extensions/common/manifest_handlers/csp_info.h - chromium/src - Git at Google

 // Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef EXTENSIONS_COMMON_MANIFEST_HANDLERS_CSP_INFO_H_
 #define EXTENSIONS_COMMON_MANIFEST_HANDLERS_CSP_INFO_H_

 #include <string>
 #include <string_view>

 #include "extensions/common/extension.h"
 #include "extensions/common/manifest_handler.h"

 namespace extensions {

 // A structure to hold the Content-Security-Policy information.
 struct CSPInfo : public Extension::ManifestData {
   explicit CSPInfo(std::string extension_pages_csp);
   ~CSPInfo() override;

   // The Content-Security-Policy for an extension. This is applied to an
   // extension's background contexts i.e. its background page, event page and
   // service worker. Extensions can use Content-Security-Policies to mitigate
   // cross-site scripting and other vulnerabilities.
   std::string extension_pages_csp;

   // Content Security Policy that should be used to enforce the sandbox used
   // by sandboxed pages (guaranteed to have the "sandbox" directive without the
   // "allow-same-origin" token).
   std::string sandbox_csp;

   // Returns the CSP to be used for the extension frames (tabs, popups, iframes)
   // and background contexts, or an empty string if there is no defined CSP.
   // Note that for extensions, platform apps and legacy packaged apps, a default
   // CSP is used even if the manifest didn't specify one, so an empty string
   // shouldn't be returned for those cases.
   static const std::string& GetExtensionPagesCSP(const Extension* extension);

   // Returns the minimum CSP (if any) to append for the `extension`'s resource
   // at the given `relative_path`.
   static const std::string* GetMinimumCSPToAppend(
       const Extension& extension,
       const std::string& relative_path);

   // Returns the Content Security Policy to be used for extension isolated
   // worlds or null if there is no defined CSP.
   static const std::string* GetIsolatedWorldCSP(const Extension& extension);

   // Returns the extension's Content Security Policy for the sandboxed pages.
   static const std::string& GetSandboxContentSecurityPolicy(
       const Extension* extension);

   // Returns the Content Security Policy that the specified resource should be
   // served with.
   static const std::string& GetResourceContentSecurityPolicy(
       const Extension* extension,
       const std::string& relative_path);
 };

 // Parses "content_security_policy", "app.content_security_policy" and
 // "sandbox.content_security_policy" manifest keys.
 class CSPHandler : public ManifestHandler {
  public:
   CSPHandler();

   CSPHandler(const CSPHandler&) = delete;
   CSPHandler& operator=(const CSPHandler&) = delete;

   ~CSPHandler() override;

   // ManifestHandler override:
   bool Parse(Extension* extension, std::u16string* error) override;

   // Returns the minimum CSP to use in MV3 extensions. Only exposed for testing.
   static const char* GetMinimumMV3CSPForTesting();
   static const char* GetMinimumUnpackedMV3CSPForTesting();

  private:
   // Parses the "content_security_policy" dictionary in the manifest.
   bool ParseCSPDictionary(Extension* extension, std::u16string* error);

   // Parses the content security policy specified in the manifest for extension
   // pages.
   bool ParseExtensionPagesCSP(Extension* extension,
                               std::u16string* error,
                               std::string_view manifest_key,
                               const base::Value* content_security_policy);

   // Parses the content security policy specified in the manifest for sandboxed
   // pages. This should be called after ParseExtensionPagesCSP. If
   // `allow_remote_sources` is true, this allows the extension to specify remote
   // sources in the sandbox CSP.
   bool ParseSandboxCSP(Extension* extension,
                        std::u16string* error,
                        std::string_view manifest_key,
                        const base::Value* sandbox_csp,
                        bool allow_remote_sources);

   // Helper to set the extension pages content security policy manifest data.
   bool SetExtensionPagesCSP(Extension* extension,
                             std::string_view manifest_key,
                             std::string content_security_policy);

   // Helper to set the sandbox content security policy manifest data.
   void SetSandboxCSP(Extension* extension, std::string sandbox_csp);

   // ManifestHandler overrides:
   bool AlwaysParseForType(Manifest::Type type) const override;
   base::span<const char* const> Keys() const override;
 };

 }  // namespace extensions

 #endif  // EXTENSIONS_COMMON_MANIFEST_HANDLERS_CSP_INFO_H_
	// Copyright 2013 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef EXTENSIONS_COMMON_MANIFEST_HANDLERS_CSP_INFO_H_
	#define EXTENSIONS_COMMON_MANIFEST_HANDLERS_CSP_INFO_H_

	#include <string>
	#include <string_view>

	#include "extensions/common/extension.h"
	#include "extensions/common/manifest_handler.h"

	namespace extensions {

	// A structure to hold the Content-Security-Policy information.
	struct CSPInfo : public Extension::ManifestData {
	explicit CSPInfo(std::string extension_pages_csp);
	~CSPInfo() override;

	// The Content-Security-Policy for an extension. This is applied to an
	// extension's background contexts i.e. its background page, event page and
	// service worker. Extensions can use Content-Security-Policies to mitigate
	// cross-site scripting and other vulnerabilities.
	std::string extension_pages_csp;

	// Content Security Policy that should be used to enforce the sandbox used
	// by sandboxed pages (guaranteed to have the "sandbox" directive without the
	// "allow-same-origin" token).
	std::string sandbox_csp;

	// Returns the CSP to be used for the extension frames (tabs, popups, iframes)
	// and background contexts, or an empty string if there is no defined CSP.
	// Note that for extensions, platform apps and legacy packaged apps, a default
	// CSP is used even if the manifest didn't specify one, so an empty string
	// shouldn't be returned for those cases.
	static const std::string& GetExtensionPagesCSP(const Extension* extension);

	// Returns the minimum CSP (if any) to append for the `extension`'s resource
	// at the given `relative_path`.
	static const std::string* GetMinimumCSPToAppend(
	const Extension& extension,
	const std::string& relative_path);

	// Returns the Content Security Policy to be used for extension isolated
	// worlds or null if there is no defined CSP.
	static const std::string* GetIsolatedWorldCSP(const Extension& extension);

	// Returns the extension's Content Security Policy for the sandboxed pages.
	static const std::string& GetSandboxContentSecurityPolicy(
	const Extension* extension);

	// Returns the Content Security Policy that the specified resource should be
	// served with.
	static const std::string& GetResourceContentSecurityPolicy(
	const Extension* extension,
	const std::string& relative_path);
	};

	// Parses "content_security_policy", "app.content_security_policy" and
	// "sandbox.content_security_policy" manifest keys.
	class CSPHandler : public ManifestHandler {
	public:
	CSPHandler();

	CSPHandler(const CSPHandler&) = delete;
	CSPHandler& operator=(const CSPHandler&) = delete;

	~CSPHandler() override;

	// ManifestHandler override:
	bool Parse(Extension* extension, std::u16string* error) override;

	// Returns the minimum CSP to use in MV3 extensions. Only exposed for testing.
	static const char* GetMinimumMV3CSPForTesting();
	static const char* GetMinimumUnpackedMV3CSPForTesting();

	private:
	// Parses the "content_security_policy" dictionary in the manifest.
	bool ParseCSPDictionary(Extension* extension, std::u16string* error);

	// Parses the content security policy specified in the manifest for extension
	// pages.
	bool ParseExtensionPagesCSP(Extension* extension,
	std::u16string* error,
	std::string_view manifest_key,
	const base::Value* content_security_policy);

	// Parses the content security policy specified in the manifest for sandboxed
	// pages. This should be called after ParseExtensionPagesCSP. If
	// `allow_remote_sources` is true, this allows the extension to specify remote
	// sources in the sandbox CSP.
	bool ParseSandboxCSP(Extension* extension,
	std::u16string* error,
	std::string_view manifest_key,
	const base::Value* sandbox_csp,
	bool allow_remote_sources);

	// Helper to set the extension pages content security policy manifest data.
	bool SetExtensionPagesCSP(Extension* extension,
	std::string_view manifest_key,
	std::string content_security_policy);

	// Helper to set the sandbox content security policy manifest data.
	void SetSandboxCSP(Extension* extension, std::string sandbox_csp);

	// ManifestHandler overrides:
	bool AlwaysParseForType(Manifest::Type type) const override;
	base::span<const char* const> Keys() const override;
	};

	} // namespace extensions

	#endif // EXTENSIONS_COMMON_MANIFEST_HANDLERS_CSP_INFO_H_