      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_
      6 #define EXTENSIONS_COMMON_CSP_VALIDATOR_H_
      7 
      8 #include <string>
      9 
     10 #include "extensions/common/manifest.h"
     11 
     12 namespace extensions {
     13 
     14 namespace csp_validator {
     15 
     16 // Checks whether the given |policy| is legal for use in the extension system.
     17 // This check just ensures that the policy doesn't contain any characters that
     18 // will cause problems when we transmit the policy in an HTTP header.
     19 bool ContentSecurityPolicyIsLegal(const std::string& policy);
     20 
     21 // Checks whether the given |policy| meets the minimum security requirements
     22 // for use in the extension system.
     23 //
     24 // Ideally, we would like to say that an XSS vulnerability in the extension
     25 // should not be able to execute script, even in the presence of an active
     26 // network attacker.
     27 //
     28 // However, we found that limiting 'unsafe-eval' in the script-src directive
     29 // broke too many deployed extensions, so it is allowed as a special case for
     30 // extensions. Platform apps disallow it.
     31 bool ContentSecurityPolicyIsSecure(
     32     const std::string& policy, Manifest::Type type);
     33 
     34 // Checks whether the given |policy| enforces a unique origin sandbox as
     35 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/
     36 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the
     37 // "sandbox" directive, and the sandbox tokens must not include
     38 // "allow-same-origin". Additional restrictions may be imposed depending on
     39 // |type|.
     40 bool ContentSecurityPolicyIsSandboxed(
     41     const std::string& policy, Manifest::Type type);
     42 
     43 }  // namespace csp_validator
     44 
     45 }  // namespace extensions
     46 
     47 #endif  // EXTENSIONS_COMMON_CSP_VALIDATOR_H_
     48