author | rob <rob@robwu.nl> | 2014-11-19 05:27:36 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2014-11-19 13:27:56 +0000 |
commit | 67244e678279741947c09ba2ab18fbfec1707a97 (patch) | |
tree | a3a22056151c5d66f7705ffc97b48e0925fd4b51 /extensions/common/csp_validator.cc | |
parent | 52766365c191b1bcb68f006db0627fc8a972d920 (diff) | |
Accept invalid chrome-extension:// and chrome:// CSP tokens
Do not refuse to load the extension when the CSP contains
"chrome-extension://", because there are some extensions in the wild
that contain this token in the CSP. It is safe to accept this token
because the invalid CSP token is ignored by Blink (together with an
error message in the console, so the developer can fix the problem if
they bother to look at the console).
BUG=432227
TBR=kalman@chromium.org
Review URL: https://codereview.chromium.org/722233004
Cr-Commit-Position: refs/heads/master@{#304799}
Diffstat (limited to 'extensions/common/csp_validator.cc')
-rw-r--r-- | extensions/common/csp_validator.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/extensions/common/csp_validator.cc b/extensions/common/csp_validator.cc index 65edd0a..6221367 100644 --- a/extensions/common/csp_validator.cc +++ b/extensions/common/csp_validator.cc @@ -54,6 +54,11 @@ bool isNonWildcardTLD(const std::string& url, if (end_of_host == std::string::npos) end_of_host = url.size(); + // A missing host such as "chrome-extension://" is invalid, but for backwards- + // compatibility, accept such CSP parts. They will be ignored by Blink anyway. + if (start_of_host == end_of_host) + return true; + // Note: It is sufficient to only compare the first character against '*' // because the CSP only allows wildcards at the start of a directive, see // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax |
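Review bot: The early return at `if (start_of_host == end_of_host) return true;` makes `isNonWildcardTLD` report success for any input with an empty host, so the function name no longer describes what it returns for that case, and the new comment names only "chrome-extension://" while the commit title also covers "chrome://". I would widen the comment to say the check is scheme-independent within this function, and note that accepting the token is safe only as long as Blink keeps ignoring it, as the commit message assumes. The diffstat shown here is limited to csp_validator.cc, so it is worth confirming that a unit test pins both "chrome-extension://" and "chrome://" to the accepted behaviour, so that a later change to the host parsing above this check cannot turn the shortcut into a silent allow for a source that Blink would honour.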