Extensions: Remove all references to chrome-extension-resource scheme.

The chrome-extension-resource scheme was added in https://chromiumcodereview.appspot.com/9909019/ but was never used. The code for it was eventually removed in https://codereview.chromium.org/2574763003. This CL removes any remaining references to it. Behavior changes: - Any extensions using the scheme in their CSP will get an install warning as the token will be recognised as an unsafe token. Note we don't show install warnings for packaged extensions. - The default CSP for apps and extensions now excludes the scheme. However this should not be an issue since the scheme isn't a valid scheme and can't be used. BUG=674272 Change-Id: I4494e901d147627adebc62c59ce0e021876786a1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1719333Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Commit-Queue: Karan Bhatia <karandeepb@chromium.org> Cr-Commit-Position: refs/heads/master@{#686197}

Extensions: Remove all references to chrome-extension-resource scheme.
The chrome-extension-resource scheme was added in https://chromiumcodereview.appspot.com/9909019/ but was never used. The code for it was eventually removed in https://codereview.chromium.org/2574763003. This CL removes any remaining references to it. Behavior changes: - Any extensions using the scheme in their CSP will get an install warning as the token will be recognised as an unsafe token. Note we don't show install warnings for packaged extensions. - The default CSP for apps and extensions now excludes the scheme. However this should not be an issue since the scheme isn't a valid scheme and can't be used. BUG=674272 Change-Id: I4494e901d147627adebc62c59ce0e021876786a1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1719333Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Commit-Queue: Karan Bhatia <karandeepb@chromium.org> Cr-Commit-Position: refs/heads/master@{#686197}
5aa20e27 · Karan Bhatia · Commit Bot · 43e1e4d1 · 5aa20e27 · 5aa20e27
Commit 5aa20e27 authored Aug 12, 2019 by Karan Bhatia Committed by Commit Bot Aug 12, 2019
8 changed files
--- a/chrome/common/extensions/docs/templates/articles/app_csp.html
+++ b/chrome/common/extensions/docs/templates/articles/app_csp.html
@@ -52,10 +52,10 @@ you from doing the following:</p>
 <pre>
 default-src 'self';
 connect-src * data: blob: filesystem:;
-style-src 'self' data: chrome-extension-resource: 'unsafe-inline';
+style-src 'self' data: 'unsafe-inline';
-img-src 'self' data: chrome-extension-resource:;
+img-src 'self' data:;
-frame-src 'self' data: chrome-extension-resource:;
+frame-src 'self' data:;
-font-src 'self' data: chrome-extension-resource:;
+font-src 'self' data:;
 media-src * data: blob: filesystem:;
 </pre>

--- a/chrome/common/extensions/docs/templates/articles/manifestVersion.html
+++ b/chrome/common/extensions/docs/templates/articles/manifestVersion.html
@@ -90,8 +90,8 @@
 <ul>
  <li>
    <p>
-      A content security policy is set to <code>`script-src 'self'
+      A content security policy is set to <code>`script-src 'self';
-      chrome-extension-resource:; object-src 'self'</code> by default. This has
+      object-src 'self';</code> by default. This has
      a variety of impacts on developers, described at length in the
      <a href="../extensions/contentSecurityPolicy">
      <code>content_security_policy</code></a> documentation.

--- a/extensions/common/csp_validator.cc
+++ b/extensions/common/csp_validator.cc
@@ -261,13 +261,6 @@ std::string GetSecureDirectiveValues(
    } else if ((options & OPTIONS_ALLOW_UNSAFE_EVAL) &&
               source_lower == "'unsafe-eval'") {
      is_secure_csp_token = true;
-    } else if (base::StartsWith(source_lower, "chrome-extension-resource:",
-                                base::CompareCase::SENSITIVE)) {
-      // The "chrome-extension-resource" scheme has been removed from the
-      // codebase, but it may still appear in existing CSPs. We continue to
-      // allow it here for compatibility. Requests on this scheme will not
-      // return any kind of network response.
-      is_secure_csp_token = true;
    }
    if (is_secure_csp_token) {

--- a/extensions/common/csp_validator_unittest.cc
+++ b/extensions/common/csp_validator_unittest.cc
@@ -248,9 +248,8 @@ TEST(ExtensionCSPValidator, IsSecure) {
  EXPECT_TRUE(CheckCSP(SanitizeCSP(
      "default-src 'self' chrome-extension://aabbcc;",
      OPTIONS_ALLOW_UNSAFE_EVAL)));
-  EXPECT_TRUE(CheckCSP(SanitizeCSP(
+  EXPECT_TRUE(
-      "default-src 'self' chrome-extension-resource://aabbcc;",
+      CheckCSP(SanitizeCSP("default-src 'self';", OPTIONS_ALLOW_UNSAFE_EVAL)));
-      OPTIONS_ALLOW_UNSAFE_EVAL)));
  EXPECT_TRUE(CheckCSP(
      SanitizeCSP("default-src 'self' https:", OPTIONS_ALLOW_UNSAFE_EVAL),
      "default-src 'self';", InsecureValueWarning("default-src", "https:")));

--- a/extensions/common/manifest_handlers/csp_info.cc
+++ b/extensions/common/manifest_handlers/csp_info.cc
@@ -29,7 +29,7 @@ using csp_validator::SanitizeContentSecurityPolicy;
 namespace {
 const char kDefaultContentSecurityPolicy[] =
-    "script-src 'self' blob: filesystem: chrome-extension-resource:; "
+    "script-src 'self' blob: filesystem:; "
    "object-src 'self' blob: filesystem:;";
 const char kDefaultIsolatedWorldCSP_BypassMainWorld[] = "";
@@ -40,13 +40,12 @@ const char kDefaultSandboxedPageContentSecurityPolicy[] =
    "sandbox allow-scripts allow-forms allow-popups allow-modals; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';";
-#define PLATFORM_APP_LOCAL_CSP_SOURCES \
+#define PLATFORM_APP_LOCAL_CSP_SOURCES "'self' blob: filesystem: data:"
-    "'self' blob: filesystem: data: chrome-extension-resource:"
 // clang-format off
 const char kDefaultPlatformAppContentSecurityPolicy[] =
    // Platform apps can only use local resources by default.
-    "default-src 'self' blob: filesystem: chrome-extension-resource:;"
+    "default-src 'self' blob: filesystem:;"
    // For remote resources, they can fetch them via XMLHttpRequest.
    " connect-src * data: blob: filesystem:;"
    // And serve them via data: or same-origin (blob:, filesystem:) URLs
@@ -61,8 +60,7 @@ const char kDefaultPlatformAppContentSecurityPolicy[] =
    //    streaming or partial buffering.
    " media-src * data: blob: filesystem:;"
    // Scripts are allowed to use WebAssembly
-    " script-src 'self' blob: filesystem: chrome-extension-resource:"
+    " script-src 'self' blob: filesystem: 'wasm-eval';";
-    " 'wasm-eval';";
 // clang-format on
 int GetValidatorOptions(Extension* extension) {

--- a/extensions/common/manifest_handlers/csp_info_unittest.cc
+++ b/extensions/common/manifest_handlers/csp_info_unittest.cc
@@ -26,7 +26,7 @@ const char kDefaultSandboxedPageCSP[] =
    "sandbox allow-scripts allow-forms allow-popups allow-modals; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';";
 const char kDefaultExtensionPagesCSP[] =
-    "script-src 'self' blob: filesystem: chrome-extension-resource:; "
+    "script-src 'self' blob: filesystem:; "
    "object-src 'self' blob: filesystem:;";
 const char kDefaultIsolatedWorldCSP_BypassMainWorld[] = "";
 const char kDefaultIsolatedWorldCSP_Secure[] =

--- a/third_party/blink/renderer/devtools/front_end/sdk/sdk_strings.grdp
+++ b/third_party/blink/renderer/devtools/front_end/sdk/sdk_strings.grdp
@@ -298,7 +298,7 @@
    DOM Mutation
  </message>
  <message name="IDS_DEVTOOLS_f99d691018d8f37dda14a9cd29c1d1ee" desc="Text in DOMDebugger Model">
-    Script blocked due to Content Security Policy directive: <ph name="AUXDATA__DIRECTIVETEXT__">$1s<ex>"script-src 'self' chrome-extension-resource:"</ex></ph>
+    Script blocked due to Content Security Policy directive: <ph name="AUXDATA__DIRECTIVETEXT__">$1s<ex>"script-src 'self'"</ex></ph>
  </message>
  <message name="IDS_DEVTOOLS_fa79cdac06c8d2166fd5cda17ccbc0ce" desc="Text in Server Timing">
    Extraneous trailing characters.

--- a/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/source-list-parsing-02.html
+++ b/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/source-list-parsing-02.html
@@ -7,7 +7,7 @@ var tests = [
    ['yes', 'script-src\thttp://127.0.0.1:8000', 'resources/script.js'],
    ['yes', 'script-src http://127.0.0.1:8000   \t ', 'resources/script.js'],
    ['yes', 'script-src http://127.0.0.1:* ', 'resources/script.js'],
-    ['yes', 'script-src \'self\' chrome-extension-resource: ;', 'resources/script.js'],
+    ['yes', 'script-src \'self\' ;', 'resources/script.js'],
 ];
 </script>
 </head>