Disallow CSP source * matching of data:, blob:, and filesystem: URLs

chrome/common/extensions/docs/templates/articles/offline_apps.html

 <h1>Offline First</h1>
 
 
 <p>
 Because internet connections can be flakey or non-existent,
 you need to consider <em>offline first</em>:
 write your app as if it has no internet connection.
 Once your app works offline,
 add whatever network functionality you need
 for your app to do more when it’s online.
@@ skipping 117 matching lines @@
 </p>
 
 <p>
 Some of the restrictions on Chrome Apps are enforced by the 
 <a href="contentSecurityPolicy">Content Security Policy (CSP)</a>
 which is always the following and cannot be changed for Chrome Apps:
 </p>
 
 <pre>
 default-src 'self';
-connect-src *;
+connect-src * data: blob: filesystem:;
 style-src 'self' blob: data: filesystem: 'unsafe-inline';
 img-src 'self' blob: data: filesystem:;
 frame-src 'self' blob: data: filesystem:;
 font-src 'self' blob: data: filesystem:;
-media-src *;
+media-src * data: blob: filesystem:;
 </pre>
 
 <h2 id="manifest"> Specifying offline_enabled </h2>
 
 <p>
 It is assumed that your app behaves well offline. If it doesn't, you should
 advertise that fact, so that its launch icon is dimmed when the user is offline.
 To do so, set <code>offline_enabled</code> to <code>false</code> in the
 <a href="manifest">app manifest file</a>:
 </p>
@@ skipping 140 matching lines @@
     switching often between online and offline.
   </li>
 </ul>
 
 <p>
 Also make sure that the app saves <b>no sensitive user data</b>
 (such as passwords) on the user's machine.
 </p>
 
 <p class="backtotop"><a href="#top">Back to top</a></p>