Allow 'chrome-extension:' URLs to bypass content settings (1/2)

extensions/renderer/dispatcher.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/dispatcher.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/containers/scoped_ptr_map.h"
@@ skipping 260 matching lines @@
   // allowed to receive CORS requests.
   WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_scheme);
   WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_resource_scheme);
 
   // chrome-extension: resources should bypass Content Security Policy checks
   // when included in protected resources.
   WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
       extension_scheme);
   WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
       extension_resource_scheme);
+
+  // Extension resources, when loaded as the top-level document, should
+  // bypass Blink's strict first-party origin checks.
+  WebSecurityPolicy::registerURLSchemeAsFirstPartyWhenTopLevel(
+      extension_scheme);
+  WebSecurityPolicy::registerURLSchemeAsFirstPartyWhenTopLevel(
+      extension_resource_scheme);
 }
 
 Dispatcher::~Dispatcher() {
 }
 
 void Dispatcher::OnRenderFrameCreated(content::RenderFrame* render_frame) {
   script_injection_manager_->OnRenderFrameCreated(render_frame);
 }
 
 bool Dispatcher::IsExtensionActive(const std::string& extension_id) const {
@@ skipping 1294 matching lines @@
 void Dispatcher::AddChannelSpecificFeatures() {
   // chrome-extension: resources should be allowed to register a Service Worker.
   if (FeatureProvider::GetBehaviorFeature(BehaviorFeature::kServiceWorker)
           ->IsAvailableToEnvironment()
           .is_available())
     WebSecurityPolicy::registerURLSchemeAsAllowingServiceWorkers(
         WebString::fromUTF8(kExtensionScheme));
 }
 
 }  // namespace extensions