[chromium-blink-merge.git] / chrome / common / extensions / docs / templates / articles / contentSecurityPolicy.html
| blob | daf3f7170f4d323a8cb6258c46dda1ca05f5d48d |
4 <p>
5 In order to mitigate a large class of potential cross-site scripting issues,
6 Chrome's extension system has incorporated the general concept of
9 </a>. This introduces some fairly strict policies that will make extensions
10 more secure by default, and provides you with the ability to create and
11 enforce rules governing the types of content that can be loaded and executed
12 by your extensions and applications.
13 </p>
15 <p>
16 In general, CSP works as a black/whitelisting mechanism for resources loaded
17 or executed by your extensions. Defining a reasonable policy for your
18 extension enables you to carefully consider the resources that your extension
19 requires, and to ask the browser to ensure that those are the only resources
20 your extension has access to. These policies provide security over and above
22 requests; they're an additional layer of protection, not a replacement.
23 </p>
25 <p>
27 element. Inside Chrome's extension system, neither is an appropriate
28 mechanism. Instead, an extension's policy is defined via the extension's
30 </p>
33 {
34 ...,
36 ...
37 }
38 </pre>
41 For full details regarding CSP's syntax, please take a look at
42 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#syntax">
43 the Content Security Policy specification
44 </a>, and the <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy/">
45 "An Introduction to Content Security Policy"
46 </a> article on HTML5Rocks.
47 </p>
51 <p>
54 </a> have no default content security policy. Those that select
56 of:
57 </p>
61 <p>
62 This policy adds security by limiting extensions and applications in three
63 ways:
64 </p>
70 <pre>
71 alert(eval("foo.bar.baz"));
74 new Function("return foo.bar.baz");
75 </pre>
77 <p>Evaluating strings of JavaScript like this is a common XSS attack vector.
78 Instead, you should write code like:
80 <pre>
81 alert(foo && foo.bar && foo.bar.baz);
82 window.setTimeout(function() { alert('hi'); }, 10);
83 window.setInterval(function() { alert('hi'); }, 10);
84 function() { return foo && foo.bar && foo.bar.baz };
85 </pre>
89 <p>
90 Inline JavaScript will not be executed. This restriction bans both inline
93 </p>
95 <p>
96 The first restriction wipes out a huge class of cross-site scripting attacks
97 by making it impossible for you to accidentally execute script provided by a
98 malicious third-party. It does, however, require you to write your code with a
99 clean separation between content and behavior (which you should of course do
100 anyway, right?). An example might make this clearer. You might try to write a
103 </p>
111 function awesome() {
112 // do something awesome!
113 }
115 function totallyAwesome() {
116 // do something TOTALLY awesome!
117 }
119 function clickHandler(element) {
121 }
123 function main() {
124 // Initialization work goes here.
125 }
130 Click for awesomeness!
135 <p>
136 Three things will need to change in order to make this work the way you expect
137 it to:
138 </p>
140 <ul>
141 <li>
144 </li>
145 <li>
146 <p>The inline event handler definitions must be rewritten in terms of
148 <p>If you're currently kicking off your program's execution via code like
152 former, as it generally triggers more quickly.</p>
153 </li>
154 <li>
157 JavaScript for execution.
158 </li>
159 </ul>
161 <p>
162 Those changes might look something like the following:
163 </p>
166 function awesome() {
167 // Do something awesome!
168 }
170 function totallyAwesome() {
171 // do something TOTALLY awesome!
172 }
174 <strong>function awesomeTask() {
175 awesome();
176 totallyAwesome();
177 }</strong>
179 function clickHandler(e) {
181 }
183 function main() {
184 // Initialization work goes here.
185 }
187 // Add event listeners once the DOM has fully loaded by listening for the
188 // `DOMContentLoaded` event on the document, and adding your listeners to
189 // specific elements when it triggers.
191 document.querySelector('button').addEventListener('click', clickHandler);
192 main();
193 });
194 </pre>
206 </pre>
208 <p>
213 <p>
214 Script and object resources can only be loaded from the extension's
215 package, not from the web at large. This ensures that your extension only
216 executes the code you've specifically approved, preventing an active network
217 attacker from maliciously redirecting your request for a resource.
218 </p>
220 <p>
221 Instead of writing code that depends on jQuery (or any other library) loading
222 from an external CDN, consider including the specific version of jQuery in
223 your extension package. That is, instead of:
224 </p>
231 <script src="<strong>http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js</strong>"></script>
237 </pre>
239 <p>
240 Download the file, include it in your package, and write:
241 <p>
259 <p>
260 Up until Chrome 45, there was no mechanism for relaxing the restriction
261 against executing inline JavaScript. In particular, setting a script policy
263 </p>
265 <p>
266 As of Chrome 46, inline scripts can be whitelisted by specifying the
267 base64-encoded hash of the source code in the policy. This hash must be
268 prefixed by the used hash algorithm (sha256, sha384 or sha512).
269 See
272 </p>
276 <p>
277 If you have a need for some external JavaScript or object
278 resources, you can relax the policy to a limited extent by whitelisting
279 secure origins from which scripts should be accepted. We want to ensure that
280 executable resources loaded with an extension's elevated permissions are
281 exactly the resources you expect, and haven't been replaced by an active
282 network attacker. As <a
284 attacks</a> are both trivial and undetectable over HTTP, those origins will
285 not be accepted.
286 </p>
288 <p>
289 Currently, we allow whitelisting origins with the following schemes:
292 The host part of the origin must explicitly be specified for the
298 are also viewed as generic top-level domains. To load a resource from these
299 domains, the subdomain must explicitly be listed. For example,
303 </p>
305 <p>
306 To ease development, we're also allowing the whitelisting of resources loaded
307 over HTTP from servers on your local machine. You may whitelist script and
310 </p>
313 The restriction against resources loaded over HTTP applies only to those
314 resources which are directly executed. You're still free, for example, to
315 make XMLHTTPRequest connections to any origin you like; the default policy
317 in any way.
318 </p>
320 <p>
321 A relaxed policy definition which allows script resources to be loaded from
323 </p>
327 </pre>
331 by the policy. Chrome will not accept a policy that doesn't limit each of
333 </p>
335 <p>
336 Making use of Google Analytics is the canonical example for this sort of
337 policy definition. It's common enough that we've provided an Analytics
338 boilerplate of sorts in the <a href="samples#event-tracking-with-google-analytics">Event Tracking
339 with Google Analytics</a> sample extension, and a
341 </p>
345 <p>
350 </p>
354 </pre>
356 <p>
357 However, we strongly recommend against doing this. These functions are
358 notorious XSS attack vectors.
359 </p>
363 <p>
364 You may, of course, tighten this policy to whatever extent your extension
365 allows in order to increase security at the expense of convenience. To specify
369 extension is a good example of an extension that's been locked down above and
370 beyond the defaults.
371 </p>
376 <p>
377 The policy that we have been discussing applies to the <a
380 content scripts</a> of the extension is more complicated.
381 </p>
383 <p>
384 Content scripts are generally not subject to the CSP of the extension. Since
385 content scripts are not HTML, the main impact of this is that they may use
390 the DOM of the page they are running on. We will refer to these as DOM
391 injected scripts going forward.
392 </p>
394 <p>
395 DOM injected scripts that would be executed immediately upon injection into
396 the page will execute as you might expect. Imagine a content script with the
397 following code as a simple example:
399 document.write("<script>alert(1);</script>");
400 </pre>
403 policy a page may specify.
404 </p>
406 <p>
407 However, the behavior becomes more complicated both inside that DOM injected
408 script and for any script that does not immediately execute upon injection.
409 Imagine that our extension is running on a page that provides its own CSP
411 executes the following code:
413 document.write("<button onclick='alert(1);'>click me</button>'");
414 </pre>
417 and code not interpreted until the click event occurs is not considered part
419 restricts its behavior. And since that CSP does not specify
421 </p>
423 <p>
424 The correct way to implement the desired behavior in this case would be to add
426 follows:
428 document.write("<button id='mybutton'>click me</button>'");
429 var button = document.getElementById('mybutton');
430 button.onclick = function() {
431 alert(1);
432 };
433 </pre>
434 </p>
436 <p>
437 Another similar issue arises if the content script executes the following:
439 var script = document.createElement('script');
440 script.innerHTML = 'alert(1);'
441 document.getElementById('body').appendChild(script);
442 </pre>
444 However, take this case:
446 var script = document.createElement('script');
447 script.innerHTML = 'eval("alert(1);")';
448 document.getElementById('body').appendChild(script);
449 </pre>
451 blocked. That is, while the initial script execution is allowed, the behavior
452 within the script will be regulated by the page's CSP.
453 </p>
455 <p>
456 Thus, depending on how you write DOM injected scripts in your extension,
457 changes to the page's CSP may affect the behavior of your extension. Since
459 reason to put as much behavior as possible of your extension into the content
460 script rather than DOM injected scripts.
461 </p>