[chromium-blink-merge.git] / chrome / common / extensions / docs / templates / articles / contentSecurityPolicy.html
| blob | 47283ce316418f223e73b90b75cd2a4eaf2d4d5f |
4 <p>
5 In order to mitigate a large class of potential cross-site scripting issues,
6 Chrome's extension system has incorporated the general concept of
9 </a>. This introduces some fairly strict policies that will make extensions
10 more secure by default, and provides you with the ability to create and
11 enforce rules governing the types of content that can be loaded and executed
12 by your extensions and applications.
13 </p>
15 <p>
16 In general, CSP works as a black/whitelisting mechanism for resources loaded
17 or executed by your extensions. Defining a reasonable policy for your
18 extension enables you to carefully consider the resources that your extension
19 requires, and to ask the browser to ensure that those are the only resources
20 your extension has access to. These policies provide security over and above
22 requests; they're an additional layer of protection, not a replacement.
23 </p>
25 <p>
27 element. Inside Chrome's extension system, neither is an appropriate
28 mechanism. Instead, an extension's policy is defined via the extension's
30 </p>
33 {
34 ...,
36 ...
37 }
38 </pre>
41 For full details regarding CSP's syntax, please take a look at
42 <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#syntax">
43 the Content Security Policy specification
44 </a>, and the <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy/">
45 "An Introduction to Content Security Policy"
46 </a> article on HTML5Rocks.
47 </p>
51 <p>
54 </a> have no default content security policy. Those that select
56 of:
57 </p>
61 <p>
62 This policy adds security by limiting extensions and applications in three
63 ways:
64 </p>
70 <pre>
71 alert(eval("foo.bar.baz"));
74 new Function("return foo.bar.baz");
75 </pre>
77 <p>Evaluating strings of JavaScript like this is a common XSS attack vector.
78 Instead, you should write code like:
80 <pre>
81 alert(foo && foo.bar && foo.bar.baz);
82 window.setTimeout(function() { alert('hi'); }, 10);
83 window.setInterval(function() { alert('hi'); }, 10);
84 function() { return foo && foo.bar && foo.bar.baz };
85 </pre>
89 <p>
90 Inline JavaScript will not be executed. This restriction bans both inline
93 </p>
95 <p>
96 The first restriction wipes out a huge class of cross-site scripting attacks
97 by making it impossible for you to accidentally execute script provided by a
98 malicious third-party. It does, however, require you to write your code with a
99 clean separation between content and behavior (which you should of course do
100 anyway, right?). An example might make this clearer. You might try to write a
103 </p>
111 function awesome() {
112 // do something awesome!
113 }
115 function totallyAwesome() {
116 // do something TOTALLY awesome!
117 }
119 function clickHandler(element) {
121 }
123 function main() {
124 // Initialization work goes here.
125 }
130 Click for awesomeness!
135 <p>
136 Three things will need to change in order to make this work the way you expect
137 it to:
138 </p>
140 <ul>
141 <li>
144 </li>
145 <li>
146 <p>The inline event handler definitions must be rewritten in terms of
148 <p>If you're currently kicking off your program's execution via code like
152 former, as it generally triggers more quickly.</p>
153 </li>
154 <li>
157 JavaScript for execution.
158 </li>
159 </ul>
161 <p>
162 Those changes might look something like the following:
163 </p>
166 function awesome() {
167 // Do something awesome!
168 }
170 function totallyAwesome() {
171 // do something TOTALLY awesome!
172 }
174 <strong>function awesomeTask() {
175 awesome();
176 totallyAwesome();
177 }</strong>
179 function clickHandler(e) {
181 }
183 function main() {
184 // Initialization work goes here.
185 }
187 // Add event listeners once the DOM has fully loaded by listening for the
188 // `DOMContentLoaded` event on the document, and adding your listeners to
189 // specific elements when it triggers.
191 document.querySelector('button').addEventListener('click', clickHandler);
192 main();
193 });
194 </pre>
206 </pre>
208 <p>
213 <p>
214 Script and object resources can only be loaded from the extension's
215 package, not from the web at large. This ensures that your extension only
216 executes the code you've specifically approved, preventing an active network
217 attacker from maliciously redirecting your request for a resource.
218 </p>
220 <p>
221 Instead of writing code that depends on jQuery (or any other library) loading
222 from an external CDN, consider including the specific version of jQuery in
223 your extension package. That is, instead of:
224 </p>
231 <script src="<strong>http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js</strong>"></script>
237 </pre>
239 <p>
240 Download the file, include it in your package, and write:
241 <p>
259 <p>
260 There is no mechanism for relaxing the restriction against executing inline
261 JavaScript. In particular, setting a script policy that includes
263 </p>
267 <p>
268 If you have a need for some external JavaScript or object
269 resources, you can relax the policy to a limited extent by whitelisting
270 secure origins from which scripts should be accepted. We want to ensure that
271 executable resources loaded with an extension's elevated permissions are
272 exactly the resources you expect, and haven't been replaced by an active
273 network attacker. As <a
275 attacks</a> are both trivial and undetectable over HTTP, those origins will
276 not be accepted. Currently, we allow whitelisting origins with the following
279 </p>
281 <p>
282 To ease development, we're also allowing the whitelisting of resources loaded
283 over HTTP from servers on your local machine. You may whitelist script and
286 </p>
289 The restriction against resources loaded over HTTP applies only to those
290 resources which are directly executed. You're still free, for example, to
291 make XMLHTTPRequest connections to any origin you like; the default policy
293 in any way.
294 </p>
296 <p>
297 A relaxed policy definition which allows script resources to be loaded from
299 </p>
303 </pre>
307 by the policy. Chrome will not accept a policy that doesn't limit each of
309 </p>
311 <p>
312 Making use of Google Analytics is the canonical example for this sort of
313 policy definition. It's common enough that we've provided an Analytics
314 boilerplate of sorts in the <a href="samples.html#event-tracking-with-google-analytics">Event Tracking
315 with Google Analytics</a> sample extension, and a
317 </p>
321 <p>
326 </p>
330 </pre>
332 <p>
333 However, we strongly recommend against doing this. These functions are
334 notorious XSS attack vectors.
335 </p>
339 <p>
340 You may, of course, tighten this policy to whatever extent your extension
341 allows in order to increase security at the expense of convenience. To specify
345 extension is a good example of an extension that's been locked down above and
346 beyond the defaults.
347 </p>