Chromium Code Reviews

Unified Diff: chrome/common/extensions/docs/extensions/contentSecurityPolicy.html

Issue 10837255: Clarifying the CSP restrictions with regard to `connect-src` and `unsafe-eval`. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 4 months ago
Index: chrome/common/extensions/docs/extensions/contentSecurityPolicy.html
diff --git a/chrome/common/extensions/docs/extensions/contentSecurityPolicy.html b/chrome/common/extensions/docs/extensions/contentSecurityPolicy.html
index e55979bbbe9108d27fee8dcd5e2fe567d4e3f155..a71bbd0bfc407710b696cb6b93b062ec4174e715 100644
--- a/chrome/common/extensions/docs/extensions/contentSecurityPolicy.html
+++ b/chrome/common/extensions/docs/extensions/contentSecurityPolicy.html
@@ -253,7 +253,9 @@
For full details regarding CSP's syntax, please take a look at
<a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#syntax">
the Content Security Policy specification
- </a>.
+ </a>, and the <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy/">
+ "An Introduction to Content Security Policy"
+ </a> article on HTML5Rocks.
</p>
<a name="H2-0"></a><h2>Default Policy Restrictions</h2>
<p>
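Review bot: Both links in this paragraph are plain `http://` URLs, and the existing spec link points at the editor's draft under `raw-file/tip`, which is rewritten as the draft changes, so the `#syntax` anchor can silently stop matching; for a page that tells extension authors their scripts must come over HTTPS, use `https://` where the host supports it and, for the spec, link a dated or published snapshot. Also, the straight quotes around the article title inside the anchor read awkwardly; `the HTML5Rocks article <a href="...">An Introduction to Content Security Policy</a>` flows better and keeps the anchor text as the title.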
@@ -402,7 +404,10 @@ popup.html:
<p>
There is no mechanism for relaxing the restriction against executing inline
JavaScript. In particular, setting a script policy that includes
- <code>unsafe-inline</code> will have no effect. This is intentional.
+ <code>unsafe-inline</code> will have no effect. Likewise, there is no
+ mechanism for enabling <code>eval</code>-like constructs. Setting a script
+ policy that includes <code>unsafe-eval</code> will have no effect. This is
+ intentional.
</p>
<p>
If, on the other hand, you have a need for some external JavaScript or object
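Review bot: "eval-like constructs" should be spelled out, because readers run into the same restriction through `new Function(...)` and string arguments to `setTimeout`/`setInterval`, not only through `eval()`, and they will not recognise those as `eval`-like without being told. The two parallel sentences also repeat "will have no effect"; folding them into one keeps the point sharper, e.g. "Setting a script policy that includes `unsafe-inline` or `unsafe-eval` will have no effect. This is intentional."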
@@ -422,6 +427,13 @@ popup.html:
object sources on any port of either <code>http://127.0.0.1</code> or
<code>http://localhost</code>.
</p>
+<p class="note">
+ The restriction against resources loaded over HTTP applies only to those
+ resources which are directly executed. You're still free, for example, to
+ make XMLHTTPRequest connections to any origin you like; the default policy
+ doesn't restrict <code>connect-src</code> or any of the other CSP directives
+ in any way.
+</p>
<p>
A relaxed policy definition which allows script resources to be loaded from
<code>example.com</code> over HTTPS might look like:
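Review bot: "the default policy doesn't restrict `connect-src` or any of the other CSP directives in any way" and "any origin you like" overstate the case in two directions. First, the section above this one says `unsafe-eval` has no effect, so data fetched with XMLHttpRequest can be read but never turned into code; the note should say that the HTTP restriction is about what gets executed, not that fetched content is unrestricted, otherwise readers may conclude they can fetch script text over HTTP and `eval` it. Second, cross-origin XMLHttpRequest from an extension is gated by the extension's host permissions rather than by CSP, so "any origin you like" should read "any origin your permissions allow". Also fix the capitalisation: `XMLHTTPRequest` should be `XMLHttpRequest`.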
