Remove chrome-extension-resource:// scheme

extensions/common/csp_validator.cc

Index: extensions/common/csp_validator.cc
diff --git a/extensions/common/csp_validator.cc b/extensions/common/csp_validator.cc
index e6c789f6f8e59fce0d2afdc732efac15d82a37f6..37d1009d69415db9a2e19ca72aa8840166c6692a 100644
--- a/extensions/common/csp_validator.cc
+++ b/extensions/common/csp_validator.cc
@@ -31,8 +31,7 @@ const char kObjectSrc[] = "object-src";
 const char kPluginTypes[] = "plugin-types";
 
 const char kObjectSrcDefaultDirective[] = "object-src 'self';";
-const char kScriptSrcDefaultDirective[] =
-    "script-src 'self' chrome-extension-resource:;";
+const char kScriptSrcDefaultDirective[] = "script-src 'self';";
 
 const char kSandboxDirectiveName[] = "sandbox";
 const char kAllowSameOriginToken[] = "allow-same-origin";
@@ -176,13 +175,18 @@ void GetSecureDirectiveValues(const std::string& directive_name,
                          std::string(extensions::kExtensionScheme) +
                              url::kStandardSchemeSeparator,
                          false) ||
-        IsHashSource(source_literal) ||
-        base::StartsWith(source_lower, "chrome-extension-resource:",
-                         base::CompareCase::SENSITIVE)) {
+        IsHashSource(source_literal)) {
       is_secure_csp_token = true;
     } else if ((options & OPTIONS_ALLOW_UNSAFE_EVAL) &&
                source_lower == "'unsafe-eval'") {
       is_secure_csp_token = true;
+    } else if (base::StartsWith(source_lower, "chrome-extension-resource:",
+                                base::CompareCase::SENSITIVE)) {
+      // The "chrome-extension-resource" scheme has been removed from the
+      // codebase, but it may still appear in existing CSPs. We continue to
+      // allow it here for compatibility. Requests on this scheme will not
+      // return any kind of network response.
+      is_secure_csp_token = true;
     }
 
     if (is_secure_csp_token) {