author: aa@chromium.org <aa@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-09-15 01:44:35 +0000
committer: aa@chromium.org <aa@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-09-15 01:44:35 +0000
commit: b95ecb979ab69655260a1d97212d9fb0be733d58 (patch)
tree: 8d6ef8453ec1d034a3a59203878ffc6986a20fd7
parent: c6d743c892b5b13b532059123ca36c63295a6921 (diff)
Merge 156781 - Tweaking the "insecure CSP" error message to clarify that both 'script-src' and 'object-src' must be set.
As a drive-by, it also updates the documentation to correct a typo in one of the examples, ensuring that both directives are properly set.

BUG=148919
R=aa@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10905258

TBR=mkwst@chromium.org
Review URL: https://codereview.chromium.org/10919310

git-svn-id: svn://svn.chromium.org/chrome/branches/1229/src@156957 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- chrome/common/extensions/docs/server2/templates/articles/contentSecurityPolicy.html | 2
-rw-r--r-- chrome/common/extensions/extension_manifest_constants.cc | 13
2 files changed, 8 insertions, 7 deletions
diff --git a/chrome/common/extensions/docs/server2/templates/articles/contentSecurityPolicy.html b/chrome/common/extensions/docs/server2/templates/articles/contentSecurityPolicy.html
index e8e8502..443c5cc 100644
--- a/chrome/common/extensions/docs/server2/templates/articles/contentSecurityPolicy.html
+++ b/chrome/common/extensions/docs/server2/templates/articles/contentSecurityPolicy.html
@@ -306,7 +306,7 @@ popup.html:
<code>'unsafe-eval'</code> to your policy:
</p>
-<pre>"content_security_policy": "script-src 'self' 'unsafe-eval'"</pre>
+<pre>"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"</pre>
<p>
However, we strongly recommend against doing this. These functions are
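Review bot: the corrected example `"script-src 'self' 'unsafe-eval'; object-src 'self'"` now satisfies the requirement that the new error text states (both directives set), but the surrounding prose on the line before the `<pre>` only talks about adding `'unsafe-eval'` "to your policy"; consider adding a sentence saying that `object-src` is required independently of whether `'unsafe-eval'` is used, so that readers who copy only the `script-src` part from this paragraph do not run into the `kInsecureContentSecurityPolicy` error that this same change rewrites.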
diff --git a/chrome/common/extensions/extension_manifest_constants.cc b/chrome/common/extensions/extension_manifest_constants.cc
index beeae9b..ddb5804 100644
--- a/chrome/common/extensions/extension_manifest_constants.cc
+++ b/chrome/common/extensions/extension_manifest_constants.cc
@@ -453,12 +453,13 @@ const char kInvalidWebURLs[] =
const char kInvalidZipHash[] =
"Required key 'zip_hash' is missing or invalid.";
const char kInsecureContentSecurityPolicy[] =
- "Invalid value for 'content_security_policy': The 'script-src' and"
- " 'object-src' directives can only whitelist secure resources. You may"
- " include any of the following sources: \"'self'\", \"http://127.0.0.1\","
- " \"http://localhost\", or any \"https://\" or \"chrome-extension://\""
- " origin. For more information, see"
- " http://developer.chrome.com/extensions/contentSecurityPolicy.html";
+ "Invalid value for 'content_security_policy': Both 'script-src' and"
+ " 'object-src' directives must be specified (either explicitly, or"
+ " implicitly via 'default-src'), and both must whitelist only secure"
+ " resources. You may include any of the following sources: \"'self'\","
+ " \"'unsafe-eval'\", \"http://127.0.0.1\", \"http://localhost\", or any"
+ " \"https://\" or \"chrome-extension://\" origin. For more information,"
+ " see http://developer.chrome.com/extensions/contentSecurityPolicy.html";
const char kLaunchPathAndExtentAreExclusive[] =
"The 'app.launch.local_path' and 'app.urls' keys cannot both be set.";
const char kLaunchPathAndURLAreExclusive[] =
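Review bot: the rewritten message lists `"'unsafe-eval'"` among "the following sources" that the directives "must whitelist only secure resources" from, which is misleading: `'unsafe-eval'` is not a source origin but a keyword that loosens `script-src`, and the documentation changed in the same patch says it is strongly recommended against. Suggest either dropping it from the enumeration or qualifying it, e.g. `" \"'unsafe-eval'\" (permitted but discouraged), \"http://127.0.0.1\", ..."`, so the error text does not read as an endorsement. Also worth confirming that the validator which emits this string actually accepts a policy where both directives are covered only "implicitly via 'default-src'", since the message now promises that.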