Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(947)

Unified Diff: chrome/common/extensions/csp_validator.cc

Issue 10458063: Add sanbdoxed_pages to allow extension/app pages to be served in a sandboxed, unique origin (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: CheckCurrentContextAccessToExtensionAPI Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: chrome/common/extensions/csp_validator.cc
diff --git a/chrome/common/extensions/csp_validator.cc b/chrome/common/extensions/csp_validator.cc
index 7b28bdf9e54c17b986ec539503d93143f47963de..a57bdb0ce9bbb3288d744dcf2c7da383d015ea7b 100644
--- a/chrome/common/extensions/csp_validator.cc
+++ b/chrome/common/extensions/csp_validator.cc
@@ -18,6 +18,11 @@ const char kDefaultSrc[] = "default-src";
const char kScriptSrc[] = "script-src";
const char kObjectSrc[] = "object-src";
+const char kSandboxDirectiveName[] = "sandbox";
+const char kAllowSameOriginToken[] = "allow-same-origin";
+const char kAllowTopNavigation[] = "allow-top-navigation";
+const char kAllowPopups[] = "allow-popups";
+
struct DirectiveStatus {
explicit DirectiveStatus(const char* name)
: directive_name(name)
@@ -119,6 +124,48 @@ bool ContentSecurityPolicyIsSecure(const std::string& policy) {
(script_src_status.seen_in_policy && object_src_status.seen_in_policy);
}
+bool ContentSecurityPolicyIsSandboxed(
+ const std::string& policy, Extension::Type type) {
+ // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
+ std::vector<std::string> directives;
+ base::SplitString(policy, ';', &directives);
+
+ bool seen_sandbox = false;
+
+ for (size_t i = 0; i < directives.size(); ++i) {
+ std::string& input = directives[i];
+ StringTokenizer tokenizer(input, " \t\r\n");
+ if (!tokenizer.GetNext())
+ continue;
+
+ std::string directive_name = tokenizer.token();
+ StringToLowerASCII(&directive_name);
+
+ if (directive_name != kSandboxDirectiveName)
+ continue;
+
+ seen_sandbox = true;
+
+ while (tokenizer.GetNext()) {
+ std::string token = tokenizer.token();
+ StringToLowerASCII(&token);
+
+ // The same origin token negates the sandboxing.
+ if (token == kAllowSameOriginToken)
+ return false;
+
+ // Platform apps don't allow navigation (and have a separate windowing
+ // API that should be used for popups)
+ if (type == Extension::TYPE_PLATFORM_APP) {
+ if (token == kAllowTopNavigation || token == kAllowPopups)
+ return false;
+ }
+ }
+ }
+
+ return seen_sandbox;
+}
+
} // csp_validator
} // extensions

Powered by Google App Engine
This is Rietveld 408576698