Disallow non-subdomain wildcards in the extension's CSP

extensions/common/csp_validator.cc

Index: extensions/common/csp_validator.cc
diff --git a/extensions/common/csp_validator.cc b/extensions/common/csp_validator.cc
index d19c7f27ef803c519421858fa31f4171a208b5c4..d9788e7d41c5e7100b60cd085b6e592312ef867e 100644
--- a/extensions/common/csp_validator.cc
+++ b/extensions/common/csp_validator.cc
@@ -44,7 +44,7 @@ bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,
     std::string source = tokenizer.token();
     base::StringToLowerASCII(&source);
 
-    // Don't alow whitelisting of all hosts. This boils down to:
+    // Don't allow whitelisting of all hosts. This boils down to:
     //   1. Maximum of 2 '*' characters.
     //   2. Each '*' is either followed by a '.' or preceded by a ':'
     int wildcards = 0;
@@ -71,7 +71,7 @@ bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,
         LowerCaseEqualsASCII(source, "http://localhost") ||
         StartsWithASCII(source, "http://127.0.0.1:", false) ||
         StartsWithASCII(source, "http://localhost:", false) ||
-        StartsWithASCII(source, "https://", true) ||
+        (StartsWithASCII(source, "https://", true) && source.length() > 8) ||

[not at google - send to devlin, 2014/08/18 17:17:18]

what is 8?

[robwu, 2014/08/18 19:50:05]

The length of "https://".

[not at google - send to devlin, 2014/08/18 19:53:40]

I think that (StartsWithASCII(source, "https://") && source != "https://") would
be clearer, and accompany with a comment.

[robwu, 2014/08/18 21:08:18]

Done. See the bug report and the other CL at the linked bug if you need some
more context to review the comment.

         StartsWithASCII(source, "chrome://", true) ||
         StartsWithASCII(source,
                         std::string(extensions::kExtensionScheme) +