Disallow apps with the wrong content type header.

chrome/browser/extensions/crx_installer.cc

Index: chrome/browser/extensions/crx_installer.cc
diff --git a/chrome/browser/extensions/crx_installer.cc b/chrome/browser/extensions/crx_installer.cc
index 70f81469dca17b549081f1517cf4ee3ddc307e6f..79a8571116ccb6842f4a9423555cbc4b07923e56 100644
--- a/chrome/browser/extensions/crx_installer.cc
+++ b/chrome/browser/extensions/crx_installer.cc
@@ -46,7 +46,8 @@ CrxInstaller::CrxInstaller(const FilePath& install_directory,
       limit_web_extent_to_download_host_(false),
       create_app_shortcut_(false),
       frontend_(frontend),
-      client_(client) {
+      client_(client),
+      apps_require_extension_mime_type_(false) {
   extensions_enabled_ = frontend_->extensions_enabled();
 }
 
@@ -128,6 +129,20 @@ void CrxInstaller::OnUnpackSuccess(const FilePath& temp_dir,
   extension_.reset(extension);
   temp_dir_ = temp_dir;
 
+  // If the extension was downloaded, apps_require_extension_mime_type_
+  // will be set.  In this case, check that if the extension is an app,
+  // it was served with the right mime type.  Make an exception for file
+  // URLs, which come from the users computer and have no headers.
+  if (extension->is_app() &&
+      !original_url_.SchemeIsFile() &&
+      apps_require_extension_mime_type_ &&
+      original_mime_type_ != Extension::kMimeType) {
+    ReportFailureFromFileThread(StringPrintf(
+        "Applications must be served with content type %s.",
+        Extension::kMimeType));
+    return;
+  }
+
   // The unpack dir we don't have to delete explicity since it is a child of
   // the temp dir.
   unpacked_extension_root_ = extension_dir;