Chromium Code Reviews
Side by Side Diff: chrome/common/extensions/docs/server2/templates/articles/contentSecurityPolicy.html

Issue 10855122: Whitelisting `127.0.0.1` and `localhost` for HTTP in extensions' CSP. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Second pass. Created 8 years, 4 months ago
1 <h1>Content Security Policy (CSP)</h1> 1 <h1>Content Security Policy (CSP)</h1>
2 2
3 3
4 <p> 4 <p>
5 In order to mitigate a large class of potental cross-site scripting issues, 5 In order to mitigate a large class of potental cross-site scripting issues,
6 Chrome's extension system has incorporated the general concept of 6 Chrome's extension system has incorporated the general concept of
7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html"> 7 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specif ication.dev.html">
8 <strong>Content Security Policy (CSP)</strong> 8 <strong>Content Security Policy (CSP)</strong>
9 </a>. This introduces some fairly strict policies that will make extensions 9 </a>. This introduces some fairly strict policies that will make extensions
10 more secure by default, and provides you with the ability to create and 10 more secure by default, and provides you with the ability to create and
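Review bot: drive-by on the unchanged context line "In order to mitigate a large class of potental cross-site scripting issues": "potental" should be "potential". Not part of this change, but worth fixing while the article is being edited.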
(...skipping 219 matching lines...)
230 exactly the resources you expect, and haven't been replaced by an active 230 exactly the resources you expect, and haven't been replaced by an active
231 network attacker. As <a 231 network attacker. As <a
232 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle 232 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
233 attacks</a> are both trivial and undetectable over HTTP, those origins will 233 attacks</a> are both trivial and undetectable over HTTP, those origins will
234 not be accepted. Currently, we allow whitelisting origins with the following 234 not be accepted. Currently, we allow whitelisting origins with the following
235 schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and 235 schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and
236 <code>chrome-extension-resource</code>. 236 <code>chrome-extension-resource</code>.
237 </p> 237 </p>
238 238
239 <p> 239 <p>
240 To ease development, we're also allowing the whitelisting of resources loaded
241 over HTTP from servers on your local machine. You may whitelist script and
242 object sources on any port of either <code>http://127.0.0.1</code> or
243 <code>http://localhost</code>.
244 </p>
245
246 <p>
240 A relaxed policy definition which allows script resources to be loaded from 247 A relaxed policy definition which allows script resources to be loaded from
241 <code>example.com</code> over HTTPS might look like: 248 <code>example.com</code> over HTTPS might look like:
242 </p> 249 </p>
243 250
244 <pre>{ 251 <pre>{
245 ..., 252 ...,
246 "content_security_policy": "script-src 'self' https://example.com; object-src 'self'", 253 "content_security_policy": "script-src 'self' https://example.com; object-src 'self'",
247 ... 254 ...
248 }</pre> 255 }</pre>
249 256
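Review bot: the new paragraph says you may whitelist script and object sources "on any port of either http://127.0.0.1 or http://localhost", but it never shows what the manifest entry looks like, and the only example that follows still uses an HTTPS origin (`"script-src 'self' https://example.com; object-src 'self'"`). Suggest stating whether `http://localhost` with no port matches every port or whether each port has to be listed explicitly (for example `http://localhost:8000`), and adding a one-line local-development example beside the HTTPS one. The earlier sentence "Currently, we allow whitelisting origins with the following schemes: HTTPS, chrome-extension, and chrome-extension-resource" is now contradicted by the localhost exception; a short qualifier such as "other than the local development hosts described below" would keep the two paragraphs consistent. Finally, since the preceding paragraph rejects HTTP origins precisely because man-in-the-middle attacks are trivial over HTTP, the new paragraph should tell developers to drop the localhost entries before publishing so the relaxed policy does not ship in the packaged extension.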
(...skipping 15 matching lines...)
265 272
266 <p> 273 <p>
267 You may, of course, tighten this policy to whatever extent your extension 274 You may, of course, tighten this policy to whatever extent your extension
268 allows in order to increase security at the expense of convenience. To specify 275 allows in order to increase security at the expense of convenience. To specify
269 that your extension can only load resources of <em>any</em> type (images, etc) 276 that your extension can only load resources of <em>any</em> type (images, etc)
270 from its own package, for example, a policy of <code>default-src 'self'</code> 277 from its own package, for example, a policy of <code>default-src 'self'</code>
271 would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample 278 would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample
272 extension is a good example of an extension that's been locked down above and 279 extension is a good example of an extension that's been locked down above and
273 beyond the defaults. 280 beyond the defaults.
274 </p> 281 </p>