extensions/common/csp_validator.h - Issue 747403002: Ignore insecure parts of CSP in extensions and allow extension to load

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: extensions/common/csp_validator.h

Issue 747403002: Ignore insecure parts of CSP in extensions and allow extension to load (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: rebase Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « chrome/common/extensions/manifest_tests/extension_manifests_platformapp_unittest.cc ('k') | extensions/common/csp_validator.cc » ('j') | extensions/common/csp_validator.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: extensions/common/csp_validator.h

diff --git a/extensions/common/csp_validator.h b/extensions/common/csp_validator.h

index 192f898c8664c8a2db70158a5b38225ad9ab0d73..5d49cfe512ce9af088089262dae2426aaac41508 100644

--- a/extensions/common/csp_validator.h

+++ b/extensions/common/csp_validator.h

@@ -21,12 +21,12 @@ bool ContentSecurityPolicyIsLegal(const std::string& policy);

// This specifies options for configuring which CSP directives are permitted in

// extensions.

enum Options {

- OPTIONS_NONE = 0,

- // Allows 'unsafe-eval' to be specified as a source in a directive.

- OPTIONS_ALLOW_UNSAFE_EVAL = 1 << 0,

- // Allow an object-src to be specified with any sources (i.e. it may contain

- // wildcards or http sources).

- OPTIONS_ALLOW_INSECURE_OBJECT_SRC = 1 << 1,

+ OPTIONS_NONE = 0,

+ // Allows 'unsafe-eval' to be specified as a source in a directive.

+ OPTIONS_ALLOW_UNSAFE_EVAL = 1 << 0,

+ // Allow an object-src to be specified with any sources (i.e. it may contain

+ // wildcards or http sources).

+ OPTIONS_ALLOW_INSECURE_OBJECT_SRC = 1 << 1,

not at google - send to devlin 2014/12/01 19:19:31 This intentation change doesn't look necessary. cl

robwu 2014/12/02 23:42:09 Undone (I did the change because vim highlighted t

};

// Checks whether the given |policy| meets the minimum security requirements

@@ -41,8 +41,15 @@ enum Options {

// case for extensions. Platform apps disallow it.

// |options| is a bitmask of Options.

-bool ContentSecurityPolicyIsSecure(

- const std::string& policy, int options);

+//

+// If |sanitized_csp| is not NULL, |policy| minus the insecure values is stored

+// in |sanitized_csp|.

+// If |warnings| is not NULL, any validation errors are appended to |warnings|.

+// Returns whether |policy| meets the minimum security requirements.

+bool ContentSecurityPolicyIsSecure(const std::string& policy,

+ int options,

+ std::string* sanitized_csp,

+ std::vector<InstallWarning>* warnings);

// Checks whether the given |policy| enforces a unique origin sandbox as

// defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/