path: root/extensions/common/csp_validator_unittest.cc
authorrob <rob@robwu.nl>2014-11-19 05:27:36 -0800
committerCommit bot <commit-bot@chromium.org>2014-11-19 13:27:56 +0000
commit67244e678279741947c09ba2ab18fbfec1707a97 (patch)
treea3a22056151c5d66f7705ffc97b48e0925fd4b51 /extensions/common/csp_validator_unittest.cc
parent52766365c191b1bcb68f006db0627fc8a972d920 (diff)
Accept invalid chrome-extension:// and chrome:// CSP tokens
Do not refuse to load the extension when the CSP contains "chrome-extension://", because there are some extensions in the wild that contain this token in the CSP. It is safe to accept this token because the invalid CSP token is ignored by Blink (together with an error message in the console, so the developer can fix the problem if they bother to look at the console). BUG=432227 TBR=kalman@chromium.org Review URL: https://codereview.chromium.org/722233004 Cr-Commit-Position: refs/heads/master@{#304799}
Diffstat (limited to 'extensions/common/csp_validator_unittest.cc')
-rw-r--r--extensions/common/csp_validator_unittest.cc4
1 files changed, 3 insertions, 1 deletions
diff --git a/extensions/common/csp_validator_unittest.cc b/extensions/common/csp_validator_unittest.cc
index 9778a5a..741007fd 100644
--- a/extensions/common/csp_validator_unittest.cc
+++ b/extensions/common/csp_validator_unittest.cc
@@ -98,7 +98,7 @@ TEST(ExtensionCSPValidator, IsSecure) {
"default-src 'self' *:*/", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' *:*/path", Manifest::TYPE_EXTENSION));
- EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+ EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://", Manifest::TYPE_EXTENSION));
EXPECT_FALSE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://*:*", Manifest::TYPE_EXTENSION));
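Review bot: The expectation for `"default-src 'self' https://"` flips to EXPECT_TRUE with no comment explaining why a host-less `https://` source now counts as secure, and the commit description only names chrome-extension:// and chrome://. Assuming the rationale is the same as in the description (Blink discards the malformed token, so it grants nothing), a comment above the assertion would record that dependency, e.g. `// Host-less scheme source: invalid, ignored by Blink, so it does not widen the policy.` Without it the line reads as if a scheme-wide https source were being allowed, which is what the neighbouring `https://*:*` case still rejects. The TEST body starts and ends outside this hunk.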
@@ -167,6 +167,8 @@ TEST(ExtensionCSPValidator, IsSecure) {
"default-src 'self' https://*.googleapis.com", Manifest::TYPE_EXTENSION));
EXPECT_TRUE(ContentSecurityPolicyIsSecure(
"default-src 'self' https://x.googleapis.com", Manifest::TYPE_EXTENSION));
+ EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+ "default-src 'self' chrome-extension://", Manifest::TYPE_EXTENSION));
}
TEST(ExtensionCSPValidator, IsSandboxed) {
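Review bot: Only the `chrome-extension://` token gets a new assertion here, while the commit title also promises acceptance of `chrome://`, so that half of the change is untested in this file. Adding `EXPECT_TRUE(ContentSecurityPolicyIsSecure("default-src 'self' chrome://", Manifest::TYPE_EXTENSION));` next to the new lines would pin it. Because the validator's safety now relies on these tokens being host-less and therefore ignored, a companion EXPECT_FALSE for a wildcard-host form of the same scheme would also be worth considering, if the validator is meant to keep rejecting that; the visible lines do not show which way it behaves.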