Adding `chrome-extension` resources to the CSP relaxation documentation.

BUG=139443 Review URL: https://chromiumcodereview.appspot.com/10823074 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@148934 0039d316-1c4b-4281-b951-d872f2087c98

Adding `chrome-extension` resources to the CSP relaxation documentation.
BUG=139443 Review URL: https://chromiumcodereview.appspot.com/10823074 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@148934 0039d316-1c4b-4281-b951-d872f2087c98
af42b4cc · mkwst@chromium.org · e9219583 · af42b4cc · af42b4cc
Commit af42b4cc authored Jul 30, 2012 by mkwst@chromium.org
2 changed files
--- a/chrome/common/extensions/docs/extensions/contentSecurityPolicy.html
+++ b/chrome/common/extensions/docs/extensions/contentSecurityPolicy.html
@@ -405,13 +405,14 @@ popup.html:
 <p>
  If, on the other hand, you have a need for some external JavaScript or object
  resources, you can relax the policy to a limited extent by whitelisting
-  specific HTTPS origins from which scripts should be accepted. Whitelisting
-  insecure HTTP resources will have no effect. This is intentional, because
-  we want to ensure that executable resources loaded with an extension's
-  elevated permissions is exactly the resource you expect, and hasn't been
-  replaced by an active network attacker. As <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
-  attacks</a> are both trivial and undetectable over HTTP, only HTTPS origins
-  will be accepted.
+  secure origins from which scripts should be accepted. We want to ensure that
+  executable resources loaded with an extension's elevated permissions are
+  exactly the resources you expect, and haven't been replaced by an active
+  network attacker. As <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
+  attacks</a> are both trivial and undetectable over HTTP, those origins will
+  not be accepted. Currently, we allow whitelisting origins with the following
+  schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and
+  <code>chrome-extension-resource</code>.
 </p>
 <p>
  A relaxed policy definition which allows script resources to be loaded from

--- a/chrome/common/extensions/docs/static/contentSecurityPolicy.html
+++ b/chrome/common/extensions/docs/static/contentSecurityPolicy.html
@@ -225,14 +225,15 @@ popup.html:
 <p>
  If, on the other hand, you have a need for some external JavaScript or object
  resources, you can relax the policy to a limited extent by whitelisting
-  specific HTTPS origins from which scripts should be accepted. Whitelisting
-  insecure HTTP resources will have no effect. This is intentional, because
-  we want to ensure that executable resources loaded with an extension's
-  elevated permissions is exactly the resource you expect, and hasn't been
-  replaced by an active network attacker. As <a
+  secure origins from which scripts should be accepted. We want to ensure that
+  executable resources loaded with an extension's elevated permissions are
+  exactly the resources you expect, and haven't been replaced by an active
+  network attacker. As <a
  href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
-  attacks</a> are both trivial and undetectable over HTTP, only HTTPS origins
-  will be accepted.
+  attacks</a> are both trivial and undetectable over HTTP, those origins will
+  not be accepted. Currently, we allow whitelisting origins with the following
+  schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and
+  <code>chrome-extension-resource</code>.
 </p>

 <p>