Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(48)

Side by Side Diff: chrome/common/extensions/csp_validator.h

Issue 10458063: Add sanbdoxed_pages to allow extension/app pages to be served in a sandboxed, unique origin (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: CheckCurrentContextAccessToExtensionAPI Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ 5 #ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_
6 #define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ 6 #define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_
7 #pragma once 7 #pragma once
8 8
9 #include <string> 9 #include <string>
10 10
11 #include "chrome/common/extensions/extension.h"
12
11 namespace extensions { 13 namespace extensions {
12 14
13 namespace csp_validator { 15 namespace csp_validator {
14 16
15 // Checks whether the given |policy| is legal for use in the extension system. 17 // Checks whether the given |policy| is legal for use in the extension system.
16 // This check just ensures that the policy doesn't contain any characters that 18 // This check just ensures that the policy doesn't contain any characters that
17 // will cause problems when we transmit the policy in an HTTP header. 19 // will cause problems when we transmit the policy in an HTTP header.
18 bool ContentSecurityPolicyIsLegal(const std::string& policy); 20 bool ContentSecurityPolicyIsLegal(const std::string& policy);
19 21
20 // Checks whether the given |policy| meets the minimum security requirements 22 // Checks whether the given |policy| meets the minimum security requirements
21 // for use in the extension system. The philosophy behind our minimum 23 // for use in the extension system. The philosophy behind our minimum
22 // requirements is that an XSS vulnerability in the extension should not be 24 // requirements is that an XSS vulnerability in the extension should not be
23 // able to execute script, even in the precense of an active network attacker. 25 // able to execute script, even in the precense of an active network attacker.
24 // Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is 26 // Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is
25 // script or object inclusion from insecure schemes. Also, the use of * is 27 // script or object inclusion from insecure schemes. Also, the use of * is
26 // forbidden for scripts and objects. 28 // forbidden for scripts and objects.
27 bool ContentSecurityPolicyIsSecure(const std::string& policy); 29 bool ContentSecurityPolicyIsSecure(const std::string& policy);
28 30
31 // Checks whether the given |policy| enforces a unique origin sandbox as
32 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/
33 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the
34 // "sandbox" directive, and the sandbox tokens must not include
35 // "allow-same-origin". Additional restrictions may be imposed depending on
36 // |type|.
37 bool ContentSecurityPolicyIsSandboxed(
38 const std::string& policy, Extension::Type type);
39
29 } // namespace csp_validator 40 } // namespace csp_validator
30 41
31 } // namespace extensions 42 } // namespace extensions
32 43
33 #endif // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ 44 #endif // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698