Created
August 9, 2016 16:02
-
-
Save methyl/32ea162859edf51befaf3df5506fc242 to your computer and use it in GitHub Desktop.
Chrome CSP application patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- a/extensions/common/manifest_handlers/csp_info.cc | |
| +++ b/extensions/common/manifest_handlers/csp_info.cc | |
| @@ -32,21 +32,8 @@ const char kDefaultContentSecurityPolicy[] = | |
| "'self' blob: filesystem: data: chrome-extension-resource:" | |
| const char kDefaultPlatformAppContentSecurityPolicy[] = | |
| - // Platform apps can only use local resources by default. | |
| - "default-src 'self' blob: filesystem: chrome-extension-resource:;" | |
| - // For remote resources, they can fetch them via XMLHttpRequest. | |
| - " connect-src * data: blob: filesystem:;" | |
| - // And serve them via data: or same-origin (blob:, filesystem:) URLs | |
| - " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';" | |
| - " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | |
| - " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | |
| - " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";" | |
| - // Media can be loaded from remote resources since: | |
| - // 1. <video> and <audio> have good fallback behavior when offline or under | |
| - // spotty connectivity. | |
| - // 2. Fetching via XHR and serving via blob: URLs currently does not allow | |
| - // streaming or partial buffering. | |
| - " media-src * data: blob: filesystem:;"; | |
| + "script-src 'self' blob: filesystem: chrome-extension-resource:; " | |
| + "object-src 'self' blob: filesystem:;"; | |
| int GetValidatorOptions(Extension* extension) { | |
| int options = csp_validator::OPTIONS_NONE; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment