_ ?
150 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy; 156 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy;
151 return SingleKey(key); 157 return SingleKey(key);
152 } 158 }
153 159
154 } // namespace extensions 160 } // namespace extensions
OLDNEW
« no previous file with comments | « extensions/common/manifest_constants.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698