| Index: extensions/common/csp_validator.cc
|
| diff --git a/extensions/common/csp_validator.cc b/extensions/common/csp_validator.cc
|
| index 23af91c75787c06964b62ea5ea1ee393e6deb19d..f8d1a655d787c66f50c9e4b810fcf469fa78c860 100644
|
| --- a/extensions/common/csp_validator.cc
|
| +++ b/extensions/common/csp_validator.cc
|
| @@ -11,6 +11,9 @@
|
| #include "base/strings/string_util.h"
|
| #include "content/public/common/url_constants.h"
|
| #include "extensions/common/constants.h"
|
| +#include "extensions/common/error_utils.h"
|
| +#include "extensions/common/install_warning.h"
|
| +#include "extensions/common/manifest_constants.h"
|
| #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
|
|
|
| namespace extensions {
|
| @@ -22,6 +25,9 @@ namespace {
|
| const char kDefaultSrc[] = "default-src";
|
| const char kScriptSrc[] = "script-src";
|
| const char kObjectSrc[] = "object-src";
|
| +const char kObjectSrcDefaultDirective[] = "object-src 'self';";
|
| +const char kScriptSrcDefaultDirective[] =
|
| + "script-src 'self' chrome-extension-resource:;";
|
|
|
| const char kSandboxDirectiveName[] = "sandbox";
|
| const char kAllowSameOriginToken[] = "allow-same-origin";
|
| @@ -29,14 +35,10 @@ const char kAllowTopNavigation[] = "allow-top-navigation";
|
|
|
| struct DirectiveStatus {
|
| explicit DirectiveStatus(const char* name)
|
| - : directive_name(name)
|
| - , seen_in_policy(false)
|
| - , is_secure(false) {
|
| - }
|
| + : directive_name(name), seen_in_policy(false) {}
|
|
|
| const char* directive_name;
|
| bool seen_in_policy;
|
| - bool is_secure;
|
| };
|
|
|
| // Returns whether |url| starts with |scheme_and_separator| and does not have a
|
| @@ -54,12 +56,6 @@ bool isNonWildcardTLD(const std::string& url,
|
| if (end_of_host == std::string::npos)
|
| end_of_host = url.size();
|
|
|
| - // A missing host such as "chrome-extension://" is invalid, but for backwards-
|
| - // compatibility, accept such CSP parts. They will be ignored by Blink anyway.
|
| - // TODO(robwu): Remove this special case once crbug.com/434773 is fixed.
|
| - if (start_of_host == end_of_host)
|
| - return true;
|
| -
|
| // Note: It is sufficient to only compare the first character against '*'
|
| // because the CSP only allows wildcards at the start of a directive, see
|
| // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax
|
| @@ -106,8 +102,12 @@ bool isNonWildcardTLD(const std::string& url,
|
| return registry_length != 0;
|
| }
|
|
|
| -bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,
|
| - Manifest::Type type) {
|
| +void GetSecureDirectiveValues(const std::string& directive_name,
|
| + base::StringTokenizer& tokenizer,
|
| + Manifest::Type type,
|
| + std::vector<std::string>& csp_parts,
|
| + std::vector<std::string>* csp_warnings) {
|
| + csp_parts.push_back(directive_name);
|
| while (tokenizer.GetNext()) {
|
| std::string source = tokenizer.token();
|
| base::StringToLowerASCII(&source);
|
| @@ -128,33 +128,48 @@ bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,
|
| url::kStandardSchemeSeparator,
|
| false) ||
|
| StartsWithASCII(source, "chrome-extension-resource:", true)) {
|
| + csp_parts.push_back(source);
|
| continue;
|
| }
|
|
|
| // crbug.com/146487
|
| if (type == Manifest::TYPE_EXTENSION ||
|
| type == Manifest::TYPE_LEGACY_PACKAGED_APP) {
|
| - if (source == "'unsafe-eval'")
|
| + if (source == "'unsafe-eval'") {
|
| + csp_parts.push_back(source);
|
| continue;
|
| + }
|
| + }
|
| + if (csp_warnings) {
|
| + csp_warnings->push_back(ErrorUtils::FormatErrorMessage(
|
| + manifest_errors::kInvalidCSPInsecureValue, source, directive_name));
|
| }
|
| -
|
| - return false;
|
| }
|
| -
|
| - return true; // Empty values default to 'none', which is secure.
|
| + // End of CSP directive that was started at the beginning of this method. If
|
| + // none of the values are secure, the policy will be empty and default to
|
| + // 'none', which is secure.
|
| + csp_parts.back().push_back(';');
|
| }
|
|
|
| // Returns true if |directive_name| matches |status.directive_name|.
|
| bool UpdateStatus(const std::string& directive_name,
|
| base::StringTokenizer& tokenizer,
|
| DirectiveStatus* status,
|
| - Manifest::Type type) {
|
| - if (status->seen_in_policy)
|
| - return false;
|
| + Manifest::Type type,
|
| + std::vector<std::string>& csp_parts,
|
| + std::vector<std::string>* csp_warnings) {
|
| if (directive_name != status->directive_name)
|
| return false;
|
| - status->seen_in_policy = true;
|
| - status->is_secure = HasOnlySecureTokens(tokenizer, type);
|
| +
|
| + if (!status->seen_in_policy) {
|
| + status->seen_in_policy = true;
|
| + GetSecureDirectiveValues(directive_name, tokenizer, type, csp_parts,
|
| + csp_warnings);
|
| + } else {
|
| + // Don't show any errors for duplicate CSP directives, because it will be
|
| + // ignored by the CSP parser (http://www.w3.org/TR/CSP2/#policy-parsing).
|
| + GetSecureDirectiveValues(directive_name, tokenizer, type, csp_parts, NULL);
|
| + }
|
| return true;
|
| }
|
|
|
| @@ -170,7 +185,9 @@ bool ContentSecurityPolicyIsLegal(const std::string& policy) {
|
| }
|
|
|
| bool ContentSecurityPolicyIsSecure(const std::string& policy,
|
| - Manifest::Type type) {
|
| + Manifest::Type type,
|
| + std::string* sanitized_csp,
|
| + std::vector<InstallWarning>* warnings) {
|
| // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
|
| std::vector<std::string> directives;
|
| base::SplitString(policy, ';', &directives);
|
| @@ -179,6 +196,9 @@ bool ContentSecurityPolicyIsSecure(const std::string& policy,
|
| DirectiveStatus script_src_status(kScriptSrc);
|
| DirectiveStatus object_src_status(kObjectSrc);
|
|
|
| + std::vector<std::string> csp_parts;
|
| + std::vector<std::string> csp_warnings;
|
| + std::vector<std::string> default_src_csp_warnings;
|
| for (size_t i = 0; i < directives.size(); ++i) {
|
| std::string& input = directives[i];
|
| base::StringTokenizer tokenizer(input, " \t\r\n");
|
| @@ -188,27 +208,54 @@ bool ContentSecurityPolicyIsSecure(const std::string& policy,
|
| std::string directive_name = tokenizer.token();
|
| base::StringToLowerASCII(&directive_name);
|
|
|
| - if (UpdateStatus(directive_name, tokenizer, &default_src_status, type))
|
| + if (UpdateStatus(directive_name, tokenizer, &default_src_status, type,
|
| + csp_parts, &default_src_csp_warnings))
|
| continue;
|
| - if (UpdateStatus(directive_name, tokenizer, &script_src_status, type))
|
| + if (UpdateStatus(directive_name, tokenizer, &script_src_status, type,
|
| + csp_parts, &csp_warnings))
|
| continue;
|
| - if (UpdateStatus(directive_name, tokenizer, &object_src_status, type))
|
| + if (UpdateStatus(directive_name, tokenizer, &object_src_status, type,
|
| + csp_parts, &csp_warnings))
|
| continue;
|
| +
|
| + // Pass the other CSP directives as-is without further validation.
|
| + csp_parts.push_back(input + ";");
|
| }
|
|
|
| - if (script_src_status.seen_in_policy && !script_src_status.is_secure)
|
| - return false;
|
| + if (default_src_status.seen_in_policy) {
|
| + if (!script_src_status.seen_in_policy ||
|
| + !object_src_status.seen_in_policy) {
|
| + // Insecure values in default-src are only relevant if either script-src
|
| + // or object-src is omitted.
|
| + csp_warnings.insert(csp_warnings.end(),
|
| + default_src_csp_warnings.begin(),
|
| + default_src_csp_warnings.end());
|
| + }
|
| + } else {
|
| + if (!script_src_status.seen_in_policy) {
|
| + csp_parts.push_back(kScriptSrcDefaultDirective);
|
| + csp_warnings.push_back(ErrorUtils::FormatErrorMessage(
|
| + manifest_errors::kInvalidCSPMissingSecureSrc, kScriptSrc));
|
| + }
|
| + if (!object_src_status.seen_in_policy) {
|
| + csp_parts.push_back(kObjectSrcDefaultDirective);
|
| + csp_warnings.push_back(ErrorUtils::FormatErrorMessage(
|
| + manifest_errors::kInvalidCSPMissingSecureSrc, kObjectSrc));
|
| + }
|
| + }
|
|
|
| - if (object_src_status.seen_in_policy && !object_src_status.is_secure)
|
| - return false;
|
| + if (sanitized_csp)
|
| + *sanitized_csp = JoinString(csp_parts, ' ');
|
| + if (csp_warnings.empty())
|
| + return true;
|
|
|
| - if (default_src_status.seen_in_policy && !default_src_status.is_secure) {
|
| - return script_src_status.seen_in_policy &&
|
| - object_src_status.seen_in_policy;
|
| + if (warnings) {
|
| + for (auto csp_warning : csp_warnings) {
|
| + warnings->push_back(
|
| + InstallWarning(csp_warning, manifest_keys::kContentSecurityPolicy));
|
| + }
|
| }
|
| -
|
| - return default_src_status.seen_in_policy ||
|
| - (script_src_status.seen_in_policy && object_src_status.seen_in_policy);
|
| + return false;
|
| }
|
|
|
| bool ContentSecurityPolicyIsSandboxed(
|
|
|
Chromium Code Reviews
Issue 747403002:
Ignore insecure parts of CSP in extensions and allow extension to load (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master