| Index: chrome/common/extensions/csp_validator.cc
|
| diff --git a/chrome/common/extensions/csp_validator.cc b/chrome/common/extensions/csp_validator.cc
|
| index 7b28bdf9e54c17b986ec539503d93143f47963de..a57bdb0ce9bbb3288d744dcf2c7da383d015ea7b 100644
|
| --- a/chrome/common/extensions/csp_validator.cc
|
| +++ b/chrome/common/extensions/csp_validator.cc
|
| @@ -18,6 +18,11 @@ const char kDefaultSrc[] = "default-src";
|
| const char kScriptSrc[] = "script-src";
|
| const char kObjectSrc[] = "object-src";
|
|
|
| +const char kSandboxDirectiveName[] = "sandbox";
|
| +const char kAllowSameOriginToken[] = "allow-same-origin";
|
| +const char kAllowTopNavigation[] = "allow-top-navigation";
|
| +const char kAllowPopups[] = "allow-popups";
|
| +
|
| struct DirectiveStatus {
|
| explicit DirectiveStatus(const char* name)
|
| : directive_name(name)
|
| @@ -119,6 +124,48 @@ bool ContentSecurityPolicyIsSecure(const std::string& policy) {
|
| (script_src_status.seen_in_policy && object_src_status.seen_in_policy);
|
| }
|
|
|
| +bool ContentSecurityPolicyIsSandboxed(
|
| + const std::string& policy, Extension::Type type) {
|
| + // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
|
| + std::vector<std::string> directives;
|
| + base::SplitString(policy, ';', &directives);
|
| +
|
| + bool seen_sandbox = false;
|
| +
|
| + for (size_t i = 0; i < directives.size(); ++i) {
|
| + std::string& input = directives[i];
|
| + StringTokenizer tokenizer(input, " \t\r\n");
|
| + if (!tokenizer.GetNext())
|
| + continue;
|
| +
|
| + std::string directive_name = tokenizer.token();
|
| + StringToLowerASCII(&directive_name);
|
| +
|
| + if (directive_name != kSandboxDirectiveName)
|
| + continue;
|
| +
|
| + seen_sandbox = true;
|
| +
|
| + while (tokenizer.GetNext()) {
|
| + std::string token = tokenizer.token();
|
| + StringToLowerASCII(&token);
|
| +
|
| + // The same origin token negates the sandboxing.
|
| + if (token == kAllowSameOriginToken)
|
| + return false;
|
| +
|
| + // Platform apps don't allow navigation (and have a separate windowing
|
| + // API that should be used for popups)
|
| + if (type == Extension::TYPE_PLATFORM_APP) {
|
| + if (token == kAllowTopNavigation || token == kAllowPopups)
|
| + return false;
|
| + }
|
| + }
|
| + }
|
| +
|
| + return seen_sandbox;
|
| +}
|
| +
|
| } // csp_validator
|
|
|
| } // extensions
|
|
|