Allow extenions to override the default content_security_policy, but require

chrome/common/extensions/csp_validator.h

Index: chrome/common/extensions/csp_validator.h
===================================================================
--- chrome/common/extensions/csp_validator.h	(revision 0)
+++ chrome/common/extensions/csp_validator.h	(revision 0)
@@ -0,0 +1,33 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_
+#define CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_
+#pragma once
+
+#include <string>
+
+namespace extensions {
+
+namespace csp_validator {
+
+// Checks whether the given |policy| is legal for use in the extension system.
+// This check just ensures that the policy doesn't contain any characters that
+// will cause problems when we transmit the policy in an HTTP header.
+bool ContentSecurityPolicyIsLegal(const std::string& policy);
+
+// Checks whether the given |policy| meets the minimum security requirements
+// for use in the extension system. The philosophy behind our minimum
+// requirements is that an XSS vulnerability in the extension should not be
+// able to execute script, even in the precense of an active network attacker.
+// Specifically, 'unsafe-inline' and 'unsafe-eval' are forbidden, as is
+// script or object inclusion from insecure schemes. Also, the use of * is
+// forbidden for scripts and objects.
+bool ContentSecurityPolicyIsSecure(const std::string& policy);
+
+}  // namespace csp_validator
+
+}  // namespace extensions
+
+#endif  // CHROME_COMMON_EXTENSIONS_CSP_VALIDATOR_H_