Disallow non-subdomain wildcards in the extension's CSP

chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html

Index: chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
diff --git a/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html b/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
index 8ed936f6a145dd0bd4787b4e870c24f460eea04e..a76c35170ae5bf363953feaace34afa01286e642 100644
--- a/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
+++ b/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
@@ -274,8 +274,13 @@ function main() {
   href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
   attacks</a> are both trivial and undetectable over HTTP, those origins will
   not be accepted. Currently, we allow whitelisting origins with the following

[not at google - send to devlin, 2014/08/19 15:05:57]

This paragraph is getting unwieldy, could you split it up between "accepted."
and "Currently"?

[robwu, 2014/08/19 16:31:39]

Done.

-  schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and
-  <code>chrome-extension-resource</code>.
+  schemes: <code>blob</code>, <code>filesystem</code>, <code>https</code>,
+  <code>chrome-extension</code>, and <code>chrome-extension-resource</code>.
+  The host part of the origin must explicitly be specified for the
+  <code>https</code> and <code>chrome-extension</code> schemes. Wildcards are
+  not allowed, unless it is a subdomain wildcard.
+  For example, <code>https://*</code> is not allowed, but
+  <code>https://example.com</code> and <code>https://*.example.com</code> are.
 </p>
 
 <p>