PSA: CSP '*' source no longer matches blob:, data:, or filesystem


Joel Weinberger

Oct 5, 2015, 2:11:07 PM
to extensi...@chromium.org
Hi extensions devs. For a while, it turns out, we had a mismatch between Chrome's implementation of Content Security Policy and the spec, where Chrome matched a CSP source of '*' to blob:, data:, and filesystem: URLs, even though the spec explicitly says that this should not happen.

As of Chrome 47, from https://codereview.chromium.org/1361763005, we fixed the bug, so you now have to explicitly list blob:, data:, and filesystem: URLs in a CSP to allow them, even if the wildcard is present. This applies to extensions, as well as regular websites. We modified the default Chrome App policies so that connect-src and media-src include blob:, data:, and filesystem: explicitly, which should match the old behavior.

If you have an extension already, and you were relying on this matching, you'll need to update your extension so that you explicitly list whichever of those schemes you were using. We apologize for the inconvenience this may cause.
--Joel

Rob Wu

Oct 8, 2015, 4:48:30 PM
to Joel Weinberger, extensi...@chromium.org
Hi Joel,

In the linked CL, you've added blob:, data: and filesystem: to the CSP for apps to retain backwards-compatibility in the default case.

But the default CSP for extensions does not contain data:. Why?

Kind regards,
 Rob
 https://robwu.nl


Joel Weinberger

Oct 9, 2015, 5:13:29 AM
to Rob Wu, extensi...@chromium.org, rdevlin...@chromium.org
The CSP for extensions did not have a wildcard, so as you'll note from the CL (https://codereview.chromium.org/1361763005), I didn't touch the default extension CSP at all.

I'll let Devlin give a definitive response as to why it has never had data:, but I'm guessing it's because it's equivalent to allowing unsafe-inline.
--Joel

Devlin Cronin

Oct 9, 2015, 12:14:20 PM
to Joel Weinberger, Rob Wu, extensi...@chromium.org
> I'm guessing it's because it's equivalent to allowing unsafe-inline
Yep.  Allowing data: scheme is pretty dangerous in general, so allowing it by default for extensions would greatly reduce the benefit of having CSP.

Cheers,
- Devlin 

Rob Wu

Oct 9, 2015, 12:51:23 PM
to Devlin Cronin, Joel Weinberger, Rob Wu, extensi...@chromium.org
Thanks for your input Devlin.

I just looked again and noticed that the wildcard CSP only applies to connect-src and media-src in apps. In extensions, there is no default-src CSP, so there is no need to add data: to other directives since they're already allowed by default.

Kind regards,
 Rob
 https://robwu.nl
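
Added illustration (not Chrome's code, not from the linked CL, and not part of this thread): a small CSP matcher that implements the spec rule Joel describes ('*' matches network schemes only, so blob:, data: and filesystem: must be listed explicitly) plus the default-src fallback Rob's last message relies on. It assumes a simplified grammar (only '*', scheme-sources such as data:, 'none' and exact-origin host-sources; 'self' is not modelled), and the legacyWildcard flag is a name chosen here for the pre-Chrome-47 behaviour.

```javascript
// Minimal CSP source-list matcher following the spec's rule for '*'.
// Simplified: understands '*', scheme-sources ("data:"), 'none' and
// exact-origin host-sources ("https://api.example.com"); 'self' is not modelled.
const NETWORK_SCHEMES = new Set(['http', 'https', 'ws', 'wss', 'ftp']);

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// One source expression against one URL. `legacyWildcard` (name chosen here)
// reproduces the pre-Chrome-47 bug where '*' also matched blob:, data:, filesystem:.
function sourceMatches(expr, url, legacyWildcard = false) {
  const scheme = schemeOf(url);
  if (scheme === null || expr === "'none'") return false;
  if (expr === '*') return legacyWildcard || NETWORK_SCHEMES.has(scheme);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    // scheme-source such as "blob:" or "data:": the only way to allow them
    return expr.slice(0, -1).toLowerCase() === scheme;
  }
  // host-source: exact origin prefix match (simplified)
  return url.toLowerCase().startsWith(expr.toLowerCase() + '/');
}

// Parse "connect-src * blob:; media-src 'self'" into a Map of source lists.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Is `url` allowed for `directive`? A missing fetch directive falls back to
// default-src; with neither present (as in the default extension CSP, which
// has no default-src) the load is allowed.
function policyAllows(policy, directive, url, legacyWildcard = false) {
  const directives = parsePolicy(policy);
  const list = directives.get(directive.toLowerCase()) || directives.get('default-src');
  if (list === undefined) return true;
  return list.some((e) => sourceMatches(e, url, legacyWildcard));
}
```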
