CSP: Permit exempting schemes only for certain policy areas.

LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html

+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="default-src https:; script-src 'unsafe-inline'">
+<script>
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+    }
+
+    var testIndex = 1;
+    var testCount = 12;
+    function produceOutput(promise) {
+        var suffix = ' (' + testIndex++ + '/' + testCount + ')';
+        return promise.then(function() { console.log('PASS' + suffix); },
+                            function() { console.log('FAIL' + suffix); });
+    }
+
+
+    function expectImageLoad(shouldLoad) {
+        return produceOutput(new Promise(function(resolve, reject) {
+            var img = document.createElement('img');
+            var pass = function() { resolve(); };
+            var fail = function() { reject(new Error()); };
+            img.onload = shouldLoad ? pass : fail;
+            img.onerror = shouldLoad ? fail : pass;
+            img.src = '../resources/abe.png';
+        }));
+    }
+
+    function expectStyleLoad(shouldLoad) {
+        // onerror doesn't seem to work on <link>.
+        // Fortunately, srcdoc iframes are bound by containing CSP.
+        return produceOutput(new Promise(function(resolve, reject) {
+            var iframe = document.createElement('iframe');
+            iframe.onload = function() {
+                var didLoad = iframe.contentDocument.styleSheets.length > 0;
+                (shouldLoad == didLoad) ? resolve() : reject(new Error());
+                iframe.remove();
+            };
+            iframe.srcdoc = '<link rel="stylesheet" href="../resources/cssStyle.css">';
+            document.body.appendChild(iframe);
+        }));
+    }
+
+    window.onload = function() {
+        Promise.resolve()
+            .then(function() {
+                return expectImageLoad(false).then(function() { return expectStyleLoad(false); });
+            })
+            .then(function() {
+                internals.registerURLSchemeAsBypassingContentSecurityPolicy('http');
+                return expectImageLoad(true).then(function() { return expectStyleLoad(true); });
+            })
+            .then(function() {
+                internals.removeURLSchemeRegisteredAsBypassingContentSecurityPolicy('http');
+                internals.registerURLSchemeAsBypassingContentSecurityPolicy('http', []);
+                return expectImageLoad(false).then(function() { return expectStyleLoad(false); });
+            })
+            .then(function() {
+                internals.removeURLSchemeRegisteredAsBypassingContentSecurityPolicy('http');
+                internals.registerURLSchemeAsBypassingContentSecurityPolicy('http', ['img']);
+                return expectImageLoad(true).then(function() { return expectStyleLoad(false); });
+            })
+            .then(function() {
+                internals.removeURLSchemeRegisteredAsBypassingContentSecurityPolicy('http');
+                internals.registerURLSchemeAsBypassingContentSecurityPolicy('http', ['style']);
+                return expectImageLoad(false).then(function() { return expectStyleLoad(true); });
+            })
+            .then(function() {
+                internals.removeURLSchemeRegisteredAsBypassingContentSecurityPolicy('http');
+                return expectImageLoad(false).then(function() { return expectStyleLoad(false); });
+            })
+            .then(function() { if (window.testRunner) testRunner.notifyDone(); });
+    };
+</script>
+</head>
+<body>
+    <p>
+        This test ensures that registering a scheme as bypassing CSP actually bypasses CSP.
+        This test passes if only PASSes are generated.
+    </p>
+</body>
+</html>