Whitelisting `127.0.0.1` and `localhost` for HTTP in extensions' CSP.

BUG=140187


Review URL: https://chromiumcodereview.appspot.com/10855122

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@151470 0039d316-1c4b-4281-b951-d872f2087c98

chrome/common/extensions/csp_validator.cc

@@ -46,6 +46,10 @@ bool HasOnlySecureTokens(StringTokenizer& tokenizer) {
     // We might need to relax this whitelist over time.
     if (source == "'self'" ||
         source == "'none'" ||
+        source == "http://127.0.0.1" ||
+        LowerCaseEqualsASCII(source, "http://localhost") ||
+        StartsWithASCII(source, "http://127.0.0.1:", false) ||
+        StartsWithASCII(source, "http://localhost:", false) ||
         StartsWithASCII(source, "https://", true) ||
         StartsWithASCII(source, "chrome://", true) ||
         StartsWithASCII(source, "chrome-extension://", true) ||

chrome/common/extensions/csp_validator_unittest.cc

@@ -76,6 +76,21 @@ TEST(ExtensionCSPValidator, IsSecure) {
       "default-src 'self' google.com"));
   EXPECT_TRUE(ContentSecurityPolicyIsSecure(
       "default-src 'self' https://*.google.com"));
+
+  EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+      "default-src 'self' http://127.0.0.1"));
+  EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+      "default-src 'self' http://localhost"));
+  EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+      "default-src 'self' http://lOcAlHoSt"));
+  EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+      "default-src 'self' http://127.0.0.1:9999"));
+  EXPECT_TRUE(ContentSecurityPolicyIsSecure(
+      "default-src 'self' http://localhost:8888"));
+  EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+      "default-src 'self' http://127.0.0.1.example.com"));
+  EXPECT_FALSE(ContentSecurityPolicyIsSecure(
+      "default-src 'self' http://localhost.example.com"));
 }
 
 TEST(ExtensionCSPValidator, IsSandboxed) {

chrome/common/extensions/docs/extensions/contentSecurityPolicy.html

@@ -416,6 +416,12 @@ popup.html:
   schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and
   <code>chrome-extension-resource</code>.
 </p>
+<p>
+  To ease development, we're also allowing the whitelisting of resources loaded
+  over HTTP from servers on your local machine. You may whitelist script and
+  object sources on any port of either <code>http://127.0.0.1</code> or
+  <code>http://localhost</code>.
+</p>
 <p>
   A relaxed policy definition which allows script resources to be loaded from
   <code>example.com</code> over HTTPS might look like:

chrome/common/extensions/docs/server2/templates/articles/contentSecurityPolicy.html

@@ -236,6 +236,13 @@ popup.html:
   <code>chrome-extension-resource</code>.
 </p>
 
+<p>
+  To ease development, we're also allowing the whitelisting of resources loaded
+  over HTTP from servers on your local machine. You may whitelist script and
+  object sources on any port of either <code>http://127.0.0.1</code> or
+  <code>http://localhost</code>.
+</p>
+
 <p>
   A relaxed policy definition which allows script resources to be loaded from
   <code>example.com</code> over HTTPS might look like:

chrome/common/extensions/docs/static/contentSecurityPolicy.html

@@ -236,6 +236,13 @@ popup.html:
   <code>chrome-extension-resource</code>.
 </p>
 
+<p>
+  To ease development, we're also allowing the whitelisting of resources loaded
+  over HTTP from servers on your local machine. You may whitelist script and
+  object sources on any port of either <code>http://127.0.0.1</code> or
+  <code>http://localhost</code>.
+</p>
+
 <p>
   A relaxed policy definition which allows script resources to be loaded from
   <code>example.com</code> over HTTPS might look like: