Create a proprietary scheme for loading web-accessible resources.

content/renderer/render_thread_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_thread_impl.h"
 
 #include <algorithm>
 #include <limits>
 #include <map>
 #include <vector>
@@ skipping 956 matching lines @@
     message_loop()->AddTaskObserver(memory_observer_.get());
   }
 }
 
 void RenderThreadImpl::RegisterSchemes() {
   // swappedout: pages should not be accessible, and should also
   // be treated as empty documents that can commit synchronously.
   WebString swappedout_scheme(base::ASCIIToUTF16(kSwappedOutScheme));
   WebSecurityPolicy::registerURLSchemeAsDisplayIsolated(swappedout_scheme);
   WebSecurityPolicy::registerURLSchemeAsEmptyDocument(swappedout_scheme);
+
+  // This scheme serves resources that may be injected into the
+  // web page (e.g. by Blink). This isn't mixed content, and
+  // content security policy doesn't apply.
+  WebString resource_scheme(base::ASCIIToUTF16(kResourceScheme));
+  WebSecurityPolicy::registerURLSchemeAsSecure(resource_scheme);
+  WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(

[Tom Sepez, 2014/11/17 18:09:11]

Do we need to bypass CSP?  For a CSP-enabled web page that uses this feature,
I'd expect the page to explicitly list 'chrome-resources:' as part of their
policy.  For CSP-enabled pages that don't use this feature, it would be a shame
to allow them to be vulnerable by default to flaws in some chrome-resource://
script.

[jbroman, 2014/11/17 18:35:16]

The goal is to be able to use this scheme to host resources for features the
author may not even be aware of, like the close button graphics in a plugin
placeholder, or some other style resource that's internal to a feature that
the author need not be aware of. I wouldn't expect an author to ever write
"chrome-resource://" in their own document (and would loosely describe the
contract for that scheme as "this is for Chrome's use and valid URLs may
change at any time without warning").

I don't think authors should need to be aware of implementation details of
each user agent to avoid strange breakage of UA features that are supposed
to be, from their perspective, entirely encapsulated.

I don't intend to put scripts there, just stylesheets (for use in UA shadow
roots) and images. I can make the warning comment at the registration sites
more specific if that's helpful. I agree that some caution would have to be
used before a resource is added to a CSP-bypassing scheme.

I see this as analogous to chrome-extension:// web-accessible resources, which
the author doesn't know about.

Is that clear and reasonable, or have I missed your point?

+      resource_scheme);
 }
 
 void RenderThreadImpl::NotifyTimezoneChange() {
   NotifyTimezoneChangeOnThisThread();
   RenderThread::Get()->PostTaskToAllWebWorkers(
       base::Bind(&NotifyTimezoneChangeOnThisThread));
 }
 
 void RenderThreadImpl::RecordAction(const base::UserMetricsAction& action) {
   Send(new ViewHostMsg_UserMetricsRecordAction(action.str_));
@@ skipping 629 matching lines @@
   hidden_widget_count_--;
 
   if (!GetContentClient()->renderer()->RunIdleHandlerWhenWidgetsHidden()) {
     return;
   }
 
   ScheduleIdleHandler(kLongIdleHandlerDelayMs);
 }
 
 }  // namespace content