Tweaking the "insecure CSP" error message to clarify that both 'script-src' and 'object-src' must b…

chrome/common/extensions/extension_manifest_constants.cc

Index: chrome/common/extensions/extension_manifest_constants.cc
diff --git a/chrome/common/extensions/extension_manifest_constants.cc b/chrome/common/extensions/extension_manifest_constants.cc
index de33389949657752fa343541e83b90572a681dc2..aedc3b1ae5d11b31682fd86383f09305f00ba74a 100644
--- a/chrome/common/extensions/extension_manifest_constants.cc
+++ b/chrome/common/extensions/extension_manifest_constants.cc
@@ -457,11 +457,12 @@ const char kInvalidWebURLs[] =
 const char kInvalidZipHash[] =
     "Required key 'zip_hash' is missing or invalid.";
 const char kInsecureContentSecurityPolicy[] =
-    "Invalid value for 'content_security_policy': The 'script-src' and"
-    " 'object-src' directives can only whitelist secure resources. You may"
-    " include any of the following sources: \"'self'\", \"http://127.0.0.1\","
-    " \"http://localhost\", or any \"https://\" or \"chrome-extension://\""
-    " origin. For more information, see"
+    "Invalid value for 'content_security_policy': Both 'script-src' and"
+    " 'object-src' directives must be specified (either explicitly, or"
+    " implicitly via 'default-src'), and both must whitelist only secure"
+    " resources. You may include any of the following sources: \"'self'\","
+    " \"http://127.0.0.1\", \"http://localhost\", or any \"https://\" or"
+    " \"chrome-extension://\" origin. For more information, see"

[Aaron Boodman, 2012/09/13 15:53:36]

You can whitelist unsafe-eval too, right?

     " http://developer.chrome.com/extensions/contentSecurityPolicy.html";
 const char kLaunchPathAndExtentAreExclusive[] =
     "The 'app.launch.local_path' and 'app.urls' keys cannot both be set.";