The idea is to block a number of attacks including XSS
One of Google Chrome's core values has been security, from the get go. It's been built with security in mind and that's proven a solid strategy as it remains one of the safest browsers around.So safe in fact that Google is offering up to $1 million, €744,000 to anyone that can break Chrome.
But resting on your laurels isn't good enough and Google is now tackling extension security by implementing "Content Security Policy," a number of features that have been already available to developers but which are now the default.
CSP is a mechanism for preventing several types of attacks, the most common being cross-site scripting (XSS) attacks by restricting the URIs that can be used by a web app to load resources.
This limitation makes it harder for an attacker to inject code into an app and have it run. But the policy also comes with some specific requirements, like the use of out-of-line scripts.
Chrome already supports CSP, albeit in an experimental form, but so does Firefox and the upcoming Internet Explorer 10.
When it comes to extensions, Chrome plans to gradually roll out the feature, so as not to disrupt third-party developers. While the feature is available to all extension developers now, it is not a requirement.
"Users can continue to install extensions that are available in the store regardless of whether they are secured with CSP or not. This means they will not lose any of the functionality they've added to Chrome," Google explained. "Developers will be able to choose when to enable the new behavior."
The problem is that enabling CSP for all extensions would break most of them, which is why Google is relying on developers to upgrade them. Already, they can use a new manifest_version 2 for their extensions, which would enable CSP for the extensions.
This will enforce several restrictions, extensions will only be able to use out-of-line scripts, i.e. external files rather than inserting the script inside the regular code. Extensions won't be able to use eval() anymore and won't be able to load plugins, such as Flash files, unless they've been included in the packaged extension or they're loaded from a set of whitelisted domains that use HTTPS.