OLD | NEW |
1 <h1>Content Security Policy (CSP)</h1> | 1 <h1>Content Security Policy (CSP)</h1> |
2 | 2 |
3 | 3 |
4 <p> | 4 <p> |
5 In order to mitigate a large class of potental cross-site scripting issues, | 5 In order to mitigate a large class of potental cross-site scripting issues, |
6 Chrome's extension system has incorporated the general concept of | 6 Chrome's extension system has incorporated the general concept of |
7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html"> | 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html"> |
8 <strong>Content Security Policy (CSP)</strong> | 8 <strong>Content Security Policy (CSP)</strong> |
9 </a>. This introduces some fairly strict policies that will make extensions | 9 </a>. This introduces some fairly strict policies that will make extensions |
10 more secure by default, and provides you with the ability to create and | 10 more secure by default, and provides you with the ability to create and |
(...skipping 21 matching lines...) Expand all Loading... |
32 <pre>{ | 32 <pre>{ |
33 ..., | 33 ..., |
34 "content_security_policy": "[POLICY STRING GOES HERE]" | 34 "content_security_policy": "[POLICY STRING GOES HERE]" |
35 ... | 35 ... |
36 }</pre> | 36 }</pre> |
37 | 37 |
38 <p class="note"> | 38 <p class="note"> |
39 For full details regarding CSP's syntax, please take a look at | 39 For full details regarding CSP's syntax, please take a look at |
40 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html#syntax"> | 40 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif
ication.dev.html#syntax"> |
41 the Content Security Policy specification | 41 the Content Security Policy specification |
42 </a>. | 42 </a>, and the <a href="http://www.html5rocks.com/en/tutorials/security/content
-security-policy/"> |
| 43 "An Introduction to Content Security Policy" |
| 44 </a> article on HTML5Rocks. |
43 </p> | 45 </p> |
44 | 46 |
45 <h2>Default Policy Restrictions</h2> | 47 <h2>Default Policy Restrictions</h2> |
46 | 48 |
47 <p> | 49 <p> |
48 Packages that do not define a <a href="manifestVersion.html"> | 50 Packages that do not define a <a href="manifestVersion.html"> |
49 <code>manifest_version</code> | 51 <code>manifest_version</code> |
50 </a> have no default content security policy. Those that select | 52 </a> have no default content security policy. Those that select |
51 <code>manifest_version</code></a> 2, have a default content security policy | 53 <code>manifest_version</code></a> 2, have a default content security policy |
52 of: | 54 of: |
(...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
212 <body> | 214 <body> |
213 <button>Click for awesomeness!</button> | 215 <button>Click for awesomeness!</button> |
214 </body> | 216 </body> |
215 </html></pre> | 217 </html></pre> |
216 | 218 |
217 <h2>Relaxing the default policy</h2> | 219 <h2>Relaxing the default policy</h2> |
218 | 220 |
219 <p> | 221 <p> |
220 There is no mechanism for relaxing the restriction against executing inline | 222 There is no mechanism for relaxing the restriction against executing inline |
221 JavaScript. In particular, setting a script policy that includes | 223 JavaScript. In particular, setting a script policy that includes |
222 <code>unsafe-inline</code> will have no effect. This is intentional. | 224 <code>unsafe-inline</code> will have no effect. Likewise, there is no |
| 225 mechanism for enabling <code>eval</code>-like constructs. Setting a script |
| 226 policy that includes <code>unsafe-eval</code> will have no effect. This is |
| 227 intentional. |
223 </p> | 228 </p> |
224 | 229 |
225 <p> | 230 <p> |
226 If, on the other hand, you have a need for some external JavaScript or object | 231 If, on the other hand, you have a need for some external JavaScript or object |
227 resources, you can relax the policy to a limited extent by whitelisting | 232 resources, you can relax the policy to a limited extent by whitelisting |
228 secure origins from which scripts should be accepted. We want to ensure that | 233 secure origins from which scripts should be accepted. We want to ensure that |
229 executable resources loaded with an extension's elevated permissions are | 234 executable resources loaded with an extension's elevated permissions are |
230 exactly the resources you expect, and haven't been replaced by an active | 235 exactly the resources you expect, and haven't been replaced by an active |
231 network attacker. As <a | 236 network attacker. As <a |
232 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle | 237 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle |
233 attacks</a> are both trivial and undetectable over HTTP, those origins will | 238 attacks</a> are both trivial and undetectable over HTTP, those origins will |
234 not be accepted. Currently, we allow whitelisting origins with the following | 239 not be accepted. Currently, we allow whitelisting origins with the following |
235 schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and | 240 schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and |
236 <code>chrome-extension-resource</code>. | 241 <code>chrome-extension-resource</code>. |
237 </p> | 242 </p> |
238 | 243 |
239 <p> | 244 <p> |
240 To ease development, we're also allowing the whitelisting of resources loaded | 245 To ease development, we're also allowing the whitelisting of resources loaded |
241 over HTTP from servers on your local machine. You may whitelist script and | 246 over HTTP from servers on your local machine. You may whitelist script and |
242 object sources on any port of either <code>http://127.0.0.1</code> or | 247 object sources on any port of either <code>http://127.0.0.1</code> or |
243 <code>http://localhost</code>. | 248 <code>http://localhost</code>. |
244 </p> | 249 </p> |
245 | 250 |
| 251 <p class="note"> |
| 252 The restriction against resources loaded over HTTP applies only to those |
| 253 resources which are directly executed. You're still free, for example, to |
| 254 make XMLHTTPRequest connections to any origin you like; the default policy |
| 255 doesn't restrict <code>connect-src</code> or any of the other CSP directives |
| 256 in any way. |
| 257 </p> |
| 258 |
246 <p> | 259 <p> |
247 A relaxed policy definition which allows script resources to be loaded from | 260 A relaxed policy definition which allows script resources to be loaded from |
248 <code>example.com</code> over HTTPS might look like: | 261 <code>example.com</code> over HTTPS might look like: |
249 </p> | 262 </p> |
250 | 263 |
251 <pre>{ | 264 <pre>{ |
252 ..., | 265 ..., |
253 "content_security_policy": "script-src 'self' https://example.com; object-src
'self'", | 266 "content_security_policy": "script-src 'self' https://example.com; object-src
'self'", |
254 ... | 267 ... |
255 }</pre> | 268 }</pre> |
(...skipping 16 matching lines...) Expand all Loading... |
272 | 285 |
273 <p> | 286 <p> |
274 You may, of course, tighten this policy to whatever extent your extension | 287 You may, of course, tighten this policy to whatever extent your extension |
275 allows in order to increase security at the expense of convenience. To specify | 288 allows in order to increase security at the expense of convenience. To specify |
276 that your extension can only load resources of <em>any</em> type (images, etc) | 289 that your extension can only load resources of <em>any</em> type (images, etc) |
277 from its own package, for example, a policy of <code>default-src 'self'</code> | 290 from its own package, for example, a policy of <code>default-src 'self'</code> |
278 would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample | 291 would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample |
279 extension is a good example of an extension that's been locked down above and | 292 extension is a good example of an extension that's been locked down above and |
280 beyond the defaults. | 293 beyond the defaults. |
281 </p> | 294 </p> |
OLD | NEW |