Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(49)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: extensions/common/csp_validator.h

Issue 747403002: Ignore insecure parts of CSP in extensions and allow extension to load (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: comments #7 Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « chrome/common/extensions/manifest_tests/extension_manifests_platformapp_unittest.cc ('k') | extensions/common/csp_validator.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_ 5 #ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_
6 #define EXTENSIONS_COMMON_CSP_VALIDATOR_H_ 6 #define EXTENSIONS_COMMON_CSP_VALIDATOR_H_
7 7
8 #include <string> 8 #include <string>
9 9
10 #include "extensions/common/manifest.h" 10 #include "extensions/common/manifest.h"
(...skipping 10 matching lines...) Expand all
21 // Checks whether the given |policy| meets the minimum security requirements 21 // Checks whether the given |policy| meets the minimum security requirements
22 // for use in the extension system. 22 // for use in the extension system.
23 // 23 //
24 // Ideally, we would like to say that an XSS vulnerability in the extension 24 // Ideally, we would like to say that an XSS vulnerability in the extension
25 // should not be able to execute script, even in the precense of an active 25 // should not be able to execute script, even in the precense of an active
26 // network attacker. 26 // network attacker.
27 // 27 //
28 // However, we found that it broke too many deployed extensions to limit 28 // However, we found that it broke too many deployed extensions to limit
29 // 'unsafe-eval' in the script-src directive, so that is allowed as a special 29 // 'unsafe-eval' in the script-src directive, so that is allowed as a special
30 // case for extensions. Platform apps disallow it. 30 // case for extensions. Platform apps disallow it.
31 bool ContentSecurityPolicyIsSecure( 31 //
32 const std::string& policy, Manifest::Type type); 32 // If |sanitized_csp| is not NULL, |policy| minus the insecure values is stored
33 // in |sanitized_csp|.
not at google - send to devlin 2014/11/24 18:26:08 Concise is nice: If |sanitized_csp| is non-NULL it
34 // If |warnings| is not NULL, any validation errors are appended to |warnings|.
35 // Returns whether |policy| meets the minimum security requirements.
36 bool ContentSecurityPolicyIsSecure(const std::string& policy,
37 Manifest::Type type,
38 std::string* sanitized_csp,
39 std::vector<InstallWarning>* warnings);
33 40
34 // Checks whether the given |policy| enforces a unique origin sandbox as 41 // Checks whether the given |policy| enforces a unique origin sandbox as
35 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/ 42 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/
36 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the 43 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the
37 // "sandbox" directive, and the sandbox tokens must not include 44 // "sandbox" directive, and the sandbox tokens must not include
38 // "allow-same-origin". Additional restrictions may be imposed depending on 45 // "allow-same-origin". Additional restrictions may be imposed depending on
39 // |type|. 46 // |type|.
40 bool ContentSecurityPolicyIsSandboxed( 47 bool ContentSecurityPolicyIsSandboxed(
41 const std::string& policy, Manifest::Type type); 48 const std::string& policy, Manifest::Type type);
42 49
43 } // namespace csp_validator 50 } // namespace csp_validator
44 51
45 } // namespace extensions 52 } // namespace extensions
46 53
47 #endif // EXTENSIONS_COMMON_CSP_VALIDATOR_H_ 54 #endif // EXTENSIONS_COMMON_CSP_VALIDATOR_H_
OLDNEW
« no previous file with comments | « chrome/common/extensions/manifest_tests/extension_manifests_platformapp_unittest.cc ('k') | extensions/common/csp_validator.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698