Local NTP: Allow iframes from *.google.com

chrome/browser/search/local_ntp_source.cc

Index: chrome/browser/search/local_ntp_source.cc
diff --git a/chrome/browser/search/local_ntp_source.cc b/chrome/browser/search/local_ntp_source.cc
index 82c7d3a7dcf71789797d82f3adfc3815098ed574..85821bc805245b8f04dc42d5d69acd09c9aacbcf 100644
--- a/chrome/browser/search/local_ntp_source.cc
+++ b/chrome/browser/search/local_ntp_source.cc
@@ -431,11 +431,8 @@ std::string LocalNtpSource::GetContentSecurityPolicyChildSrc() const {
   if (one_google_bar_service_) {
     // Allow embedding of the most visited iframe, as well as the account
     // switcher and the notifications dropdown from the One Google Bar.
-    // TODO(treib): Figure out a way to also allow staging instances.
-    return base::StringPrintf(
-        "child-src %s https://accounts.google.com/ https://docs.google.com "
-        "https://notifications.google.com;",
-        chrome::kChromeSearchMostVisitedUrl);

[fhorschig, 2017/05/03 10:41:59]

As discussed offline, please point this out in the security review
so that we double-check that this is secure.

+    return base::StringPrintf("child-src %s https://*.google.com/;",
+                              chrome::kChromeSearchMostVisitedUrl);
   }
   // Allow embedding of the most visited iframe.
   return base::StringPrintf("child-src %s;",