Create a proprietary scheme for loading web-accessible resources.

content/renderer/render_thread_impl.cc

Index: content/renderer/render_thread_impl.cc
diff --git a/content/renderer/render_thread_impl.cc b/content/renderer/render_thread_impl.cc
index 3e422031b5d329a33646975b044e29c49c173e07..6bc51187cef0ea14d74646927f95761a0be2f166 100644
--- a/content/renderer/render_thread_impl.cc
+++ b/content/renderer/render_thread_impl.cc
@@ -984,6 +984,16 @@ void RenderThreadImpl::RegisterSchemes() {
   WebString swappedout_scheme(base::ASCIIToUTF16(kSwappedOutScheme));
   WebSecurityPolicy::registerURLSchemeAsDisplayIsolated(swappedout_scheme);
   WebSecurityPolicy::registerURLSchemeAsEmptyDocument(swappedout_scheme);
+
+  // This scheme serves resources that may be injected into the
+  // web page (e.g. by Blink). This isn't mixed content, and
+  // content security policy doesn't apply.
+  WebString resource_scheme(base::ASCIIToUTF16(kResourceScheme));
+  WebSecurityPolicy::registerURLSchemeAsSecure(resource_scheme);
+  WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
+      resource_scheme, static_cast<WebSecurityPolicy::PolicyAreas>(
+                           WebSecurityPolicy::PolicyAreaImage |
+                           WebSecurityPolicy::PolicyAreaStyle));
 }
 
 void RenderThreadImpl::NotifyTimezoneChange() {