authorjww <jww@chromium.org>2015-09-25 16:45:36 -0700
committerCommit bot <commit-bot@chromium.org>2015-09-25 23:46:26 +0000
commit5d0e9f824e05523e03dabc0e341b9f8f17a72bb0 (patch)
tree268f95b6f317f46986bf78a606546a5d424eb9da /extensions/common/manifest_handlers
parent4b86b23ef2edc67efd12a111ad4ddf83ca53329c (diff)
Disallow CSP source * matching of data:, blob:, and filesystem: URLs
The CSP spec specifically excludes matching of data:, blob:, and filesystem: URLs with the source '*' wildcard. This adds checks to make sure that doesn't happen, along with tests. BUG=534570 R=mkwst@chromium.org Review URL: https://codereview.chromium.org/1361763005 Cr-Commit-Position: refs/heads/master@{#350950}
Diffstat (limited to 'extensions/common/manifest_handlers')
-rw-r--r--extensions/common/manifest_handlers/csp_info.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/extensions/common/manifest_handlers/csp_info.cc b/extensions/common/manifest_handlers/csp_info.cc
index 5581d51..de98430 100644
--- a/extensions/common/manifest_handlers/csp_info.cc
+++ b/extensions/common/manifest_handlers/csp_info.cc
@@ -34,7 +34,7 @@ const char kDefaultPlatformAppContentSecurityPolicy[] =
// Platform apps can only use local resources by default.
"default-src 'self' blob: filesystem: chrome-extension-resource:;"
// For remote resources, they can fetch them via XMLHttpRequest.
- " connect-src *;"
+ " connect-src * data: blob: filesystem:;"
// And serve them via data: or same-origin (blob:, filesystem:) URLs
" style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';"
" img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
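Review bot: The added `connect-src * data: blob: filesystem:;` reads as redundant next to `*`, and the comment above it still only says remote resources are fetched via XMLHttpRequest, so a later cleanup could drop the three schemes and silently narrow the policy once the validator stops letting `*` match them. Add a why-comment on the line before the directive: `// '*' does not match data:, blob: or filesystem: per the CSP spec, so they are listed explicitly to keep the previous behaviour.` If PLATFORM_APP_LOCAL_CSP_SOURCES (used for style-src and img-src below) expands to exactly these schemes, reusing it here would keep the directives in step, but its definition is outside this hunk so that needs confirming. The kDefaultPlatformAppContentSecurityPolicy string literal begins before this hunk.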
@@ -45,7 +45,7 @@ const char kDefaultPlatformAppContentSecurityPolicy[] =
// spotty connectivity.
// 2. Fetching via XHR and serving via blob: URLs currently does not allow
// streaming or partial buffering.
- " media-src *;";
+ " media-src * data: blob: filesystem:;";
int GetValidatorOptions(Extension* extension) {
int options = csp_validator::OPTIONS_NONE;
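Review bot: The explicit `data: blob: filesystem:` list is duplicated in the added `media-src` line without a comment tying it to the matching `connect-src` change, and the numbered justification above it (offline use, streaming) explains only the `*`. Extend that comment with one line, e.g. `// data:, blob: and filesystem: are listed explicitly because '*' does not match them.`, so the two directives are maintained together. Whether media from data: URLs was previously reachable through `*` in this validator is not visible here; if it was not, this line is a new grant rather than a behaviour-preserving one and the commit message should say so. The GetValidatorOptions function whose first lines close this hunk continues outside it.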