Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(8257)

Unified Diff: chrome/common/extensions/extension.cc

Issue 10458063: Add sanbdoxed_pages to allow extension/app pages to be served in a sandboxed, unique origin (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: CheckCurrentContextAccessToExtensionAPI Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: chrome/common/extensions/extension.cc
diff --git a/chrome/common/extensions/extension.cc b/chrome/common/extensions/extension.cc
index 54e056617ede1fb55352371f612050bdb4ffb5de..b6050b0daf10ef7fae6f9f7f05b488fd8df38d66 100644
--- a/chrome/common/extensions/extension.cc
+++ b/chrome/common/extensions/extension.cc
@@ -61,6 +61,7 @@ namespace info_keys = extension_info_keys;
namespace switch_utils = extensions::switch_utils;
using extensions::csp_validator::ContentSecurityPolicyIsLegal;
+using extensions::csp_validator::ContentSecurityPolicyIsSandboxed;
using extensions::csp_validator::ContentSecurityPolicyIsSecure;
namespace extensions {
@@ -102,6 +103,9 @@ const char kDefaultPlatformAppContentSecurityPolicy[] =
"frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
"font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";";
+const char kDefaultSandboxedPageContentSecurityPolicy[] =
+ "sandbox allow-scripts allow-forms";
+
// Converts a normal hexadecimal string into the alphabet used by extensions.
// We use the characters 'a'-'p' instead of '0'-'f' to avoid ever having a
// completely numeric host, since some software interprets that as an IP
@@ -526,6 +530,17 @@ bool Extension::HasWebAccessibleResources() const {
return false;
}
+bool Extension::IsSandboxedPage(const std::string& relative_path) const {
+ return sandboxed_pages_.find(relative_path) != sandboxed_pages_.end();
+}
+
+
+std::string Extension::GetResourceContentSecurityPolicy(
+ const std::string& relative_path) const {
+ return IsSandboxedPage(relative_path) ?
+ sandboxed_pages_content_security_policy_ : content_security_policy_;
+}
+
bool Extension::GenerateId(const std::string& input, std::string* output) {
DCHECK(output);
uint8 hash[Extension::kIdSize];
@@ -1280,6 +1295,7 @@ bool Extension::LoadSharedFeatures(
!LoadPlugins(error) ||
!LoadNaClModules(error) ||
!LoadWebAccessibleResources(error) ||
+ !LoadSandboxedPages(error) ||
!CheckRequirements(error) ||
!LoadDefaultLocale(error) ||
!LoadOfflineEnabled(error) ||
@@ -1551,7 +1567,7 @@ bool Extension::LoadNaClModules(string16* error) {
bool Extension::LoadWebAccessibleResources(string16* error) {
if (!manifest_->HasKey(keys::kWebAccessibleResources))
return true;
- ListValue* list_value;
+ ListValue* list_value = NULL;
if (!manifest_->GetList(keys::kWebAccessibleResources, &list_value)) {
*error = ASCIIToUTF16(errors::kInvalidWebAccessibleResourcesList);
return false;
@@ -1571,6 +1587,53 @@ bool Extension::LoadWebAccessibleResources(string16* error) {
return true;
}
+bool Extension::LoadSandboxedPages(string16* error) {
+ // Can't use HasKey, since it doesn't do path expansion.
+ Value* ignored = NULL;
+ if (!manifest_->Get(keys::kSandboxedPages, &ignored))
+ return true;
+
+ ListValue* list_value = NULL;
+ if (!manifest_->GetList(keys::kSandboxedPages, &list_value)) {
+ *error = ASCIIToUTF16(errors::kInvalidSandboxedPagesList);
+ return false;
+ }
+ for (size_t i = 0; i < list_value->GetSize(); ++i) {
+ std::string relative_path;
+ if (!list_value->GetString(i, &relative_path)) {
+ *error = ExtensionErrorUtils::FormatErrorMessageUTF16(
+ errors::kInvalidSandboxedPage, base::IntToString(i));
+ return false;
+ }
+ if (relative_path[0] != '/')
+ relative_path = '/' + relative_path;
+ sandboxed_pages_.insert(relative_path);
+ }
+
+ if (manifest_->Get(keys::kSandboxedPagesCSP, &ignored)) {
+ if (!manifest_->GetString(
+ keys::kSandboxedPagesCSP, &sandboxed_pages_content_security_policy_)) {
+ *error = ASCIIToUTF16(errors::kInvalidSandboxedPagesCSP);
+ return false;
+ }
+
+ if (!ContentSecurityPolicyIsLegal(
+ sandboxed_pages_content_security_policy_) ||
+ !ContentSecurityPolicyIsSandboxed(
+ sandboxed_pages_content_security_policy_, GetType())) {
+ *error = ASCIIToUTF16(errors::kInvalidSandboxedPagesCSP);
+ return false;
+ }
+ } else {
+ sandboxed_pages_content_security_policy_ =
+ kDefaultSandboxedPageContentSecurityPolicy;
+ CHECK(ContentSecurityPolicyIsSandboxed(
+ sandboxed_pages_content_security_policy_, GetType()));
+ }
+
+ return true;
+}
+
// These are not actually persisted (they're only used by the store), but
// still validated.
bool Extension::CheckRequirements(string16* error) {

Powered by Google App Engine
This is Rietveld 408576698