authorabarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-14 05:33:35 +0000
committerabarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-14 05:33:35 +0000
commit9ae0bc01c3d8a09b6b2e1c11d0343a0caf2e2293 (patch)
tree16643c7491471e350ee5d6ea8b7b36fa31f048a8 /tools/grit
parent58cc16c510f175258668e682794b4cb5b6b1e6a2 (diff)
Mitigate XSS in the bookmark manager using Content-Security-Policy.
We're adding Content-Security-Policy (CSP) support to WebKit, which helps prevent XSS by letting sites whitelist where they can load scripts from. This patch adds a CSP policy to the bookmark manager that only allows script loads from extensions and from "chrome" URLs. Adding the policy required only a tiny change to the bookmark manager (moving the main script block to be external), but required changing some of the infrastructure for packing component extensions (to avoid inlining external scripts). CSP forbids inline script (and inline event handlers) because it can't tell whether those scripts are the result of XSS. Review URL: http://codereview.chromium.org/6831008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81535 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'tools/grit')
-rwxr-xr-xtools/grit/grit/format/html_inline.py26
-rw-r--r--tools/grit/grit/node/include.py11
2 files changed, 22 insertions, 15 deletions
diff --git a/tools/grit/grit/format/html_inline.py b/tools/grit/grit/format/html_inline.py
index fc40eb0bf..0ba3254 100755
--- a/tools/grit/grit/format/html_inline.py
+++ b/tools/grit/grit/format/html_inline.py
@@ -1,5 +1,5 @@
#!/usr/bin/python
-# Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
@@ -86,7 +86,7 @@ class InlinedData:
self.inlined_data = inlined_data
self.inlined_files = inlined_files
-def DoInline(input_filename, grd_node):
+def DoInline(input_filename, grd_node, allow_external_script=False):
"""Helper function that inlines the resources in a specified file.
Reads input_filename, finds all the src attributes and attempts to
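Review bot: The new `allow_external_script` parameter on DoInline is not described in the docstring that begins on the next line, and the same omission applies to the `Args:` section of InlineToString in the hunk at -247,7. The flag changes what the function emits (external `<script src>` tags are kept instead of being inlined), which is exactly what a caller packing a CSP-protected page needs to know. Add an `Args:` entry such as `allow_external_script: if True, leave <script src="..."> tags in place instead of inlining them.` to both docstrings. The docstring and the function body continue outside this hunk.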
@@ -213,11 +213,14 @@ def DoInline(input_filename, grd_node):
lambda m: SrcReplace(m, filepath),
text)
- # We need to inline css and js before we inline images so that image
- # references gets inlined in the css and js
- flat_text = re.sub('<script .*?src="(?P<filename>[^"\']*)".*?></script>',
- InlineScript,
- ReadFile(input_filename))
+ flat_text = ReadFile(input_filename)
+
+ if not allow_external_script:
+ # We need to inline css and js before we inline images so that image
+ # references gets inlined in the css and js
+ flat_text = re.sub('<script .*?src="(?P<filename>[^"\']*)".*?></script>',
+ InlineScript,
+ flat_text)
flat_text = re.sub(
'<link rel="stylesheet".+?href="(?P<filename>[^"]*)".*?>',
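Review bot: The ordering comment ("inline css and js before images") now sits inside the `if not allow_external_script:` branch, but the constraint it states still governs the unconditional stylesheet inlining that follows, so a reader of the flag-set path loses the reason for the order. Move the comment above `flat_text = ReadFile(input_filename)` and give the branch its own line, e.g. `# External scripts are left verbatim here (and the src rewrite below skips <script>), so a CSP page keeps its script src paths.` DoInline's body continues outside this hunk.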
@@ -232,8 +235,7 @@ def DoInline(input_filename, grd_node):
# Check conditional elements, remove unsatisfied ones from the file.
flat_text = CheckConditionalElements(flat_text)
- # TODO(glen): Make this regex not match src="" text that is not inside a tag
- flat_text = re.sub('src="(?P<filename>[^"\']*)"',
+ flat_text = re.sub('<(?!script)[^>]+?src="(?P<filename>[^"\']*)"',
SrcReplace,
flat_text)
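Review bot: The new pattern `<(?!script)[^>]+?src="..."` relies on the script tags already having been handled by the `InlineScript` pass, but nothing at this line says so, and the removed TODO was the only explanation of the pattern's intent. Add above the `re.sub`: `# Rewrite src= only inside a non-<script> tag: scripts were either inlined by InlineScript above or deliberately left external.` Note also that both this lookahead and the `<script ` pattern earlier are case-sensitive, so if any input ever used `<SCRIPT src=...>` it would be skipped by InlineScript and then rewritten by SrcReplace here; worth a comment if such inputs are possible.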
@@ -247,7 +249,7 @@ def DoInline(input_filename, grd_node):
return InlinedData(flat_text, inlined_files)
-def InlineToString(input_filename, grd_node):
+def InlineToString(input_filename, grd_node, allow_external_script=False):
"""Inlines the resources in a specified file and returns it as a string.
Args:
@@ -257,7 +259,9 @@ def InlineToString(input_filename, grd_node):
the inlined data as a string
"""
try:
- return DoInline(input_filename, grd_node).inlined_data
+ return DoInline(input_filename,
+ grd_node,
+ allow_external_script=allow_external_script).inlined_data
except IOError, e:
raise Exception("Failed to open %s while trying to flatten %s. (%s)" %
(e.filename, input_filename, e.strerror))
diff --git a/tools/grit/grit/node/include.py b/tools/grit/grit/node/include.py
index cb64866..7cfa45e 100644
--- a/tools/grit/grit/node/include.py
+++ b/tools/grit/grit/node/include.py
@@ -1,5 +1,5 @@
#!/usr/bin/python2.4
-# Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
@@ -30,11 +30,12 @@ class IncludeNode(base.Node):
def _IsValidChild(self, child):
return False
- def _GetFlattenedData(self):
+ def _GetFlattenedData(self, allow_external_script=False):
if not self._flattened_data:
filename = self.FilenameToOpen()
self._flattened_data = (
- grit.format.html_inline.InlineToString(filename, self))
+ grit.format.html_inline.InlineToString(filename, self,
+ allow_external_script=allow_external_script))
return self._flattened_data
def MandatoryAttributes(self):
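Review bot: The `self._flattened_data` cache ignores `allow_external_script`, so the first call to `_GetFlattenedData` fixes whether scripts were inlined and a later call with the other value silently returns the cached result. The only caller visible in this commit passes the node's own `allowexternalscript` attribute, so the value is constant per node, but the signature invites other callers. Either document it with `# Cached on first use; allow_external_script must be the same on every call for this node.` or key the cache on the flag.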
@@ -45,6 +46,7 @@ class IncludeNode(base.Node):
'generateid': 'true',
'filenameonly': 'false',
'flattenhtml': 'false',
+ 'allowexternalscript': 'false',
'relativepath': 'false',
}
@@ -80,7 +82,8 @@ class IncludeNode(base.Node):
id_map = rc_header.Item.tids_
id = id_map[self.GetTextualIds()[0]]
if self.attrs['flattenhtml'] == 'true':
- data = self._GetFlattenedData()
+ allow_external_script = self.attrs['allowexternalscript'] == 'true'
+ data = self._GetFlattenedData(allow_external_script=allow_external_script)
else:
filename = self.FilenameToOpen()
infile = open(filename, 'rb')
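Review bot: `allowexternalscript` is only read inside the `flattenhtml == 'true'` branch, so setting it on a non-flattened include has no effect and no diagnostic; a reader of the attribute defaults will not see that dependency. Add a comment on the new line: `# allowexternalscript only matters when flattening; the raw-copy path below ignores it.` The enclosing method continues outside this hunk.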