author | rdevlin.cronin@chromium.org <rdevlin.cronin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-26 22:59:28 +0000 |
---|---|---|
committer | rdevlin.cronin@chromium.org <rdevlin.cronin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-26 22:59:28 +0000 |
commit | 70c39bbb4b24c7e3c1cfbd044f862ee561f3e1bd (patch) | |
tree | 4f21f5c4c4ef358f2708f1a53a5820ce1ad7eb58 /extensions/common/csp_validator.h | |
parent | 1cfeb5674e5ff5df1ba2223515ab7a575d0c8285 (diff) | |
Move ManifestHandlers to extensions/
Move ManifestHandlers for:
- CSP
- Kiosk Mode
- Offline Enabled
- Requirements
- Sandboxed Page
to top-level extensions/common/manifest_handlers.
Rename all handlers to be foo_info.h/cc, if necessary.
TBR=davemoore@chromium.org (c/b/chromeos/app_mode/startup_app_launcher.cc)
TBR=finnur@chromium.org (c/b/ui/webui/extensions/extension_basic_info.cc)
BUG=159265
Review URL: https://codereview.chromium.org/83843002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@237426 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'extensions/common/csp_validator.h')
-rw-r--r-- | extensions/common/csp_validator.h | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/extensions/common/csp_validator.h b/extensions/common/csp_validator.h
new file mode 100644
index 0000000..e7446f6d
--- /dev/null
+++ b/extensions/common/csp_validator.h
@@ -0,0 +1,47 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_
+#define EXTENSIONS_COMMON_CSP_VALIDATOR_H_
+
+#include <string>
+
+#include "extensions/common/manifest.h"
+
+namespace extensions {
+
+namespace csp_validator {
+
+// Checks whether the given |policy| is legal for use in the extension system.
+// This check just ensures that the policy doesn't contain any characters that
+// will cause problems when we transmit the policy in an HTTP header.
+bool ContentSecurityPolicyIsLegal(const std::string& policy);
+
+// Checks whether the given |policy| meets the minimum security requirements
+// for use in the extension system.
+//
+// Ideally, we would like to say that an XSS vulnerability in the extension
+// should not be able to execute script, even in the precense of an active
+// network attacker.
+//
+// However, we found that it broke too many deployed extensions to limit
+// 'unsafe-eval' in the script-src directive, so that is allowed as a special
+// case for extensions. Platform apps disallow it.
+bool ContentSecurityPolicyIsSecure(
+ const std::string& policy, Manifest::Type type);
+
+// Checks whether the given |policy| enforces a unique origin sandbox as
+// defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/
+// the-iframe-element.html#attr-iframe-sandbox. The policy must have the
+// "sandbox" directive, and the sandbox tokens must not include
+// "allow-same-origin". Additional restrictions may be imposed depending on
+// |type|.
+bool ContentSecurityPolicyIsSandboxed(
+ const std::string& policy, Manifest::Type type);
+
+} // namespace csp_validator
+
+} // namespace extensions
+
+#endif // EXTENSIONS_COMMON_CSP_VALIDATOR_H_ |
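Review bot: The comment on `ContentSecurityPolicyIsSecure` documents the `'unsafe-eval'` exception for extensions but not the baseline it is an exception to. A reader of this header cannot tell which directives or source expressions a policy needs for the function to return true, or how `type` changes the result beyond the eval case. The implementation is not part of this hunk, so I would add a short list of the enforced requirements to the comment, filled in from the implementation, along the lines of `// Requires <directives the implementation checks> to be present and limited to <allowed sources>.` The comment on `ContentSecurityPolicyIsLegal` would likewise benefit from naming the rejected characters and from stating its scope explicitly, e.g. `// This is a header-safety check only, not a security check; see ContentSecurityPolicyIsSecure().` Separately, "precense" in the `ContentSecurityPolicyIsSecure` comment should read "presence".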