[filesapp] Add Metadata Shared Worker code CSP to files SWA

Add Content Security Policy (CSP) to file manager SWA frontend code to
allow the Metadata Shared Worker code to load without error. That code
loads from chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj, so add
'script-src' and 'worker-src' policy to allow code from that origin.

Once those policies are specified, one also has to include 'self', and
also 'chrome://resources' for scripts loaded from that source. Scripts

  chrome://resources/mojo/mojo/public/js/mojo_bindings_lite.js
  chrome://resources/polymer/v1_0/html-imports/html-imports.min.js

would be blocked by CSP if their origin is not present in 'script-src'
policy for example.

Bug: 1113981
Change-Id: I524aa0e3dba5c4c5b6252eb1330cb19f152dec26
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2602967
Commit-Queue: Noel Gordon <noel@chromium.org>
Reviewed-by: Alex Danilo <adanilo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#839555}

chromeos/components/file_manager/file_manager_ui.cc

@@ -73,9 +73,18 @@ content::WebUIDataSource* FileManagerUI::CreateTrustedAppDataSource() {
   delegate_->PopulateLoadTimeData(source);
   source->UseStringsJs();
 
-  // Shared worker security policy.
+  // Script security policy.
   source->OverrideContentSecurityPolicy(
-      network::mojom::CSPDirectiveName::WorkerSrc, "worker-src 'self' ;");
+      network::mojom::CSPDirectiveName::ScriptSrc,
+      "script-src chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj "
+      "chrome://resources "
+      "'self' ;");
+
+  // Metadata Shared Worker security policy.
+  source->OverrideContentSecurityPolicy(
+      network::mojom::CSPDirectiveName::WorkerSrc,
+      "worker-src chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj "
+      "'self' ;");
 
   // TODO(crbug.com/1098685): Trusted Type remaining WebUI.
   source->DisableTrustedTypesCSP();