Chromium Code Reviews Chromium Code Reviews
Issue 760513003:
Only allow insecure object-src directives for whitelisted mime types (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@extensions-csp3| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/manifest_handlers/csp_info.h" | 5 #include "extensions/common/manifest_handlers/csp_info.h" |
| 6 | 6 |
| 7 #include "base/memory/scoped_ptr.h" | 7 #include "base/memory/scoped_ptr.h" |
| 8 #include "base/strings/string_util.h" | 8 #include "base/strings/string_util.h" |
| 9 #include "base/strings/utf_string_conversions.h" | 9 #include "base/strings/utf_string_conversions.h" |
| 10 #include "base/values.h" | 10 #include "base/values.h" |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 37 "img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | 37 "img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" |
| 38 "frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | 38 "frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" |
| 39 "font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | 39 "font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" |
| 40 // Media can be loaded from remote resources since: | 40 // Media can be loaded from remote resources since: |
| 41 // 1. <video> and <audio> have good fallback behavior when offline or under | 41 // 1. <video> and <audio> have good fallback behavior when offline or under |
| 42 // spotty connectivity. | 42 // spotty connectivity. |
| 43 // 2. Fetching via XHR and serving via blob: URLs currently does not allow | 43 // 2. Fetching via XHR and serving via blob: URLs currently does not allow |
| 44 // streaming or partial buffering. | 44 // streaming or partial buffering. |
| 45 "media-src *;"; | 45 "media-src *;"; |
| 46 | 46 |
| 47 int GetValidatorOptions(Extension* extension) { | |
| 48 int options = csp_validator::OPTIONS_NONE; | |
| 49 | |
| 50 // crbug.com/146487 | |
| 51 if (extension->GetType() == Manifest::TYPE_EXTENSION || | |
| 52 extension->GetType() == Manifest::TYPE_LEGACY_PACKAGED_APP) { | |
| 53 options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL; | |
| 54 } | |
| 55 | |
| 56 // Component extensions can specify an insecure object-src directive. This | |
| 57 // should be safe because non-NPAPI plugins should load in a sandboxed process | |
| 58 // and only allow communication via postMessage. Flash is an exception since | |
| 59 // it allows scripting into the embedder page, but even then it should | |
| 60 // disallow cross-origin scripting. At some point we may want to consider | |
| 61 // allowing this publicly. | |
|
Mike West
2014/11/25 13:42:36
What conditions will have to be met to allow this
raymes
2014/11/25 13:51:05
From my understanding of things, this would be rea
| |
| 62 if (extensions::Manifest::IsComponentLocation(extension->location())) | |
| 63 options |= csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC; | |
| 64 | |
| 65 return options; | |
| 66 } | |
| 67 | |
| 47 } // namespace | 68 } // namespace |
| 48 | 69 |
| 49 CSPInfo::CSPInfo(const std::string& security_policy) | 70 CSPInfo::CSPInfo(const std::string& security_policy) |
| 50 : content_security_policy(security_policy) { | 71 : content_security_policy(security_policy) { |
| 51 } | 72 } |
| 52 | 73 |
| 53 CSPInfo::~CSPInfo() { | 74 CSPInfo::~CSPInfo() { |
| 54 } | 75 } |
| 55 | 76 |
| 56 // static | 77 // static |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 81 const std::string key = Keys()[0]; | 102 const std::string key = Keys()[0]; |
| 82 if (!extension->manifest()->HasPath(key)) { | 103 if (!extension->manifest()->HasPath(key)) { |
| 83 if (extension->manifest_version() >= 2) { | 104 if (extension->manifest_version() >= 2) { |
| 84 // TODO(abarth): Should we continue to let extensions override the | 105 // TODO(abarth): Should we continue to let extensions override the |
| 85 // default Content-Security-Policy? | 106 // default Content-Security-Policy? |
| 86 std::string content_security_policy = is_platform_app_ ? | 107 std::string content_security_policy = is_platform_app_ ? |
| 87 kDefaultPlatformAppContentSecurityPolicy : | 108 kDefaultPlatformAppContentSecurityPolicy : |
| 88 kDefaultContentSecurityPolicy; | 109 kDefaultContentSecurityPolicy; |
| 89 | 110 |
| 90 CHECK(ContentSecurityPolicyIsSecure(content_security_policy, | 111 CHECK(ContentSecurityPolicyIsSecure(content_security_policy, |
| 91 extension->GetType())); | 112 GetValidatorOptions(extension))); |
| 92 extension->SetManifestData(keys::kContentSecurityPolicy, | 113 extension->SetManifestData(keys::kContentSecurityPolicy, |
| 93 new CSPInfo(content_security_policy)); | 114 new CSPInfo(content_security_policy)); |
| 94 } | 115 } |
| 95 return true; | 116 return true; |
| 96 } | 117 } |
| 97 | 118 |
| 98 std::string content_security_policy; | 119 std::string content_security_policy; |
| 99 if (!extension->manifest()->GetString(key, &content_security_policy)) { | 120 if (!extension->manifest()->GetString(key, &content_security_policy)) { |
| 100 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy); | 121 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy); |
| 101 return false; | 122 return false; |
| 102 } | 123 } |
| 103 if (!ContentSecurityPolicyIsLegal(content_security_policy)) { | 124 if (!ContentSecurityPolicyIsLegal(content_security_policy)) { |
| 104 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy); | 125 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy); |
| 105 return false; | 126 return false; |
| 106 } | 127 } |
| 107 if (extension->manifest_version() >= 2 && | 128 if (extension->manifest_version() >= 2 && |
| 108 !ContentSecurityPolicyIsSecure(content_security_policy, | 129 !ContentSecurityPolicyIsSecure(content_security_policy, |
| 109 extension->GetType())) { | 130 GetValidatorOptions(extension))) { |
| 110 *error = base::ASCIIToUTF16(errors::kInsecureContentSecurityPolicy); | 131 *error = base::ASCIIToUTF16(errors::kInsecureContentSecurityPolicy); |
| 111 return false; | 132 return false; |
| 112 } | 133 } |
| 113 | 134 |
| 114 extension->SetManifestData(keys::kContentSecurityPolicy, | 135 extension->SetManifestData(keys::kContentSecurityPolicy, |
| 115 new CSPInfo(content_security_policy)); | 136 new CSPInfo(content_security_policy)); |
| 116 return true; | 137 return true; |
| 117 } | 138 } |
| 118 | 139 |
| 119 bool CSPHandler::AlwaysParseForType(Manifest::Type type) const { | 140 bool CSPHandler::AlwaysParseForType(Manifest::Type type) const { |
| 120 if (is_platform_app_) | 141 if (is_platform_app_) |
| 121 return type == Manifest::TYPE_PLATFORM_APP; | 142 return type == Manifest::TYPE_PLATFORM_APP; |
| 122 else | 143 else |
| 123 return type == Manifest::TYPE_EXTENSION || | 144 return type == Manifest::TYPE_EXTENSION || |
| 124 type == Manifest::TYPE_LEGACY_PACKAGED_APP; | 145 type == Manifest::TYPE_LEGACY_PACKAGED_APP; |
| 125 } | 146 } |
| 126 | 147 |
| 127 const std::vector<std::string> CSPHandler::Keys() const { | 148 const std::vector<std::string> CSPHandler::Keys() const { |
| 128 const std::string& key = is_platform_app_ ? | 149 const std::string& key = is_platform_app_ ? |
| 129 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy; | 150 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy; |
| 130 return SingleKey(key); | 151 return SingleKey(key); |
| 131 } | 152 } |
| 132 | 153 |
| 133 } // namespace extensions | 154 } // namespace extensions |
| OLD | NEW |
