`chrome-extension` resources should bypass Content Security Policy.

The Content Security Policy specification[1] notes that "Enforcing a CSP
policy should not interfere with the operation of user-supplied scripts
such as third-party user-agent add-ons and JavaScript bookmarklets."
To that end, this CL allows `chrome-extension` resources to bypass
their containing document's policy, meaning that (for example)
`chrome-extension://[ID]/image.png` can be injected into a page, even
if that page has an `img-src 'none';` CSP directive.

[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model

BUG=133223
TBR=thakis@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10792008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149627 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/extensions/extension_resource_request_policy_apitest.cc

@@ -217,6 +217,26 @@ IN_PROC_BROWSER_TEST_F(ExtensionResourceRequestPolicyTest,
   EXPECT_EQ("Loading CER:// failed.", result);
 }
 
+IN_PROC_BROWSER_TEST_F(ExtensionResourceRequestPolicyTest,
+                       WebAccessibleResourcesWithCSP) {
+  std::string result;
+  ASSERT_TRUE(test_server()->Start());
+  ASSERT_TRUE(LoadExtension(test_data_dir_
+      .AppendASCII("extension_resource_request_policy")
+      .AppendASCII("web_accessible")));
+
+  GURL accessible_resource_with_csp(
+      test_server()->GetURL(
+          "files/extensions/api_test/extension_resource_request_policy/"
+          "web_accessible/accessible_resource_with_csp.html"));
+  ui_test_utils::NavigateToURL(browser(), accessible_resource_with_csp);
+  ASSERT_TRUE(content::ExecuteJavaScriptAndExtractString(
+    chrome::GetActiveWebContents(browser())->GetRenderViewHost(), L"",
+      L"window.domAutomationController.send(document.title)",
+    &result));
+  EXPECT_EQ("Loaded", result);
+}
+
 IN_PROC_BROWSER_TEST_F(ExtensionResourceRequestPolicyTest, Iframe) {
   // Load another extension, which the test one shouldn't be able to get
   // resources from.

chrome/renderer/chrome_content_renderer_client.cc

@@ -240,6 +240,13 @@ void ChromeContentRendererClient::RenderThreadStarted() {
   // chrome-extension-resource: resources should be allowed to receive CORS
   // requests.
   WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_resource_scheme);
+
+  // chrome-extension: resources should bypass Content Security Policy checks
+  // when included in protected resources.
+  WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
+      extension_scheme);
+  WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
+      extension_resource_scheme);
 }
 
 void ChromeContentRendererClient::RenderViewCreated(

chrome/test/data/extensions/api_test/extension_resource_request_policy/web_accessible/accessible_resource_with_csp.html

+<meta http-equiv="X-WebKit-CSP" content="img-src 'none';">
+<img onload="document.title='Loaded'" onerror="document.title='Image failed to load'" src="chrome-extension://ggmldgjhdenlnjjjmehkomheglpmijnf/test.png">