authormkwst <mkwst@chromium.org>2015-06-16 07:26:30 -0700
committerCommit bot <commit-bot@chromium.org>2015-06-16 14:26:55 +0000
commit04a6c801d52357e7ad14ecaf8c528a97a3451fd5 (patch)
tree9146c5fde1d40c5517b6d177cb4eb3b107109e8d /extensions/common/manifest_handlers
parent0c5bb253c94ffb78ec155ec1cf83172975997879 (diff)
Explicitly whitelist 'blob:' and 'filesystem:' in extensions' default CSP.
'blob:' and 'filesystem:' should not match 'self' in CSP source expressions, but they currently do. In order to avoid breakage, this patch whitelists them explicitly (which is a no-op at the moment) so that we can change Blink's behavior without breaking extensions. Perhaps we can re-evaluate this in v3. :) BUG=473904 Review URL: https://codereview.chromium.org/1184353002 Cr-Commit-Position: refs/heads/master@{#334599}
Diffstat (limited to 'extensions/common/manifest_handlers')
-rw-r--r--extensions/common/manifest_handlers/csp_info.cc8
1 files changed, 5 insertions, 3 deletions
diff --git a/extensions/common/manifest_handlers/csp_info.cc b/extensions/common/manifest_handlers/csp_info.cc
index e756995..5581d51 100644
--- a/extensions/common/manifest_handlers/csp_info.cc
+++ b/extensions/common/manifest_handlers/csp_info.cc
@@ -24,13 +24,15 @@ using csp_validator::SanitizeContentSecurityPolicy;
namespace {
const char kDefaultContentSecurityPolicy[] =
- "script-src 'self' chrome-extension-resource:; object-src 'self';";
+ "script-src 'self' blob: filesystem: chrome-extension-resource:; "
+ "object-src 'self' blob: filesystem:;";
#define PLATFORM_APP_LOCAL_CSP_SOURCES \
- "'self' data: chrome-extension-resource:"
+ "'self' blob: filesystem: data: chrome-extension-resource:"
+
const char kDefaultPlatformAppContentSecurityPolicy[] =
// Platform apps can only use local resources by default.
- "default-src 'self' chrome-extension-resource:;"
+ "default-src 'self' blob: filesystem: chrome-extension-resource:;"
// For remote resources, they can fetch them via XMLHttpRequest.
" connect-src *;"
// And serve them via data: or same-origin (blob:, filesystem:) URLs