Add schema chrome-extension-resource:// for extension resources

chrome/common/extensions/csp_validator.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/extensions/csp_validator.h"
 
 #include "base/string_split.h"
 #include "base/string_tokenizer.h"
 #include "base/string_util.h"
 
@@ skipping 25 matching lines @@
     StringToLowerASCII(&source);
 
     if (EndsWith(source, "*", true))
       return false;
 
     // We might need to relax this whitelist over time.
     if (source == "'self'" ||
         source == "'none'" ||
         StartsWithASCII(source, "https://", true) ||
         StartsWithASCII(source, "chrome://", true) ||
-        StartsWithASCII(source, "chrome-extension://", true)) {
+        StartsWithASCII(source, "chrome-extension://", true) ||
+        StartsWithASCII(source, "chrome-extension-resource://", true)) {

[abarth-chromium, 2012/04/11 20:15:33]

I can haz unit test?

[abarth-chromium, 2012/04/11 20:18:16]

Note: If an extension uses chrome-extension-resource in its CSP policy, older
versions of Chrome will reject the extension because it won't validate.

[Peng, 2012/04/11 20:23:51]

I will test it.

[Peng, 2012/04/11 20:23:51]

That could be a problem. Any idea?

Maybe make the new scheme in the default CSP policy? Because  those libraries
are for extensions, it is not very necessary to limit it.

       continue;
     }
 
     return false;
   }
 
   return true;  // Empty values default to 'none', which is secure.
 }
 
 // Returns true if |directive_name| matches |status.directive_name|.
@@ skipping 57 matching lines @@
            object_src_status.seen_in_policy;
   }
 
   return default_src_status.seen_in_policy ||
       (script_src_status.seen_in_policy && object_src_status.seen_in_policy);
 }
 
 }  // csp_validator
 
 }  // extensions