author: mkwst@chromium.org <mkwst@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-08-02 15:00:22 +0000
committer: mkwst@chromium.org <mkwst@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-08-02 15:00:22 +0000
commit: 43088ef84669a8e7e09d5076516a6205829140ce (patch)
tree: 45b16392817b65c909ad8c8876d860018b8b9160 /chrome/renderer
parent: d2088d797cf636745a01ccbed96cf6f3cabccbdf (diff)
`chrome-extension` resources should bypass Content Security Policy.

The Content Security Policy specification[1] notes that "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets." To that end, this CL allows `chrome-extension` resources to bypass their containing document's policy, meaning that (for example) `chrome-extension://[ID]/image.png` can be injected into a page, even if that page has an `img-src 'none';` CSP directive.

[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model

BUG=133223
TBR=thakis@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10792008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149627 0039d316-1c4b-4281-b951-d872f2087c98

Diffstat (limited to 'chrome/renderer')
-rw-r--r-- chrome/renderer/chrome_content_renderer_client.cc 7
1 files changed, 7 insertions, 0 deletions
diff --git a/chrome/renderer/chrome_content_renderer_client.cc b/chrome/renderer/chrome_content_renderer_client.cc
index 3ca868a..a386ac0 100644
--- a/chrome/renderer/chrome_content_renderer_client.cc
+++ b/chrome/renderer/chrome_content_renderer_client.cc
@@ -240,6 +240,13 @@ void ChromeContentRendererClient::RenderThreadStarted() {
// chrome-extension-resource: resources should be allowed to receive CORS
// requests.
WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_resource_scheme);
+
+ // chrome-extension: resources should bypass Content Security Policy checks
+ // when included in protected resources.
+ WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
+ extension_scheme);
+ WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
+ extension_resource_scheme);
}
void ChromeContentRendererClient::RenderViewCreated(
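
Review bot: The new comment above the two registerURLSchemeAsBypassingContentSecurityPolicy calls names only chrome-extension:, but the second call also registers extension_resource_scheme, which the context comment just above ties to chrome-extension-resource:, and the commit message likewise mentions only `chrome-extension`. Please extend the comment to cover both schemes and state why chrome-extension-resource: needs the bypass as well. The registration is also made once in RenderThreadStarted() and is keyed on the scheme alone, with nothing in this hunk that looks at who initiated the load. If the intent is only to exempt resources that an extension injects, say in the comment where that restriction is enforced; if the exemption is meant to hold for every reference to these schemes in a protected document, say that explicitly so later readers do not assume a narrower guarantee.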