Commit message | Author | Age | Files | Lines

BUG=138542
TBR=benwells@chromium.org
Review URL: https://codereview.chromium.org/1543053002
Cr-Commit-Position: refs/heads/master@{#366716}
Support CSP hashes (http://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage).
The validation is strict and follows the standard by the letter.
Blink also accepts sha1 and URL-encoded base64, but the extension's CSP
validator only accepts the syntax as specified by the CSP2 standard.
This allows the Blink implementation to become standard-compliant in the
future without breaking extensions.
Also, the CSP validator will now preserve the case of the CSP tokens,
mainly because base64 is case-sensitive. And base::StringToLowerASCII
is deprecated, which is another reason to change to base::ToLowerASCII.
BUG=446036
Review URL: https://codereview.chromium.org/1285523002
Cr-Commit-Position: refs/heads/master@{#342737}
Previously, insecure CSP directive values caused refusal of Chrome to
load the Chrome extension. Now, insecure values are stripped from the
CSP, and a list of detailed warnings is printed at the extensions page.
Renamed ContentSecurityPolicyIsSecure to SanitizeContentSecurityPolicy
and let it return a string (the sanitized CSP) instead of a boolean
that tells whether the CSP was considered secure.
BUG=434773
R=kalman@chromium.org
R=mkwst@chromium.org
TEST=extensions_unittests=ExtensionCSPValidator.*
unit_tests=ContentSecurityPolicyManifestTest.*:PlatformAppsManifestTest:PlatformAppContentSecurityPolicy
Review URL: https://codereview.chromium.org/747403002
Cr-Commit-Position: refs/heads/master@{#310191}
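As an added illustration (example code written for this page, not Chromium's own validator), the two behaviours described in the commit messages above, strict CSP2 hash-source matching with token case preserved, and stripping insecure script-src/object-src values with a warning list instead of refusing to load the extension, can be sketched like this. The set of "secure" source expressions, the directives covered and the fallback to 'self' are assumptions of this example, not the rules of the real validator:

```python
import re
from typing import List, Tuple

# Hash-source grammar from the CSP2 Candidate Recommendation cited above:
#   hash-source    = "'" hash-algorithm "-" base64-value "'"
#   hash-algorithm = "sha256" / "sha384" / "sha512"
#   base64-value   = 1*( ALPHA / DIGIT / "+" / "/" ) *2( "=" )
# Matched case-sensitively: base64 is case-sensitive, and sha1 or URL-encoded
# base64 (accepted by Blink at the time) is rejected on purpose.
HASH_SOURCE_RE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'$")

# Source expressions treated as secure for an extension. This is a simplified
# stand-in for the real validator's rules (an assumption of this example):
# keyword sources plus https: hosts with a concrete host name (no wildcards).
SECURE_KEYWORDS = {"'self'", "'none'", "'unsafe-eval'"}
SECURE_HOST_RE = re.compile(r"^https://[A-Za-z0-9.-]+(:[0-9]+)?$")

# Directives whose values are sanitized (assumption: the example restricts
# itself to the two the commit messages discuss).
SANITIZED_DIRECTIVES = ("script-src", "object-src")


def is_hash_source(token: str) -> bool:
    """True iff token is a CSP2 hash-source such as 'sha256-<base64>'."""
    return HASH_SOURCE_RE.match(token) is not None


def is_secure_source(token: str) -> bool:
    """Keyword, hash-source or https: host with a concrete host name."""
    return (token in SECURE_KEYWORDS
            or is_hash_source(token)
            or SECURE_HOST_RE.match(token) is not None)


def parse_csp(policy: str) -> List[Tuple[str, List[str]]]:
    """Split a serialized policy into (directive-name, values) pairs.

    Directive names are case-insensitive and are lower-cased; values keep
    their case, which matters for the base64 part of hash sources."""
    directives = []
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def sanitize_csp(policy: str) -> Tuple[str, List[str]]:
    """Return (sanitized policy, warnings).

    Insecure values in script-src/object-src are dropped and reported instead
    of making the whole extension fail to load. A directive left with no
    values falls back to 'self' (assumption made for this example)."""
    warnings: List[str] = []
    out: List[str] = []
    for name, values in parse_csp(policy):
        if name in SANITIZED_DIRECTIVES:
            kept = []
            for value in values:
                if is_secure_source(value):
                    kept.append(value)
                else:
                    warnings.append(
                        "Ignored insecure CSP value %s for directive %s." % (value, name))
            if not kept:
                kept = ["'self'"]
                warnings.append(
                    "Directive %s had no secure values; using 'self'." % name)
            values = kept
        out.append(" ".join([name] + values))
    return "; ".join(out), warnings


if __name__ == "__main__":
    # Constructed sample policy: one valid hash, one http: host, 'unsafe-inline'.
    sample = ("script-src 'self' https://example.com 'sha256-AbC+/=' "
              "http://cdn.example 'unsafe-inline'; object-src 'self'")
    csp, warns = sanitize_csp(sample)
    print(csp)
    for warning in warns:
        print("warning:", warning)
```

Running the block prints the policy with the http: host and 'unsafe-inline' removed and one warning per dropped value; the base64 in the hash source comes through with its case intact, which is why the parser lower-cases only directive names.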
This CL only allows insecure object-src directives in the CSP of an extension if a set of whitelisted mime types is also specified in the CSP. This is to prevent plugins that aren't fully sandboxed from loading up arbitrary URLs in an extension and maliciously gaining control of the extension.
The set of plugins that are whitelisted should be those that are fully sandboxed.
Review URL: https://codereview.chromium.org/760513003
Cr-Commit-Position: refs/heads/master@{#305761}
This CL allows component extensions to specify arbitrary object-src CSP
directives. This should be safe because non-NPAPI plugins should load in a
sandboxed process and only allow communication via postMessage. Flash is
an exception since it allows scripting into the embedder page, but even then
it should disallow cross-origin scripting. At some point we may want to consider
allowing this publicly.
The CL refactors the CSP validator slightly to provide an options int to configure
how CSP will be parsed. Tests are added for the changes above.
BUG=416328
Review URL: https://codereview.chromium.org/754713002
Cr-Commit-Position: refs/heads/master@{#305725}
Do not refuse to load the extension when the CSP contains
"chrome-extension://", because there are some extensions in the wild
that contain this token in the CSP. It is safe to accept this token
because the invalid CSP token is ignored by Blink (together with an
error message in the console, so the developer can fix the problem if
they bother to look at the console).
BUG=432227
R=kalman@chromium.org
Review URL: https://codereview.chromium.org/722233004
Cr-Commit-Position: refs/heads/master@{#304922}
(patchset #3 id:80001 of https://codereview.chromium.org/722233004/)
Reason for revert:
Need some extra comments before relanding
Original issue's description:
> Accept invalid chrome-extension:// and chrome:// CSP tokens
>
> Do not refuse to load the extension when the CSP contains
> "chrome-extension://", because there are some extensions in the wild
> that contain this token in the CSP. It is safe to accept this token
> because the invalid CSP token is ignored by Blink (together with an
> error message in the console, so the developer can fix the problem if
> they bother to look at the console).
>
> BUG=432227
> TBR=kalman@chromium.org
>
> Committed: https://crrev.com/67244e678279741947c09ba2ab18fbfec1707a97
> Cr-Commit-Position: refs/heads/master@{#304799}
TBR=kalman@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=432227
Review URL: https://codereview.chromium.org/739133003
Cr-Commit-Position: refs/heads/master@{#304832}
Do not refuse to load the extension when the CSP contains
"chrome-extension://", because there are some extensions in the wild
that contain this token in the CSP. It is safe to accept this token
because the invalid CSP token is ignored by Blink (together with an
error message in the console, so the developer can fix the problem if
they bother to look at the console).
BUG=432227
TBR=kalman@chromium.org
Review URL: https://codereview.chromium.org/722233004
Cr-Commit-Position: refs/heads/master@{#304799}
BUG=409952,410045 (comment 8 and onwards)
R=kalman@chromium.org
Review URL: https://codereview.chromium.org/673183003
Cr-Commit-Position: refs/heads/master@{#301280}
patterns in the extension's Content Security policy and update the documentation
to clarify the constraints of the CSP.
BUG=404295
Review URL: https://codereview.chromium.org/481643002
Cr-Commit-Position: refs/heads/master@{#290699}
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@290699 0039d316-1c4b-4281-b951-d872f2087c98
Move ManifestHandlers for:
- CSP
- Kiosk Mode
- Offline Enabled
- Requirements
- Sandboxed Page
to top-level extensions/common/manifest_handlers.
Rename all handlers to be foo_info.h/cc, if necessary.
TBR=davemoore@chromium.org (c/b/chromeos/app_mode/startup_app_launcher.cc)
TBR=finnur@chromium.org (c/b/ui/webui/extensions/extension_basic_info.cc)
BUG=159265
Review URL: https://codereview.chromium.org/83843002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@237426 0039d316-1c4b-4281-b951-d872f2087c98