| OLD | NEW |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | 5 #ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ |
| 6 #define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | 6 #define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ |
| 7 #pragma once | 7 #pragma once |
| 8 | 8 |
| 9 #include <string> | 9 #include <string> |
| 10 | 10 |
| 11 #include "chrome/common/extensions/extension.h" |
| 12 |
| 11 namespace extensions { | 13 namespace extensions { |
| 12 | 14 |
| 13 namespace csp_validator { | 15 namespace csp_validator { |
| 14 | 16 |
| 15 // Checks whether the given |policy| is legal for use in the extension system. | 17 // Checks whether the given |policy| is legal for use in the extension system. |
| 16 // This check just ensures that the policy doesn't contain any characters that | 18 // This check just ensures that the policy doesn't contain any characters that |
| 17 // will cause problems when we transmit the policy in an HTTP header. | 19 // will cause problems when we transmit the policy in an HTTP header. |
| 18 bool ContentSecurityPolicyIsLegal(const std::string& policy); | 20 bool ContentSecurityPolicyIsLegal(const std::string& policy); |
| 19 | 21 |
| 20 // Checks whether the given |policy| meets the minimum security requirements | 22 // Checks whether the given |policy| meets the minimum security requirements |
| 21 // for use in the extension system. The philosophy behind our minimum | 23 // for use in the extension system. The philosophy behind our minimum |
| 22 // requirements is that an XSS vulnerability in the extension should not be | 24 // requirements is that an XSS vulnerability in the extension should not be |
| 23 // able to execute script, even in the precense of an active network attacker. | 25 // able to execute script, even in the precense of an active network attacker. |
| 24 // Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is | 26 // Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is |
| 25 // script or object inclusion from insecure schemes. Also, the use of * is | 27 // script or object inclusion from insecure schemes. Also, the use of * is |
| 26 // forbidden for scripts and objects. | 28 // forbidden for scripts and objects. |
| 27 bool ContentSecurityPolicyIsSecure(const std::string& policy); | 29 bool ContentSecurityPolicyIsSecure(const std::string& policy); |
| 28 | 30 |
| 31 // Checks whether the given |policy| enforces a unique origin sandbox as |
| 32 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/ |
| 33 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the |
| 34 // "sandbox" directive, and the sandbox tokens must not include |
| 35 // "allow-same-origin". Additional restrictions may be imposed depending on |
| 36 // |type|. |
| 37 bool ContentSecurityPolicyIsSandboxed( |
| 38 const std::string& policy, Extension::Type type); |
| 39 |
| 29 } // namespace csp_validator | 40 } // namespace csp_validator |
| 30 | 41 |
| 31 } // namespace extensions | 42 } // namespace extensions |
| 32 | 43 |
| 33 #endif // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ | 44 #endif // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_ |
| OLD | NEW |