Explicitly whitelist 'blob:' and 'filesystem:' in extensions' default CSP.

extensions/common/manifest_handlers/csp_info.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/common/manifest_handlers/csp_info.h"
 
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "extensions/common/csp_validator.h"
 #include "extensions/common/install_warning.h"
 #include "extensions/common/manifest_constants.h"
 #include "extensions/common/manifest_handlers/sandboxed_page_info.h"
 
 namespace extensions {
 
 namespace keys = manifest_keys;
 namespace errors = manifest_errors;
 
 using csp_validator::ContentSecurityPolicyIsLegal;
 using csp_validator::SanitizeContentSecurityPolicy;
 
 namespace {
 
 const char kDefaultContentSecurityPolicy[] =
-    "script-src 'self' chrome-extension-resource:; object-src 'self';";
+    "script-src 'self' blob: filesystem: chrome-extension-resource:; "
+    "object-src 'self' blob: filesystem:;";
 
 #define PLATFORM_APP_LOCAL_CSP_SOURCES \
-    "'self' data: chrome-extension-resource:"
+  "'self' blob: filesystem: data: chrome-extension-resource:"
 const char kDefaultPlatformAppContentSecurityPolicy[] =
     // Platform apps can only use local resources by default.
-    "default-src 'self' chrome-extension-resource:;"
+    "default-src 'self' blob: filesystem: chrome-extension-resource:;"

[Finnur, 2015/06/16 13:20:01]

This sounds like a reasonable approach if blob: and filesystem: are
(erroneously) implied in 'self' and you want to get rid of that. However, I'd
like to see a bit more bookkeeping for safely getting rid of these new entries,
so perhaps file a bug and CC kalman and maybe someone from security so we can
evaluate and keep track of this.

     // For remote resources, they can fetch them via XMLHttpRequest.
     " connect-src *;"
     // And serve them via data: or same-origin (blob:, filesystem:) URLs
-    " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES " 'unsafe-inline';"
-    " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
-    " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
-    " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES ";"
+    " style-src " PLATFORM_APP_LOCAL_CSP_SOURCES
+    " 'unsafe-inline';"
+    " img-src " PLATFORM_APP_LOCAL_CSP_SOURCES
+    ";"
+    " frame-src " PLATFORM_APP_LOCAL_CSP_SOURCES
+    ";"
+    " font-src " PLATFORM_APP_LOCAL_CSP_SOURCES
+    ";"

[Mike West, 2015/06/16 13:04:47]

This is all `git cl format`. Sorry. :/

[Finnur, 2015/06/16 13:20:01]

Hmm... Looks less readable and therefore more error-prone this way. :/
Wonder if we should revert this part?

     // Media can be loaded from remote resources since:
     // 1. <video> and <audio> have good fallback behavior when offline or under
     //    spotty connectivity.
     // 2. Fetching via XHR and serving via blob: URLs currently does not allow
     //    streaming or partial buffering.
     " media-src *;";
 
 int GetValidatorOptions(Extension* extension) {
   int options = csp_validator::OPTIONS_NONE;
 
@@ skipping 100 matching lines @@
         type == Manifest::TYPE_LEGACY_PACKAGED_APP;
 }
 
 const std::vector<std::string> CSPHandler::Keys() const {
   const std::string& key = is_platform_app_ ?
       keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy;
   return SingleKey(key);
 }
 
 }  // namespace extensions