csp_info.cc | Explore in Territory

// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "extensions/common/manifest_handlers/csp_info.h"

#include <memory>
#include <string_view>
#include <utility>

#include "base/feature_list.h"
#include "base/no_destructor.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "base/values.h"
#include "extensions/common/csp_validator.h"
#include "extensions/common/error_utils.h"
#include "extensions/common/extension_features.h"
#include "extensions/common/install_warning.h"
#include "extensions/common/manifest_constants.h"
#include "extensions/common/manifest_handlers/sandboxed_page_info.h"

namespace extensions {

keys;
errors;

ContentSecurityPolicyIsLegal;
SanitizeContentSecurityPolicy;

namespace {

const char kDefaultContentSecurityPolicy[] = …;

const char kDefaultSandboxedPageContentSecurityPolicy[] = …;

// The default CSP to be used if no CSP provided.
static const char kDefaultMV3CSP[] = …;

// The minimum CSP to be used in order to prevent remote scripts.
static const char kMinimumMV3CSP[] = …;
// For unpacked extensions, we additionally allow the use of localhost files to
// aid in rapid local development.
static const char kMinimumUnpackedMV3CSP[] = …;

#define PLATFORM_APP_LOCAL_CSP_SOURCES …

// clang-format off
const char kDefaultPlatformAppContentSecurityPolicy[] = …// Platform apps can only use local resources by default.
    "default-src 'self' blob: filesystem:;"
    // For remote resources, they can fetch them via XMLHttpRequest.
    " connect-src * data: blob: filesystem:;"
    // And serve them via data: or same-origin (blob:, filesystem:) URLs
    " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';"
    " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
    " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
    " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
    // Media can be loaded from remote resources since:
    // 1. <video> and <audio> have good fallback behavior when offline or under
    //    spotty connectivity.
    // 2. Fetching via XHR and serving via blob: URLs currently does not allow
    //    streaming or partial buffering.
    " media-src * data: blob: filesystem:;"
    // Scripts are allowed to use WebAssembly
    " script-src 'self' blob: filesystem: 'wasm-unsafe-eval';";
// clang-format on

int GetValidatorOptions(Extension* extension) { … }

std::u16string GetInvalidManifestKeyError(std::string_view key) { … }

// Returns null if the manifest type can't access the path. Else returns the
// corresponding Value.
const base::Value* GetManifestPath(const Extension* extension,
                                   const char* path) { … }

const char* GetDefaultExtensionPagesCSP(Extension* extension) { … }

// Returns the minimum CSP to apply for the given MV3 extension.
const std::string* GetMinimumMV3CSPForExtension(const Extension& extension) { … }

}  // namespace

CSPInfo::CSPInfo(std::string extension_pages_csp)
    : … { … }

CSPInfo::~CSPInfo() { … }

// static
const std::string& CSPInfo::GetExtensionPagesCSP(const Extension* extension) { … }

// static
const std::string* CSPInfo::GetMinimumCSPToAppend(
    const Extension& extension,
    const std::string& relative_path) { … }

// static
const std::string* CSPInfo::GetIsolatedWorldCSP(const Extension& extension) { … }

// static
const std::string& CSPInfo::GetSandboxContentSecurityPolicy(
    const Extension* extension) { … }

// static
const std::string& CSPInfo::GetResourceContentSecurityPolicy(
    const Extension* extension,
    const std::string& relative_path) { … }

CSPHandler::CSPHandler() = default;

CSPHandler::~CSPHandler() = default;

// static
const char* CSPHandler::GetMinimumMV3CSPForTesting() { … }

// static
const char* CSPHandler::GetMinimumUnpackedMV3CSPForTesting() { … }

bool CSPHandler::Parse(Extension* extension, std::u16string* error) { … }

bool CSPHandler::ParseCSPDictionary(Extension* extension,
                                    std::u16string* error) { … }

bool CSPHandler::ParseExtensionPagesCSP(
    Extension* extension,
    std::u16string* error,
    std::string_view manifest_key,
    const base::Value* content_security_policy) { … }

bool CSPHandler::ParseSandboxCSP(Extension* extension,
                                 std::u16string* error,
                                 std::string_view manifest_key,
                                 const base::Value* sandbox_csp,
                                 bool allow_remote_sources) { … }

bool CSPHandler::SetExtensionPagesCSP(Extension* extension,
                                      std::string_view manifest_key,
                                      std::string content_security_policy) { … }

void CSPHandler::SetSandboxCSP(Extension* extension, std::string sandbox_csp) { … }

bool CSPHandler::AlwaysParseForType(Manifest::Type type) const { … }

base::span<const char* const> CSPHandler::Keys() const { … }

}  // namespace extensions
chromium/extensions/common/manifest_handlers/csp_info.cc
