From d6053133a8e4dc7b258a4ff801ba64d9d815ae7e Mon Sep 17 00:00:00 2001
From: Michael Hoffman
Date: Fri, 30 Aug 2024 12:51:42 -0700
Subject: [PATCH 1/3] remove articles, define redirects
---
 .openpublishing.redirection.json | 17 +-
 .../publish/add-ons-store-curation.md | 6 +-
 .../publish/publish-extension.md | 6 +-
 .../store-policies/ada-addendum.md | 35 --
 .../extensions-chromium/store-policies/csp.md | 315 ----------
 .../store-policies/developer-policies.md | 551 ------------------
 microsoft-edge/toc.yml | 6 +-
 7 files changed, 25 insertions(+), 911 deletions(-)
 delete mode 100644 microsoft-edge/extensions-chromium/store-policies/ada-addendum.md
 delete mode 100644 microsoft-edge/extensions-chromium/store-policies/csp.md
 delete mode 100644 microsoft-edge/extensions-chromium/store-policies/developer-policies.md
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index aa4da3b4c4..8f55563f90 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -790,7 +790,22 @@ Old redirects (to /archive/)
 /* Extensions: */
 {
 "source_path": "microsoft-edge/extensions/microsoft-browser-extension-policy.md",
- "redirect_url": "https://learn.microsoft.com/legal/microsoft-edge/microsoft-browser-extension-policy",
+ "redirect_url": "https://learn.microsoft.com/legal/microsoft-edge/extensions/microsoft-browser-extension-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "microsoft-edge/extensions-chromium/store-policies/csp.md",
+ "redirect_url": "https://learn.microsoft.com/legal/microsoft-edge/extensions/csp",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "microsoft-edge/extensions-chromium/store-policies/ada-addendum.md",
+ "redirect_url": "https://learn.microsoft.com/legal/microsoft-edge/extensions/ada-addendum",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "microsoft-edge/extensions-chromium/store-policies/developer-policies.md",
+ "redirect_url": "https://learn.microsoft.com/legal/microsoft-edge/extensions/developer-policies",
 "redirect_document_id": false
 },
 /* Privacy: */
diff --git a/microsoft-edge/extensions-chromium/publish/add-ons-store-curation.md b/microsoft-edge/extensions-chromium/publish/add-ons-store-curation.md
index ad14ceb11b..5e1a27c790 100644
--- a/microsoft-edge/extensions-chromium/publish/add-ons-store-curation.md
+++ b/microsoft-edge/extensions-chromium/publish/add-ons-store-curation.md
@@ -40,7 +40,7 @@ The quality and compliance of the item that is displayed on the Edge Add-ons sto
 Items violating the policy guidelines are not allowed in the store. There is a standard review process for each new item submission and new versions of items, per the developer policies. See also:
-* [Content Security Policy (CSP)](../store-policies/csp.md)
+* [Content Security Policy (CSP)](/legal/microsoft-edge/extensions/csp)
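Review bot: The hunk also rewrites the target of the pre-existing `microsoft-browser-extension-policy.md` redirect (inserting `/extensions/` into the path) in addition to defining the three redirects for the removed articles, and nothing in the diff shows that the new target exists. A redirect whose target is not live turns a previously working URL into a 404 for users who bookmarked the extension policy, so the four `/legal/microsoft-edge/extensions/...` targets should be confirmed to resolve before this lands. The commit message only mentions the removed articles; if the target change is intentional, a short note in the description ("also fixes the browser-extension-policy redirect target") would make the history self-explaining.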
@@ -67,5 +67,5 @@ Items are ranked for popularity based on user ratings at the store.
 ## See also
-* [Developer policies for the Microsoft Edge Add-ons store](../store-policies/developer-policies.md)
-* [Content Security Policy (CSP)](../store-policies/csp.md)
+* [Developer policies for the Microsoft Edge Add-ons store](/legal/microsoft-edge/extensions/developer-policies)
+* [Content Security Policy (CSP)](/legal/microsoft-edge/extensions/csp)
diff --git a/microsoft-edge/extensions-chromium/publish/publish-extension.md b/microsoft-edge/extensions-chromium/publish/publish-extension.md
index f1ca5df521..a17986171c 100644
--- a/microsoft-edge/extensions-chromium/publish/publish-extension.md
+++ b/microsoft-edge/extensions-chromium/publish/publish-extension.md
@@ -122,10 +122,10 @@ On the **Properties** webpage, enter the following information to specify proper
 |:--- |:--- |
 | Category (required) | The category that best describes your extension. Listing your extension in the right category helps users find your extension easily and understand more about it. |
 | Privacy policy requirements (required) | Indicate if your extension accesses, collects, or transmits any personal information. Your extension might fail the certification step if you select **Yes** and you don't provide a `Privacy policy URL`. |
-| Privacy policy URL | A valid privacy policy URL to communicate how your extension follows privacy laws and regulations. You're responsible for ensuring your extension follows privacy laws and regulations. You're also responsible for providing a privacy policy URL if any personal information is being accessed, transmitted, or collected by your extension. To determine if your extension requires a privacy policy, see [Microsoft Edge Developer Agreement](/legal/windows/agreements/app-developer-agreement) and [Developer policies for the Microsoft Edge Add-ons store](../store-policies/developer-policies.md). |
+| Privacy policy URL | A valid privacy policy URL to communicate how your extension follows privacy laws and regulations. You're responsible for ensuring your extension follows privacy laws and regulations. You're also responsible for providing a privacy policy URL if any personal information is being accessed, transmitted, or collected by your extension. To determine if your extension requires a privacy policy, see [Microsoft Edge Developer Agreement](/legal/windows/agreements/app-developer-agreement) and [Developer policies for the Microsoft Edge Add-ons store](/legal/microsoft-edge/extensions/developer-policies). |
 | Website URL | A webpage that provides additional information about your extension. 
The `Website URL` must point to a webpage on your own website, not the web listing for your extension in the [Microsoft Edge Add-ons website](https://microsoftedge.microsoft.com/addons/Microsoft-Edge-Extensions-Home). The `Website URL` helps users learn more about your extension, its features, and any other relevant information. |
 | Support contact details | The URL to your support webpage, or the email address to contact your support team. |
-| Mature content | Checkbox to specify if your extension includes mature content. Extension rating helps determine the appropriate age group of the target audience of your extension. To help determine if your extension has mature content, see [Developer policies for the Microsoft Edge Add-ons store](../store-policies/developer-policies.md). |
+| Mature content | Checkbox to specify if your extension includes mature content. Extension rating helps determine the appropriate age group of the target audience of your extension. To help determine if your extension has mature content, see [Developer policies for the Microsoft Edge Add-ons store](/legal/microsoft-edge/extensions/developer-policies). |
 Select **Save & Continue** to continue to the **Store listings** section.
@@ -161,7 +161,7 @@ The information provided in the following section is displayed to users who revi
 Make sure your video meets the following requirements.
-* Verify that the content of the YouTube video follows the [Developer policies for the Microsoft Edge Add-ons store](../store-policies/developer-policies.md).
+* Verify that the content of the YouTube video follows the [Developer policies for the Microsoft Edge Add-ons store](/legal/microsoft-edge/extensions/developer-policies).
 * Turn off advertisements on your video. For more information, see [Set your default ad formats](https://support.google.com/youtube/answer/2531367?ref_topic=7072227) and [Ads on embedded videos](https://support.google.com/youtube/answer/132596).
diff --git a/microsoft-edge/extensions-chromium/store-policies/ada-addendum.md b/microsoft-edge/extensions-chromium/store-policies/ada-addendum.md
deleted file mode 100644
index 8b9f388581..0000000000
--- a/microsoft-edge/extensions-chromium/store-policies/ada-addendum.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: App Developer Agreement Addendum for Microsoft Edge program users
-description: Microsoft Edge developer ADA Addendum.
-author: MSEdgeTeam
-ms.author: msedgedevrel
-ms.topic: conceptual
-ms.service: microsoft-edge
-ms.subservice: extensions
-ms.date: 02/17/2021
----
-# App Developer Agreement Addendum for Microsoft Edge program users
-
-
-
-## Exhibit G: Terms and Conditions for Microsoft Edge Extensions
-
-These Terms and Conditions for Microsoft Edge Extensions (the "Extensions Addendum") is a supplement to the terms and conditions of the [App Developer Agreement](https://go.microsoft.com/fwlink/p/?LinkID=221922). This Addendum applies if you have submitted or are making available Microsoft Edge Extensions (each, an "Extension") through Microsoft Edge Add-ons. Except as expressly modified by this Extensions Addendum, all of the terms and conditions in the App Developer Agreement, which is incorporated by reference herein, apply to the offering and distribution of your Microsoft Edge Extensions. Except where expressly modified by this Addendum, the terms and conditions that apply to an "Application" or "App" under the App Developer Agreement will apply to an Extension as defined in this Addendum and all references to "Store" or "Microsoft Store" under the App Developer Agreement will apply to Microsoft Edge Add-ons as defined in this Addendum.
-
-1. DEFINITIONS. Capitalized terms not defined herein will have the meanings provided in the App Developer Agreement.
-
- 1. "Certification Requirements" means the technical, functional, content, and other policy requirements provided by Microsoft (at [https://go.microsoft.com/fwlink/?linkid=2104222](developer-policies.md), or another location(s) specified by Microsoft) for Extensions offered through Microsoft Edge Add-ons.
-
- 1. 
"Microsoft Edge Add-ons" means a Microsoft owned or operated platform, however named, through which Microsoft Edge Extensions may be offered to or acquired by Customers.
-
-1. SUBMISSION, CERTIFICATION, AND DISTRIBUTION OF APPS. Section 3 of the App Developer Agreement is hereby deleted and replaced by the following:
-
- 1. Submission. You must submit to Microsoft each Extension that you wish to make available through Microsoft Edge Add-ons, including any updates to each Extension. You are solely responsible and liable for the Extensions you submit. You are responsible for supporting your extension. Microsoft will retain (or destroy) all copies of the Extension and other materials you submit. Microsoft will not return them, so you must maintain your own backup copies.
-
- 1. Updates to Extensions. You may submit updates to Extensions for Certification and distribution through Microsoft Edge Add-ons. Those updates are subject to all of the requirements of this Agreement. You understand that end users may receive updates automatically. You may not add any new functionality to your Extension via an update which requires written consent from the Customer without first providing notice to the Customer and obtaining any consents as may be required by law in the markets where you choose to distribute your Extension.
-
- 1. Initial Certification. Microsoft will test each Extension (including any updates) you submit for compliance with this Agreement (which includes the applicable Certification Requirements) and other policies made available to you (if any). Microsoft will not make any Extension available through Microsoft Edge Add-ons unless and until the Extension is Certified.
-
-1. AFFIRMATIVE DECLINE NOT REQUIRED. Notwithstanding Section 4(i) of the App Developer Agreement, you aren't required to affirmatively decline participation in Microsoft Store for Business and Microsoft Store for Education. 
Your Extension will only be available through the Microsoft Edge Add-ons.
-
-1. APP PRICING, PAYMENTS, TRANSACTIONS AND TAXES. Section 6 of the App Developer Agreement does not apply to Extensions and is hereby deleted in its entirety.
diff --git a/microsoft-edge/extensions-chromium/store-policies/csp.md b/microsoft-edge/extensions-chromium/store-policies/csp.md
deleted file mode 100644
index 494236f204..0000000000
--- a/microsoft-edge/extensions-chromium/store-policies/csp.md
+++ /dev/null
@@ -1,315 +0,0 @@
----
-title: Content Security Policy (CSP)
-description: Content Security Policy for Microsoft Edge extensions.
-author: MSEdgeTeam
-ms.author: msedgedevrel
-ms.topic: conceptual
-ms.service: microsoft-edge
-ms.subservice: extensions
-ms.date: 11/09/2022
----
-# Content Security Policy (CSP)
-
-In order to mitigate a large class of potential cross-site scripting issues, the Microsoft Edge Extension system has incorporated [Content Security Policy (CSP)](https://w3c.github.io/webappsec-csp). This introduces some strict policies that make Extensions more secure by default, and provides you with the ability to create and enforce rules governing the types of content that can be loaded and run by your Extensions and applications.
-
-In general, CSP works as a block/allowlisting mechanism for resources loaded or run by your Extensions. Defining a reasonable policy for your Extension enables you to carefully consider the resources that your Extension requires, and to ask the browser to ensure that those are the only resources your Extension has access to. The policies provide security over and above the host permissions your Extension requests; they are an additional layer of protection, not a replacement.
-
-On the web, such a policy is defined via an HTTP header or `meta` element. Inside the Microsoft Edge Extension system, neither is an appropriate mechanism. Instead, an Extension policy is defined using the `manifest.json` file for the Extension as follows:
-
-```javascript
-{
- ...,
- "content_security_policy": "[POLICY STRING GOES HERE]"
- ...
-}
-```
-
-> For full details regarding the CSP syntax, please take a look at the W3C [Content Security Policy specification](https://w3c.github.io/webappsec-csp) , and [An Introduction to Content Security Policy](https://www.html5rocks.com/en/tutorials/security/content-security-policy) at _HTML5Rocks_.
-
-
-
-## Default Policy Restrictions
-
-Packages that don't define a `manifest_version` don't have a default content security policy.
-
-Packages that use `manifest_version` have the following default content security policy:
-
-#### [Manifest V2](#tab/v2)
-
-```javascript
-script-src 'self'; object-src 'self'
-```
-
-#### [Manifest V3](#tab/v3)
-
-```javascript
-script-src 'self'; object-src 'self'; worker-src 'self'
-```
-
-The policy adds security by limiting Extensions and applications in three ways:
-
-
-#### Eval and related functions are disabled
-
-Code like the following doesn't work:
-
-```javascript
-alert(eval("foo.bar.baz"));
-window.setTimeout("alert('hi')", 10);
-window.setInterval("alert('hi')", 10);
-new Function("return foo.bar.baz");
-```
-
-Evaluating strings of JavaScript like this is a common XSS attack vector. Instead, you should write code like:
-
-```javascript
-alert(foo && foo.bar && foo.bar.baz);
-window.setTimeout(function() { alert('hi'); }, 10);
-window.setInterval(function() { alert('hi'); }, 10);
-function() { return foo && foo.bar && foo.bar.baz };
-```
-
-
-#### Inline JavaScript aren't run
-
-Inline JavaScript aren't run. This restriction bans both inline ` - - - - - -```
-
-But three things must change in order to make this work the way you expect it to:
-
-* The `clickHandler` definition must be moved into an external JavaScript file (`popup.js` may be a good target).
-
-* The inline event handler definitions must be rewritten in terms of `addEventListener` and extracted into `popup.js`. If you're currently starting your program using code like ``, consider replacing it by hooking into the `DOMContentLoaded` event of the document, or the `load` event of the window, depending on your requirements. Use the former, since it generally triggers more quickly.
-
-* The `setTimeout` call must be rewritten to avoid converting the string `"awesome(); totallyAwesome()"` into JavaScript for running.
-
-Those changes could look something like the following:
-
-```javascript
-function awesome() {
- // Do something awesome!
-}
-
-function totallyAwesome() {
- // do something TOTALLY awesome!
-}
-
-function awesomeTask() {
- awesome();
- totallyAwesome();
-}
-
-function clickHandler(e) {
- setTimeout(awesomeTask, 1000);
-}
-
-function main() {
- // Initialization work goes here.
-}
-
-// Add event listeners once the DOM has fully loaded by listening for the
-// `DOMContentLoaded` event on the document, and adding your listeners to
-// specific elements when it triggers.
-document.addEventListener('DOMContentLoaded', function () {
- document.querySelector('button').addEventListener('click', clickHandler);
- main();
-});
-```
-
-```html - - - - My Awesome Pop-up! - - - - - - -```
-
-
-#### Only local script and object resources are loaded
-
-Script and object resources are only able to be loaded from the Extension package, not from the web at large. This ensures that your Extension only runs the code you specifically approved, preventing an active network attacker from maliciously redirecting your request for a resource.
-
-Instead of writing code that depends on jQuery (or any other library) loading from an external CDN, consider including the specific version of jQuery in your Extension package. That is, instead of:
-
-```html - - - - My Awesome Pop-up! - - - - - - -```
-
-Use the following approach instead. Download the file, include it in your package, and write:
-
-```html - - - - My Awesome Pop-up! - - - - - - -```
-
-
-
-## Relaxing the default policy
-
-
-#### Inline Script
-
-
-
-Inline scripts can be allowed by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). For an example, see [W3C > Hash usage for \ elements](https://www.w3.org/TR/CSP2#script-src-hash-usage).
-
-
-#### Remote Script
-
-If you require some external JavaScript or object resources, you can relax the policy to a limited extent by allowlisting secure origins from which scripts should be accepted. Verify that runtime resources loaded with with elevated permissions of an Extension are exactly the resources you expect, and aren't replaced by an active network attacker. As [man-in-the-middle attacks](https://wikipedia.org/wiki/Man-in-the-middle_attack) are both trivial and undetectable over HTTP, those origins aren't accepted.
-
-Currently, you can allowlist origins that have the following schemes: `blob`, `filesystem`, `https`, and `extension`. The host part of the origin must explicitly be specified for the `https` and `extension` schemes. Generic wildcards such as https:, `https://*` and `https://*.com` aren't allowed; subdomain wildcards such as `https://*.example.com` are allowed. Domains in the [Public Suffix list](https://publicsuffix.org/list) are also viewed as generic top-level domains. To load a resource from these domains, the subdomain must explicitly be listed. For example, `https://*.cloudfront.net` is not valid, but `https://XXXX.cloudfront.net` and `https://*.XXXX.cloudfront.net` can be `allowlisted`.
-
-For development ease, resources loaded over HTTP from servers on your local machine can be `allowlisted`. You can allowlist script and object sources on any port of either `http://127.0.0.1` or `http://localhost`.
-
-> [!NOTE]
-> The restriction against resources loaded over HTTP applies only to those resources which are directly run. You are still free, for example, to make `XMLHTTPRequest` connections to any origin you like; the default policy doesn't restrict `connect-src` or any of the other CSP directives in any way.
-
-A relaxed policy definition which allows script resources to be loaded from `example.com` over HTTPS may look like:
-
-```javascript
-"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"
-```
-
-> [!NOTE]
-> Both `script-src` and `object-src` are defined by the policy. Microsoft Edge doesn't accept a policy that doesn't limit each of these values to (at least) '`self`'.
-
-
-
-#### Evaluated JavaScript
-
-The policy against `eval()` and related functions like `setTimeout(String)`, `setInterval(String)`, and `new Function(String)` can be relaxed by adding `unsafe-eval` to your policy:
-
-```javascript
-"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
-```
-
-However, you should avoid relaxing policies. These types of functions are notorious XSS attack vectors.
-
-
-## Tightening the default policy
-
-You can tighten this policy to whatever extent your Extension allows, in order to increase security, at the expense of convenience. To specify that your Extension can only load resources of any type (images, and so on) from the associated Extension package, for example, a policy of `default-src 'self'` might be appropriate.
-
-
-
-
-## Content Scripts
-
-The policy being discussing applies to the background pages and event pages of the Extension. How the content scripts apply to the content scripts of the Extension is more complicated.
-
-Content scripts are generally not subject to the CSP of the Extension. Since content scripts aren't HTML, the main impact of this is that they can use `eval` even if the CSP of the Extension doesn't specify `unsafe-eval`, although this is not recommended. Additionally, the CSP of the page doesn't apply to content scripts. More complicated are `"); - ```
-
-This content script causes an `alert` immediately upon the `document.write()`. Note that this runs regardless of the policy a page specifies.
However, the behavior becomes more complicated both inside that DOM injected script and for any script that doesn't immediately run upon injection.
-
-Imagine that your Extension is running on a page that provides an associated CSP that specifies `script-src 'self'`. Now imagine the content script runs the following code:
-
-```javascript
-document.write("'");
-```
-
-If a user clicks that button, the `onclick` script doesn't run. This is because the script didn't immediately run, and code that isn't interpreted until the `click` event occurs isn't considered part of the content script, so the CSP of the page (not of the Extension) restricts the behavior. And since that CSP doesn't specify `unsafe-inline`, the inline event handler is blocked.
-
-The correct way to implement the desired behavior in this case is to add the `onclick` handler as a function from the content script, as follows:
-
-```javascript
-document.write("'");
-var button = document.getElementById('mybutton');
-button.onclick = function() {
- alert(1);
-};
-```
-
-Another similar issue arises if the content script runs the following:
-
-```javascript
-var script = document.createElement('script');
-script.innerHTML = 'alert(1);'
-document.getElementById('body').appendChild(script);
-```
-
-In this case, the script runs, and the alert appears. However, consider this case:
-
-```javascript
-var script = document.createElement('script');
-script.innerHTML = 'eval("alert(1);")';
-=document.getElementById('body').appendChild(script);
-```
-
-While the initial script runs, the call to `eval` is blocked. That is, while the initial script runtime is allowed, the behavior within the script is regulated by the CSP of the page. Thus, depending on how you write DOM injected scripts in your Extension, changes to the CSP of the page might affect the behavior of your Extension.
-
-Since content scripts aren't affected by the CSP of the page, this a great reason to put as much behavior as possible of your Extension into the content script, rather than DOM injected scripts.
-
-
-
-> [!NOTE]
-> Portions of this page are modifications based on work created and [shared by Google](https://developers.google.com/terms/site-policies) and used according to terms described in the [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0).
-> The original page is found [here](https://developer.chrome.com/docs/extensions/reference/manifest/content-security-policy).
-
-[![Creative Commons License](../../media/cc-logo/88x31.png)](https://creativecommons.org/licenses/by/4.0)
-This work is licensed under a [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0).
diff --git a/microsoft-edge/extensions-chromium/store-policies/developer-policies.md b/microsoft-edge/extensions-chromium/store-policies/developer-policies.md
deleted file mode 100644
index 9fa071fe6d..0000000000
--- a/microsoft-edge/extensions-chromium/store-policies/developer-policies.md
+++ /dev/null
@@ -1,551 +0,0 @@
----
-title: Developer policies for the Microsoft Edge Add-ons store
-description: Developer policies for submitting extensions via Partner Center to be published at the Microsoft Edge Add-ons store website.
-author: MSEdgeTeam
-ms.author: msedgedevrel
-ms.topic: conceptual
-ms.service: microsoft-edge
-ms.subservice: extensions
-ms.date: 07/02/2024
----
-# Developer policies for the Microsoft Edge Add-ons store
-
-To develop an extension to be published through the Microsoft Edge Add-ons store, follow these policies. These policies apply to submitting extensions through [Partner Center](https://partner.microsoft.com/dashboard/home) and publishing the extensions at the [Microsoft Edge Add-ons](https://microsoftedge.microsoft.com/addons/Microsoft-Edge-Extensions-Home) store.
-
-The _Microsoft Edge Add-ons store_ is also called the _Edge Add-ons store_, the _Microsoft Edge Add-ons website_, or the _Edge Add-ons website_.
-
-
-
-## Principles
-
-The following principles are reflected in these developer policies:
-
-* Offer unique and distinct value within your extension for Microsoft Edge. Provide a compelling reason to download your extension from the Microsoft Edge Add-ons store.
-
-* Do not mislead users about what your extension does, who is offering it, and so on.
-
-* Do not attempt to cheat users, the system, or the ecosystem. There is no place in Microsoft Edge Add-ons for any kind of fraud; be it ratings and review manipulation, credit card fraud, or other fraudulent activity.
-
-Adhering to these policies for the Microsoft Edge Add-ons store helps you make choices that enhance the appeal and audience of your extension.
-
-
-
-## Building quality products
-
-Microsoft is committed to delivering quality products to its customers. Therefore, extensions which don't follow the quality guidelines aren't allowed, such as:
-
-* Content deemed not family-friendly.
-
-* Bots: Any extension that automatically generates spam-like or unsolicited messages on the user's behalf, or that performs automated actions to manipulate a platform's features, such as artificially inflating engagement metrics.
-
-* Cryptocurrency: Crypto mining and any other illegitimate activities that involve crypto wallets and currency.
-
-* Non-production builds: For example, an extension that's still in an experimental stage, that's prone to crashes or instability, or that's designed for internal testing purposes only and not intended for public release.
-
-* Prohibited products: An extension that promotes or facilitates the sale of illegal drugs, firearms, or counterfeit goods would be considered a prohibited product, and any extension that violates intellectual property rights, such as offering pirated software or copyrighted content without authorization, would be restricted.
-
-* Gambling content.
-
-
-
-## 1. Product policies
-
-
-
-#### 1.1 Distinct function and value; accurate representation
-
-Your extension and associated metadata must accurately and clearly reflect the source, functionality, and features that you describe.
-
-
-###### 1.1.1 Extensions must have a single purpose
-
-Your extension must have a single purpose with narrow functionality. For example, your extension cannot function as a simple calculator and as a code remote scanner simultaneously.
-
-
-###### 1.1.2 Describe your extension
-
-All aspects of your extension should accurately describe the functions, features and any important limitations of your extension, including required or supported input devices. The value proposition of your extension must be clear during the first run experience. Your extension may not use a name or icon similar to that of other extensions, must not reference other browsers, and must not claim to represent a company, government body, or other entity if you don't have permission to make that representation.
-
-If screenshots are provided, they must:
-- Be clear and informative.
-- Render properly; for example, must not be stretched or blurry.
-
-All functionality of an extension should be clearly disclosed to the user. Any extension that attempts to deceive or mislead users will be removed from the store.
-
-
-###### 1.1.3 Functionality
-
-Your extension must be fully functional, as in, there should not be any blockers, including but not limited to, broken URLs or blocked webpage links.
-
-
-###### 1.1.4 Search and discovery
-
-Search terms may not exceed seven unique terms, and should be relevant to your extension.
-
-
-###### 1.1.5 Provide appropriate details
-
-There should be distinct and informative details about your extension and its functionality in the listing (metadata) for your extension.
-
-
-###### 1.1.6 Stability and performance
-
-You must ensure that your extension is stable and does not cause the browser to freeze or crash.
-
-In general, the extension cannot interfere with the normal functioning of the browser or operating system.
-
-
-###### 1.1.7 Obfuscation
-
-Extensions with obfuscated code aren't allowed. This includes code within your extension package, as well as any external code or resource fetched from the web. You may be asked to refactor parts of your code, if it is not reviewable.
-
-
-###### 1.1.8 Altering browser settings
-
-Your extension must not, without appropriate user consent, alter, or appear to alter, browser functionality or settings including, but not limited to: the address bar search provider and suggestions, the start or home page, the new tab page, and adding or removing favorites.
-
-Any changes made to the device settings must be done with the user's knowledge and consent, and must be easily reversible by the user.
-
-Any alteration of browser settings, such as new tabs and search engines, should be mentioned in the listing or description, and such alterations should use standard APIs to achieve that functionality. 
They must not override default settings without user permission.
-
-
-
-#### 1.2 Security
-
-Extensions must declare all permissions that are required for their functionality in the manifest. Your extension must only request those permissions that are essential for functioning.
-
-Any `declarativeNetRequest` rules must be clearly declared within the extension, and should not be imported remotely unless necessary for functionality.
-
-Extensions must not collect or track sensitive user information without clear consent, and must clearly state any user data handling in their privacy policy. User-sensitive data must be encrypted by using proper mechanisms such as SSL, and must not be transported via insecure channels.
-
-Extensions must not promote deceptive installation of other extensions.
-
-Bulk submissions of extensions with the same functionality and code are not allowed.
-
-Extensions should not exploit security vulnerabilities of other extensions or applications, and must keep authentication information secure.
-
-Extensions that function as crypto wallets can only be published by verified company accounts.
-
-In general, your extension must not jeopardize or compromise user security, or the security or functionality of the device, system, or related systems.
-
-
-###### 1.2.1 Content security policies
-
-If you make any changes to your extension beyond the described functionality, any changes to code must be compliant with the Content Security Policy for Microsoft Edge extensions; see [Content Security Policy (CSP)](./csp.md). For example, your extension should not download a remote script and subsequently run that script in a manner that is not consistent with the described functionality.
-
-
-###### 1.2.2 Unwanted and malicious software
-
-Your extension must not contain or enable malware that may harm the operation of the network, servers, and infrastructure of Microsoft or any third parties. 
Spyware, malicious scripts, and phishing scams are also prohibited.
-
-Your extension must comply with the Microsoft criteria for unwanted and malicious software, listed in [How Microsoft identifies malware and potentially unwanted applications](/windows/security/threat-protection/intelligence/criteria).
-
-
-###### 1.2.3 Dependency on other software
-
-Your extension may depend on non-integrated software (such as another product, module, or service) to deliver the primary functionality. However, this information should be clearly disclosed in the description.
-
-
-###### 1.2.4 Extension updates
-
-Unless otherwise permitted by Microsoft, your extension must be updated only through Partner Center and the Edge Add-ons store.
-
-
-
-#### 1.3 Product is testable
-
-Your extension must be fully testable, and all the steps required for testing the product must be provided at the time of submission.
-
-
-###### 1.3.1 User credentials
-
-If your extension requires login credentials, then provide a test account and credentials or provide a clear and reasonable explanation as to why test credentials cannot be provided for the extension in the `Submission Options > Notes for certification`.
-
-
-###### 1.3.2 Availability of services
-
-If your extension requires access to a server, the server must be functional, to verify that the extension works correctly.
-
-
-
-#### 1.4 Usability
-
-Your extension must meet Microsoft Edge Add-ons store standards for usability, including, but not limited to, those listed in the subsections below.
-
-
-###### 1.4.1 Compatibility across platforms
-
-Your extension should be compatible with Microsoft Edge on all the devices and platforms on which it may be downloaded. If an extension is downloaded on a device with which it is not compatible, it should detect that at launch, and display a message to the user detailing the requirements that devices must meet in order to be compatible with the extension.
-
-
-###### 1.4.2 User experience
-
-Your extension must start up promptly, and must stay responsive to user input. It must also shut down gracefully, and not close unexpectedly.
-
-
-
-#### 1.5 Personal information
-
-The following requirements apply to extensions that access personal information. _Personal information_ includes all information or data that identifies or could be used to identify a person, or that is associated with such information or data.
-
-
-###### 1.5.1 Collect personal information only when necessary
-
-Your extension may collect, access, use, or transmit personal information (including web browsing activity) only if required by and only for use in a prominently disclosed, user-facing feature.
-
-You must clearly state the data handling practices of your extension at the time of installation, including any transfer or use of user data.
-
-You must obtain explicit prior consent from the user before any merger, acquisition, or sale of your assets that may involve the transfer of user data.
-
-You must obtain explicit prior consent from the user and have a clear policy before accessing and providing the user with re-access information when the user has lost their password for the product or service.
-
-You must have a clear and comprehensive privacy policy that outlines your data handling practices, including the use of any third-party services.
-
-
-###### 1.5.2 Maintain a privacy policy
-
-Your privacy policy must describe the controls that users have over the use and sharing of their information, how they access their information, and it must comply with applicable laws and regulations. Your privacy policy must be kept up-to-date as you add new features and functionality to your extension.
-
-The privacy policy provided should be relevant to the product and should not use the Microsoft privacy statement unless the extension is an official Microsoft extension.
Additionally, the privacy policy should primarily refer to the Microsoft Edge browser and not other browsers. Any data that's collected should be aggregated and anonymized, and must used in accordance with applicable privacy and other jurisdictional legal requirements.
-
-If you provide Microsoft with your privacy policy, then you agree to permit Microsoft to share such privacy policy with users of your extension.
-
-
-###### 1.5.3 Sharing data with third parties
-
-You may publish the personal information of users of your extension to an outside service or third-party through your extension or associated metadata only after obtaining opt-in consent from those users. Opt-in consent means the users give their express permission in the user interface of your extension for the requested activity, after you:
-
-* Describe to your users how the information is accessed, used or shared and indicate the types of parties to whom it is disclosed.
-
-* Provide your users a mechanism in your extension user interface through which they have the option to later rescind the permission and opt-out.
-
-
-###### 1.5.4 Sharing information of non-users
-
-If you publish a person's personal information to an outside service or third-party through your extension or the metadata, but the person whose information is being shared is not a user of your extension:
-
-1. You must obtain express written consent to publish that personal information.
-
-1. You must permit the person whose information is shared to withdraw that consent at any time.
-
-1. Your privacy policy must clearly disclose that you may collect personal information in this manner.
-
-1. If required by applicable law you must delete the personal information of any individual upon request, including individuals whose information you collect in this manner.
-
-1. If your extension provides users with access to another person's personal information, this requirement also applies.
-
-
-###### 1.5.5 Transmit information securely
-
-Your extension must only use modern and secure cryptography methods to collect, store, or transmit personal information.
-
-You must not publicly disclose any financial or payment information related to your extension or its users.
-
-You must not publicly disclose any authentication information related to your extension or its users.
-
-In the event of a security breach involving financial or payment information or authentication information, you must immediately inform affected users and entities, including applicable authorities, and must also take necessary steps to address the breach.
-
-
-###### 1.5.6 Highly sensitive information
-
-Your extension must not collect, store, or transmit highly sensitive personal information, such as health or financial data, unless the information is related to the functionality of your extension. Your extension must also obtain express user consent before collecting, storing, or transmitting such information.
-
-
-
-#### 1.6 Permissions
-
-Your extension must only request those permissions that are necessary for functioning and may not request permission for functionalities that go beyond the capabilities required to perform and function as declared.
-
-Requesting permissions or features solely for the purpose of "future proofing" is not allowed.
-
-
-
-#### 1.7 Localization
-
-You should localize your extension for all languages that your extension claims to support. The text of the description of your extension should be localized in each language that you declare.
-
-If your extension is localized such that some features aren't available in a localized version, you must clearly state or display the limits of localization in your extension description. The experience provided by an Extension must be reasonably similar in all languages that it supports.
-
-
-
-#### 1.8 Financial transactions
-
-If your product includes in-product purchase, subscriptions, virtual currency, billing functionality, or captures financial information; the requirements in the following sections apply.
-
-
-###### 1.8.1 Paid features
-
-You must use a secure third-party purchase API for purchases of physical goods or services.
-
-You must use a secure third-party purchase API for payments made in connection with any other services including real-world gambling or charitable contributions. However, you must comply with any applicable laws or regulations regarding your services.
-
-You must clearly and honestly describe the type of products you sell and clearly and honestly post the terms of sale.
-
-If your extension is used to facilitate or collect charitable contributions or to conduct promotional sweepstakes or contests, then you must do so in compliance with any applicable laws and regulations.
-
-You must also state clearly and prominently that Microsoft is not the fundraiser or sponsor of the promotion.
-
-In-product offerings sold in your extension must not be converted to any legally valid currency (such as USD, Euro, and so on) or any physical goods or services.
-
-
-###### 1.8.2 Disclosing paid features
-
-Your extension and associated metadata must clearly provide information about the types of in-product purchases offered and the range of prices. You must not mislead users and must be clear about the nature of your in-product promotions and offerings including the scope and terms of any trial experiences.
-
-If your extension restricts access to user-created content during or after a trial, then you must notify users in every step of the process.
-
-In addition, your extension must make it clear to users that they are initiating a purchase option in your extension.
-
-
-
-#### 1.9 Notifications
-
-Your extension must respect system settings for notifications.
Any presentation of ads and notifications to users must be consistent with user preferences, regardless of whether the notifications are provided by the Microsoft Push Notification Service (MPNS), Windows Push Notification Service (WNS), or any other service.
-
-If the user disables notifications, either on a product-specific or system-wide basis, then your extension must adhere to the user's notification settings and remain functional even though notifications may be disabled.
-
-Also, you'll be receiving notifications related to your accounts, including but not limited to, login attempts, account changes, and security alerts. To ensure the security of your accounts and the add-ons you submit, verify your accounts through a secure and approved method.
-
-
-###### 1.9.1 General guidance
-
-Notifications provided through WNS or MPNS are considered product content, and are subject to all developer policies for the Microsoft Edge Add-ons store.
-
-
-###### 1.9.2 Ownership of notifications
-
-You must not obscure or try to disguise the source of any notification initiated from your extension.
-
-
-###### 1.9.3 No confidential or sensitive information
-
-You must not include in a notification any information users may reasonably consider confidential or sensitive.
-
-
-###### 1.9.4 Purpose of notifications
-
-Notifications sent from your extension must relate to that extension or to other extensions you publish in the Microsoft Edge Add-ons store, and must not include promotional messages of any kind that aren't related to your extension.
-
-
-
-#### 1.10 Advertising conduct and content
-
-For all advertising related activities, the following requirements apply:
-
-
-###### 1.10.1 Purpose
-
-The primary content of your extension must not be advertising, and your extension should not bundle other extension offers within the same flow.
-
-Users should not be misled to click on advertisements to fully use the extension.
-
-
-###### 1.10.2 Policies and agreements
-
-Any ad content that's displayed by your extension must conform to the following:
-* The [Microsoft Advertising Network policies](https://about.ads.microsoft.com/policies/home).
-* The advertising requirements of the [App Developer Agreement](/legal/windows/agreements/app-developer-agreement).
-* The advertising requirements of the developer policies for the Microsoft Edge Add-ons store.
-
-
-###### 1.10.3 Quality of advertising
-
-* The primary purpose of your extension must not be to get users to click ads.
-
-* Your extension must not do anything that interferes with or diminishes the visibility, value, or quality of any ads that it does display.
-
-
-###### 1.10.4 Promotions
-
-If you purchase or create promotional ad campaigns to promote your extension through the ad campaign functionality in Partner Center, all ad materials you provide to Microsoft, including any associated landing pages, must comply with [Microsoft Creative Specifications Policy](https://about.ads.microsoft.com/policies/creative-specs) and [Microsoft Advertising Network policies](https://about.ads.microsoft.com/policies/home).
-
-
-###### 1.10.5 Notifying users of opt-out for interest-based advertising
-
-Your privacy statement or terms of use must let users know you plan to send personal information to the ad service provider and must tell users how they may opt-out of interest-based advertising.
-
-
-###### 1.10.6 Other guidelines
-
-If your extension is directed at children under the age of 13, as defined in the [Children's Online Privacy Protection Act](https://www.ftc.gov/tips-advice/business-center/privacy-and-security/children%27s-privacy); you must notify Microsoft of this fact in Partner Center and ensure that all ad content displayed in your extension is appropriate for children under the age of 13.
-
-
-
-## 2.
Content policies
-
-The following policies apply to content and metadata offered for distribution in [Microsoft Edge Add-ons](https://microsoftedge.microsoft.com/addons/Microsoft-Edge-Extensions-Home).
-
-_Content_ means the images, sounds, videos, and text contained in your extension; the tiles, notifications, error messages, or ads exposed through your extension; and anything delivered from a server, or anything to which your extension connects.
-
-_Metadata_ includes publisher name, extension name, extension icon, extension description, extension screenshots, extension trailers and trailer thumbnails, and any other extension metadata.
-
-Because extensions and Microsoft Edge Add-ons are used around the world, these requirements are interpreted and applied in the context of regional and cultural norms.
-
-
-
-#### 2.1 Content requirements
-
-For your extension to be listed in the Microsoft Edge Add-ons store, your extension and metadata you submit should not contain mature, explicit, or otherwise inappropriate content.
-
-This includes content that is:
-* Discriminatory, hateful, or offensive.
-* Harmful or dangerous.
-* Misleading or fraudulent.
-* Spam or malware.
-
-Examples of specific types of content that would be considered inappropriate for Edge Add-ons include:
-* Pornography or nudity.
-* Hate speech or symbols.
-* Violence or gore.
-* Drugs or alcohol.
-* Gambling.
-* Illegal activities.
-* Misleading or fraudulent claims.
-* Spam or malware.
-
-The above list of inappropriate content is not exhaustive. The Microsoft Edge Add-ons store may reject or remove any extension that they deem to be inappropriate, even if it does not violate any specific policy.
-
-An extension that doesn't meet the requirements for Microsoft Edge Add-ons store listings may be rejected or promptly removed.
-
-
-
-#### 2.2 Content including names, logos, and original and third-party content
-
-All content in your extension and associated metadata must be originally created by you or appropriately licensed from a rights holder and must be used only as permitted by the rights holder or as otherwise permitted by law.
-
-The content must reference Microsoft trademarks only to the extent necessary, and should not modify or alter the trademarks in any way.
-
-If not created or appropriately licensed, a disclaimer should be added stating the same.
-
-
-
-#### 2.3 Risk of harm
-
-
-###### 2.3.1 Requirements
-
-Your extension must not contain any content that facilitates or glamorizes the following real world activities: (a) extreme or gratuitous violence; (b) human rights violations; (c) the creation of illegal weapons; or (d) the use of weapons against a person, animal, or real or personal property.
-
-
-###### 2.3.2 Responsibility
-
-Your extension must not: (a) pose a safety risk to, nor result in discomfort, injury or any other harm to end users or to any other person or animal; or (b) pose a risk of or result in damage to real or personal property. You are solely responsible for all extension safety testing, certificate acquisition, and implementation of any appropriate feature safeguards.
-
-You must not disable any platform safety or comfort features and you must include all applicable legally required and industry-standard warnings, notices, and disclaimers in your extension.
-
-
-
-#### 2.4 Defamatory, libelous, slanderous, or threatening
-
-Your extension must not contain content that is defamatory, libellous, slanderous, threatening, or that promotes extremism such as the use of violence.
-
-
-
-#### 2.5 Offensive content
-
-Your extension and associated metadata must not contain potentially sensitive or offensive content.
-
-Content may be considered sensitive or offensive in certain countries/regions because of local laws, regulations, or cultural norms.
-
-In addition, your extension and associated metadata must not contain content that advocates discrimination, hatred, or violence based on sensitive circumstances, such considerations of race, ethnicity, national origin, language, gender, age, disability, religion, sexual orientation, status as a veteran, or membership in any other social group.
-
-
-
-#### 2.6 Alcohol, tobacco, and drugs
-
-Your extension and associated data must not contain any content that facilitates or glamorizes excessive or irresponsible use of alcohol or tobacco products or drugs.
-
-
-
-#### 2.7 Adult content
-
-Your extension and associated data must not contain or display content that a reasonable person would consider pornographic or sexually explicit.
-
-For example, content is not allowed that contains nudity, graphic sex acts, or sexually explicit material, or that drives traffic to a pornography site.
-
-
-
-#### 2.8 Prohibited content, services, and activity
-
-Your extension must adhere to the following conditions:
-
-* Your extension must not contain content or provide services that facilitate online gambling.
-
-* Online gambling includes but is not limited to online casinos, sports betting, lotteries, or games of skill that offer prizes of cash or other value.
-
-* Your extension must not provide unauthorized access to website content, such as by circumventing paywalls or login restrictions.
-
-* Your extension must not provide, encourage, or enable the unauthorized access, download, or streaming of copyrighted content or media.
-
-* Your extension must not mine cryptocurrency.
-
-Extensions manipulating, cheating, or exploiting Microsoft systems, causing revenue loss, or extensions engaging in fraudulent activities, are strictly prohibited.
-
-This prohibition applies to all developers, partners, and third parties. Non-compliance may result in extension removal and account suspension or termination.
-
-Your extension must adhere to applicable laws and regulations, Microsoft's terms of service, and applicable privacy policies. Microsoft reserves the right to review extensions for compliance and to promptly remove any noncompliant extension.
-
-
-
-#### 2.9 Illegal activity
-
-Your extension and the associated data must not contain content or functionality that encourages, facilitates, or glamorizes illegal activity in the real world.
-
-
-
-#### 2.10 Excessive profanity and inappropriate content
-
-* Your extension must not contain excessive or gratuitous profanity.
-
-* Your extension must not contain or display content that a reasonable person considers obscene.
-
-
-
-#### 2.11 Country- or region-specific requirements
-
-Content that is offensive in any country or region to which your extension is targeted is not allowed. Content may be considered offensive in certain countries or regions because of local laws or cultural norms.
-
-
-
-#### 2.12 Age ratings
-
-
-###### 2.12.1 Mature content
-
-When you submit your extension to Partner Center, you must indicate whether your extension displays content that should be marked "Mature". When determining the rating for your extension, consider all the content in your app, including user generated content and ads, and to the content that your extension links. If you indicate that your extension doesn't contain any "Mature" content, you are responsible for maintaining the accuracy of this rating.
-
-Regardless of the rating given to your extension, it must still adhere to all the content requirements of the Microsoft Edge Add-ons store developer policies.
-
-
-###### 2.12.2 Ratings change
-
-If your extension provides content (such as user-generated, retail, or other web-based content) that might be appropriate for a higher age rating than the assigned rating, you must require users to opt into receiving such content by using a content filter or by signing in with a pre-existing account.
-
-
-
-#### 2.13 Videos
-
-If you submit a promotional video in the listing, it should strictly adhere to these [content policies](/microsoft-edge/extensions-chromium/store-policies/developer-policies#2-content-policies).
-
-
-
-## Complaint and appeal process for Microsoft Edge Add-ons certification
-
-All extensions must adhere to the store policies listed above. If your extension failed in the review process, review the store policies to understand the reason for failure. After submitting your extension using Partner Center, to ask a question about the review or certification status of it, go to [New Support Request](https://support.microsoft.com/supportrequestform/e7a381be-9c9a-fafb-ed76-262bc93fd9e4) and complete the form.
-
-
-
-#### Appeal statistics for Microsoft Edge Add-ons for FY2024
-
-| Statistic | Count |
-|-----------------------------------------------------------------------|-----------|
-| App and/or account enforcement action appeals | 50 |
-| Complaints about technological issues | 17 |
-| Regulatory compliance complaints | 0 |
-| Questions about certification, policy, submission, and technical help | 173 |
-| Miscellaneous | 358 |
-| Total issues | 261 |
-| Overturned decisions | 52 |
-| Average processing time | 1.88 days |
-
-These numbers were reported on July 2, 2024.
diff --git a/microsoft-edge/toc.yml b/microsoft-edge/toc.yml
index 077094711b..fcb8c7e489 100644
--- a/microsoft-edge/toc.yml
+++ b/microsoft-edge/toc.yml
@@ -1097,13 +1097,13 @@ - name: Policies for Microsoft Edge Add-ons items: - name: Content Security Policy (CSP) - href: extensions-chromium/store-policies/csp.md + href: /legal/microsoft-edge/extensions/csp - name: App Developer Agreement Addendum for Microsoft Edge program users - href: extensions-chromium/store-policies/ada-addendum.md + href: /legal/microsoft-edge/extensions/ada-addendum - name: Developer policies for the Microsoft Edge Add-ons store - href: extensions-chromium/store-policies/developer-policies.md + href: /legal/microsoft-edge/extensions/developer-policies - name: Microsoft Edge Add-ons API items: From 0607225fb299ce318ea21d6a8e23c74b371c0b47 Mon Sep 17 00:00:00 2001 From: Michael Hoffman Date: Wed, 4 Sep 2024 09:38:31 -0700 Subject: [PATCH 2/3] restore csp.md --- .../extensions-chromium/store-policies/csp.md | 315 ++++++++++++++++++ microsoft-edge/toc.yml | 2 +- 2 files changed, 316 insertions(+), 1 deletion(-) create mode 100644 microsoft-edge/extensions-chromium/store-policies/csp.md diff --git a/microsoft-edge/extensions-chromium/store-policies/csp.md b/microsoft-edge/extensions-chromium/store-policies/csp.md new file mode 100644 index 0000000000..494236f204 --- /dev/null +++ b/microsoft-edge/extensions-chromium/store-policies/csp.md 
@@ -0,0 +1,315 @@
+---
+title: Content Security Policy (CSP)
+description: Content Security Policy for Microsoft Edge extensions.
+author: MSEdgeTeam
+ms.author: msedgedevrel
+ms.topic: conceptual
+ms.service: microsoft-edge
+ms.subservice: extensions
+ms.date: 11/09/2022
+---
+# Content Security Policy (CSP)
+
+In order to mitigate a large class of potential cross-site scripting issues, the Microsoft Edge Extension system has incorporated [Content Security Policy (CSP)](https://w3c.github.io/webappsec-csp). This introduces some strict policies that make Extensions more secure by default, and provides you with the ability to create and enforce rules governing the types of content that can be loaded and run by your Extensions and applications.
+
+In general, CSP works as a block/allowlisting mechanism for resources loaded or run by your Extensions. Defining a reasonable policy for your Extension enables you to carefully consider the resources that your Extension requires, and to ask the browser to ensure that those are the only resources your Extension has access to. The policies provide security over and above the host permissions your Extension requests; they are an additional layer of protection, not a replacement.
+
+On the web, such a policy is defined via an HTTP header or `meta` element. Inside the Microsoft Edge Extension system, neither is an appropriate mechanism. Instead, an Extension policy is defined using the `manifest.json` file for the Extension as follows:
+
+```javascript
+{
+ ...,
+ "content_security_policy": "[POLICY STRING GOES HERE]"
+ ...
+}
+```
+
+> For full details regarding the CSP syntax, please take a look at the W3C [Content Security Policy specification](https://w3c.github.io/webappsec-csp) , and [An Introduction to Content Security Policy](https://www.html5rocks.com/en/tutorials/security/content-security-policy) at _HTML5Rocks_.
+ + + +## Default Policy Restrictions + +Packages that don't define a `manifest_version` don't have a default content security policy. + +Packages that use `manifest_version` have the following default content security policy: + +#### [Manifest V2](#tab/v2) + +```javascript +script-src 'self'; object-src 'self' +``` + +#### [Manifest V3](#tab/v3) + +```javascript +script-src 'self'; object-src 'self'; worker-src 'self' +``` + +The policy adds security by limiting Extensions and applications in three ways: + + +#### Eval and related functions are disabled + +Code like the following doesn't work: + +```javascript +alert(eval("foo.bar.baz")); +window.setTimeout("alert('hi')", 10); +window.setInterval("alert('hi')", 10); +new Function("return foo.bar.baz"); +``` + +Evaluating strings of JavaScript like this is a common XSS attack vector. Instead, you should write code like: + +```javascript +alert(foo && foo.bar && foo.bar.baz); +window.setTimeout(function() { alert('hi'); }, 10); +window.setInterval(function() { alert('hi'); }, 10); +function() { return foo && foo.bar && foo.bar.baz }; +``` + + +#### Inline JavaScript aren't run + +Inline JavaScript aren't run. This restriction bans both inline ` + + + + + +``` + +But three things must change in order to make this work the way you expect it to: + +* The `clickHandler` definition must be moved into an external JavaScript file (`popup.js` may be a good target). + +* The inline event handler definitions must be rewritten in terms of `addEventListener` and extracted into `popup.js`. If you're currently starting your program using code like ``, consider replacing it by hooking into the `DOMContentLoaded` event of the document, or the `load` event of the window, depending on your requirements. Use the former, since it generally triggers more quickly. + +* The `setTimeout` call must be rewritten to avoid converting the string `"awesome(); totallyAwesome()"` into JavaScript for running. 
+ +Those changes could look something like the following: + +```javascript +function awesome() { + // Do something awesome! +} + +function totallyAwesome() { + // do something TOTALLY awesome! +} + +function awesomeTask() { + awesome(); + totallyAwesome(); +} + +function clickHandler(e) { + setTimeout(awesomeTask, 1000); +} + +function main() { + // Initialization work goes here. +} + +// Add event listeners once the DOM has fully loaded by listening for the +// `DOMContentLoaded` event on the document, and adding your listeners to +// specific elements when it triggers. +document.addEventListener('DOMContentLoaded', function () { + document.querySelector('button').addEventListener('click', clickHandler); + main(); +}); +``` + +```html + + + + My Awesome Pop-up! + + + + + + +``` + + +#### Only local script and object resources are loaded + +Script and object resources are only able to be loaded from the Extension package, not from the web at large. This ensures that your Extension only runs the code you specifically approved, preventing an active network attacker from maliciously redirecting your request for a resource. + +Instead of writing code that depends on jQuery (or any other library) loading from an external CDN, consider including the specific version of jQuery in your Extension package. That is, instead of: + +```html + + + + My Awesome Pop-up! + + + + + + +``` + +Use the following approach instead. Download the file, include it in your package, and write: + +```html + + + + My Awesome Pop-up! + + + + + + +``` + + + +## Relaxing the default policy + + +#### Inline Script + + + +Inline scripts can be allowed by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). For an example, see [W3C > Hash usage for \ elements](https://www.w3.org/TR/CSP2#script-src-hash-usage). 
+
+
+#### Remote Script
+
+If you require some external JavaScript or object resources, you can relax the policy to a limited extent by allowlisting secure origins from which scripts should be accepted. Verify that runtime resources loaded with with elevated permissions of an Extension are exactly the resources you expect, and aren't replaced by an active network attacker. As [man-in-the-middle attacks](https://wikipedia.org/wiki/Man-in-the-middle_attack) are both trivial and undetectable over HTTP, those origins aren't accepted.
+
+Currently, you can allowlist origins that have the following schemes: `blob`, `filesystem`, `https`, and `extension`. The host part of the origin must explicitly be specified for the `https` and `extension` schemes. Generic wildcards such as https:, `https://*` and `https://*.com` aren't allowed; subdomain wildcards such as `https://*.example.com` are allowed. Domains in the [Public Suffix list](https://publicsuffix.org/list) are also viewed as generic top-level domains. To load a resource from these domains, the subdomain must explicitly be listed. For example, `https://*.cloudfront.net` is not valid, but `https://XXXX.cloudfront.net` and `https://*.XXXX.cloudfront.net` can be `allowlisted`.
+
+For development ease, resources loaded over HTTP from servers on your local machine can be `allowlisted`. You can allowlist script and object sources on any port of either `http://127.0.0.1` or `http://localhost`.
+
+> [!NOTE]
+> The restriction against resources loaded over HTTP applies only to those resources which are directly run. You are still free, for example, to make `XMLHTTPRequest` connections to any origin you like; the default policy doesn't restrict `connect-src` or any of the other CSP directives in any way.
+ +A relaxed policy definition which allows script resources to be loaded from `example.com` over HTTPS may look like: + +```javascript +"content_security_policy": "script-src 'self' https://example.com; object-src 'self'" +``` + +> [!NOTE] +> Both `script-src` and `object-src` are defined by the policy. Microsoft Edge doesn't accept a policy that doesn't limit each of these values to (at least) '`self`'. + + + + +#### Evaluated JavaScript + +The policy against `eval()` and related functions like `setTimeout(String)`, `setInterval(String)`, and `new Function(String)` can be relaxed by adding `unsafe-eval` to your policy: + +```javascript +"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'" +``` + +However, you should avoid relaxing policies. These types of functions are notorious XSS attack vectors. + + + +## Tightening the default policy + +You can tighten this policy to whatever extent your Extension allows, in order to increase security, at the expense of convenience. To specify that your Extension can only load resources of any type (images, and so on) from the associated Extension package, for example, a policy of `default-src 'self'` might be appropriate. + + + + + +## Content Scripts + +The policy being discussing applies to the background pages and event pages of the Extension. How the content scripts apply to the content scripts of the Extension is more complicated. + +Content scripts are generally not subject to the CSP of the Extension. Since content scripts aren't HTML, the main impact of this is that they can use `eval` even if the CSP of the Extension doesn't specify `unsafe-eval`, although this is not recommended. Additionally, the CSP of the page doesn't apply to content scripts. More complicated are `"); + ``` + +This content script causes an `alert` immediately upon the `document.write()`. Note that this runs regardless of the policy a page specifies. 
However, the behavior becomes more complicated both inside that DOM injected script and for any script that doesn't immediately run upon injection.
+
+Imagine that your Extension is running on a page that provides an associated CSP that specifies `script-src 'self'`. Now imagine the content script runs the following code:
+
+```javascript
+document.write("'");
+```
+
+If a user clicks that button, the `onclick` script doesn't run. This is because the script didn't immediately run, and code that isn't interpreted until the `click` event occurs isn't considered part of the content script, so the CSP of the page (not of the Extension) restricts the behavior. And since that CSP doesn't specify `unsafe-inline`, the inline event handler is blocked.
+
+The correct way to implement the desired behavior in this case is to add the `onclick` handler as a function from the content script, as follows:
+
+```javascript
+document.write("'");
+var button = document.getElementById('mybutton');
+button.onclick = function() {
+ alert(1);
+};
+```
+
+Another similar issue arises if the content script runs the following:
+
+```javascript
+var script = document.createElement('script');
+script.innerHTML = 'alert(1);'
+document.getElementById('body').appendChild(script);
+```
+
+In this case, the script runs, and the alert appears. However, consider this case:
+
+```javascript
+var script = document.createElement('script');
+script.innerHTML = 'eval("alert(1);")';
+=document.getElementById('body').appendChild(script);
+```
+
+While the initial script runs, the call to `eval` is blocked. That is, while the initial script runtime is allowed, the behavior within the script is regulated by the CSP of the page. Thus, depending on how you write DOM injected scripts in your Extension, changes to the CSP of the page might affect the behavior of your Extension.
+
+Since content scripts aren't affected by the CSP of the page, this a great reason to put as much behavior as possible of your Extension into the content script, rather than DOM injected scripts.
+
+
+
+> [!NOTE]
+> Portions of this page are modifications based on work created and [shared by Google](https://developers.google.com/terms/site-policies) and used according to terms described in the [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0).
+> The original page is found [here](https://developer.chrome.com/docs/extensions/reference/manifest/content-security-policy).
+
+[![Creative Commons License](../../media/cc-logo/88x31.png)](https://creativecommons.org/licenses/by/4.0)
+This work is licensed under a [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0).
diff --git a/microsoft-edge/toc.yml b/microsoft-edge/toc.yml
index fcb8c7e489..807ccc292e 100644
--- a/microsoft-edge/toc.yml
+++ b/microsoft-edge/toc.yml
@@ -1097,7 +1097,7 @@ - name: Policies for Microsoft Edge Add-ons
 items:
 - name: Content Security Policy (CSP)
- href: /legal/microsoft-edge/extensions/csp
+ href: extensions-chromium/store-policies/csp.md
 - name: App Developer Agreement Addendum for Microsoft Edge program users
 href: /legal/microsoft-edge/extensions/ada-addendum
From d2ab866da4daf80ae892cfd3bf666d3911a2e8fc Mon Sep 17 00:00:00 2001
From: Michael Hoffman
Date: Wed, 4 Sep 2024 09:59:20 -0700
Subject: [PATCH 3/3] remove redir for csp.md, restore local link
---
 .openpublishing.redirection.json | 5 -----
 .../extensions-chromium/publish/add-ons-store-curation.md | 4 ++--
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 8f55563f90..8af65d28ad 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -793,11 +793,6 @@ Old redirects (to /archive/)
 "redirect_url": "https://learn.microsoft.com/legal/microsoft-edge/extensions/microsoft-browser-extension-policy",
 "redirect_document_id": false
 },
- {
- "source_path": "microsoft-edge/extensions-chromium/store-policies/csp.md",
- "redirect_url": "https://learn.microsoft.com/legal/microsoft-edge/extensions/csp",
- "redirect_document_id": false
- },
 {
 "source_path": "microsoft-edge/extensions-chromium/store-policies/ada-addendum.md",
 "redirect_url": "https://learn.microsoft.com/legal/microsoft-edge/extensions/ada-addendum",
diff --git a/microsoft-edge/extensions-chromium/publish/add-ons-store-curation.md b/microsoft-edge/extensions-chromium/publish/add-ons-store-curation.md
index 5e1a27c790..8c2c899208 100644
--- a/microsoft-edge/extensions-chromium/publish/add-ons-store-curation.md
+++ b/microsoft-edge/extensions-chromium/publish/add-ons-store-curation.md
@@ -40,7 +40,7 @@ The quality and compliance of the item that is displayed on the Edge Add-ons sto
 Items violating the policy guidelines are not allowed in the store. There is a standard review process for each new item submission and new versions of items, per the developer policies. See also:
-* [Content Security Policy (CSP)](/legal/microsoft-edge/extensions/csp)
+* [Content Security Policy (CSP)](../store-policies/csp.md)
@@ -68,4 +68,4 @@ Items are ranked for popularity based on user ratings at the store.
 ## See also
 * [Developer policies for the Microsoft Edge Add-ons store](/legal/microsoft-edge/extensions/developer-policies)
-* [Content Security Policy (CSP)](/legal/microsoft-edge/extensions/csp)
+* [Content Security Policy (CSP)](../store-policies/csp.md)