blob: 2fd74fb76b272a096eae2e8f215861835955aeb6 [file] [log] [blame]
[email protected]70c39bb2013-11-26 22:59:281// Copyright 2013 The Chromium Authors. All rights reserved.
[email protected]f1d88d92013-02-16 01:54:472// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
[email protected]70c39bb2013-11-26 22:59:285#include "extensions/common/manifest_handlers/csp_info.h"
[email protected]f1d88d92013-02-16 01:54:476
7#include "base/memory/scoped_ptr.h"
[email protected]d2e754f2013-06-11 01:41:478#include "base/strings/string_util.h"
[email protected]12bfb612013-06-07 19:54:029#include "base/strings/utf_string_conversions.h"
[email protected]f1d88d92013-02-16 01:54:4710#include "base/values.h"
[email protected]70c39bb2013-11-26 22:59:2811#include "extensions/common/csp_validator.h"
[email protected]0c3c9732013-09-16 08:53:4112#include "extensions/common/manifest_constants.h"
[email protected]70c39bb2013-11-26 22:59:2813#include "extensions/common/manifest_handlers/sandboxed_page_info.h"
[email protected]f1d88d92013-02-16 01:54:4714
15namespace extensions {
16
[email protected]0c3c9732013-09-16 08:53:4117namespace keys = manifest_keys;
18namespace errors = manifest_errors;
19
20using csp_validator::ContentSecurityPolicyIsLegal;
21using csp_validator::ContentSecurityPolicyIsSecure;
22
[email protected]f1d88d92013-02-16 01:54:4723namespace {
24
25const char kDefaultContentSecurityPolicy[] =
26 "script-src 'self' chrome-extension-resource:; object-src 'self'";
27
28#define PLATFORM_APP_LOCAL_CSP_SOURCES \
29 "'self' data: chrome-extension-resource:"
30const char kDefaultPlatformAppContentSecurityPolicy[] =
31 // Platform apps can only use local resources by default.
32 "default-src 'self' chrome-extension-resource:;"
33 // For remote resources, they can fetch them via XMLHttpRequest.
34 "connect-src *;"
35 // And serve them via data: or same-origin (blob:, filesystem:) URLs
36 "style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';"
37 "img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
38 "frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
39 "font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
40 // Media can be loaded from remote resources since:
41 // 1. <video> and <audio> have good fallback behavior when offline or under
42 // spotty connectivity.
43 // 2. Fetching via XHR and serving via blob: URLs currently does not allow
44 // streaming or partial buffering.
45 "media-src *;";
46
47} // namespace
48
49CSPInfo::CSPInfo(const std::string& security_policy)
50 : content_security_policy(security_policy) {
51}
52
53CSPInfo::~CSPInfo() {
54}
55
56// static
57const std::string& CSPInfo::GetContentSecurityPolicy(
58 const Extension* extension) {
59 CSPInfo* csp_info = static_cast<CSPInfo*>(
60 extension->GetManifestData(keys::kContentSecurityPolicy));
[email protected]8790210c2013-12-02 05:29:5361 return csp_info ? csp_info->content_security_policy : base::EmptyString();
[email protected]f1d88d92013-02-16 01:54:4762}
63
[email protected]2702b79f2013-03-27 08:44:3364// static
65const std::string& CSPInfo::GetResourceContentSecurityPolicy(
66 const Extension* extension,
67 const std::string& relative_path) {
68 return SandboxedPageInfo::IsSandboxedPage(extension, relative_path) ?
69 SandboxedPageInfo::GetContentSecurityPolicy(extension) :
70 GetContentSecurityPolicy(extension);
71}
72
[email protected]f1d88d92013-02-16 01:54:4773CSPHandler::CSPHandler(bool is_platform_app)
74 : is_platform_app_(is_platform_app) {
75}
76
77CSPHandler::~CSPHandler() {
78}
79
[email protected]0d163dc2013-12-20 23:48:3680bool CSPHandler::Parse(Extension* extension, base::string16* error) {
[email protected]9367eabc2013-03-01 01:29:2981 const std::string key = Keys()[0];
[email protected]f1d88d92013-02-16 01:54:4782 if (!extension->manifest()->HasPath(key)) {
83 if (extension->manifest_version() >= 2) {
84 // TODO(abarth): Should we continue to let extensions override the
85 // default Content-Security-Policy?
86 std::string content_security_policy = is_platform_app_ ?
87 kDefaultPlatformAppContentSecurityPolicy :
88 kDefaultContentSecurityPolicy;
89
90 CHECK(ContentSecurityPolicyIsSecure(content_security_policy,
91 extension->GetType()));
92 extension->SetManifestData(keys::kContentSecurityPolicy,
93 new CSPInfo(content_security_policy));
94 }
95 return true;
96 }
97
98 std::string content_security_policy;
99 if (!extension->manifest()->GetString(key, &content_security_policy)) {
[email protected]ad65a3e2013-12-25 18:18:01100 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy);
[email protected]f1d88d92013-02-16 01:54:47101 return false;
102 }
103 if (!ContentSecurityPolicyIsLegal(content_security_policy)) {
[email protected]ad65a3e2013-12-25 18:18:01104 *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy);
[email protected]f1d88d92013-02-16 01:54:47105 return false;
106 }
107 if (extension->manifest_version() >= 2 &&
108 !ContentSecurityPolicyIsSecure(content_security_policy,
109 extension->GetType())) {
[email protected]ad65a3e2013-12-25 18:18:01110 *error = base::ASCIIToUTF16(errors::kInsecureContentSecurityPolicy);
[email protected]f1d88d92013-02-16 01:54:47111 return false;
112 }
113
114 extension->SetManifestData(keys::kContentSecurityPolicy,
115 new CSPInfo(content_security_policy));
116 return true;
117}
118
[email protected]9367eabc2013-03-01 01:29:29119bool CSPHandler::AlwaysParseForType(Manifest::Type type) const {
[email protected]f1d88d92013-02-16 01:54:47120 if (is_platform_app_)
121 return type == Manifest::TYPE_PLATFORM_APP;
122 else
123 return type == Manifest::TYPE_EXTENSION ||
124 type == Manifest::TYPE_LEGACY_PACKAGED_APP;
125}
126
[email protected]9367eabc2013-03-01 01:29:29127const std::vector<std::string> CSPHandler::Keys() const {
128 const std::string& key = is_platform_app_ ?
129 keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy;
130 return SingleKey(key);
131}
132
[email protected]f1d88d92013-02-16 01:54:47133} // namespace extensions