Ignore insecure parts of CSP in extensions and allow extension to load

extensions/common/manifest_handlers/csp_info.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/common/manifest_handlers/csp_info.h"
 
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "extensions/common/csp_validator.h"
+#include "extensions/common/install_warning.h"
 #include "extensions/common/manifest_constants.h"
 #include "extensions/common/manifest_handlers/sandboxed_page_info.h"
 
 namespace extensions {
 
 namespace keys = manifest_keys;
 namespace errors = manifest_errors;
 
 using csp_validator::ContentSecurityPolicyIsLegal;
 using csp_validator::ContentSecurityPolicyIsSecure;
@@ skipping 79 matching lines @@
 bool CSPHandler::Parse(Extension* extension, base::string16* error) {
   const std::string key = Keys()[0];
   if (!extension->manifest()->HasPath(key)) {
     if (extension->manifest_version() >= 2) {
       // TODO(abarth): Should we continue to let extensions override the
       //               default Content-Security-Policy?
       std::string content_security_policy = is_platform_app_ ?
           kDefaultPlatformAppContentSecurityPolicy :
           kDefaultContentSecurityPolicy;
 
       CHECK(ContentSecurityPolicyIsSecure(content_security_policy,

[not at google - send to devlin, 2014/12/01 19:19:31]

Indeed I find these changes hard to reason about because the semantics of
ContentSecurityPolicyIsSecure has changed.

-                                          GetValidatorOptions(extension)));
+                                          GetValidatorOptions(extension),
+                                          NULL, NULL));
       extension->SetManifestData(keys::kContentSecurityPolicy,
                                  new CSPInfo(content_security_policy));
     }
     return true;
   }
 
   std::string content_security_policy;
   if (!extension->manifest()->GetString(key, &content_security_policy)) {
     *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy);
     return false;
   }
   if (!ContentSecurityPolicyIsLegal(content_security_policy)) {
     *error = base::ASCIIToUTF16(errors::kInvalidContentSecurityPolicy);
     return false;
   }
+  std::string sanitized_csp;
+  std::vector<InstallWarning> warnings;
   if (extension->manifest_version() >= 2 &&
       !ContentSecurityPolicyIsSecure(content_security_policy,
-                                     GetValidatorOptions(extension))) {
-    *error = base::ASCIIToUTF16(errors::kInsecureContentSecurityPolicy);
-    return false;
+                                     GetValidatorOptions(extension),
+                                     &sanitized_csp, &warnings)) {
+    extension->AddInstallWarnings(warnings);
+    content_security_policy = sanitized_csp;
   }
 
   extension->SetManifestData(keys::kContentSecurityPolicy,
                              new CSPInfo(content_security_policy));
   return true;
 }
 
 bool CSPHandler::AlwaysParseForType(Manifest::Type type) const {
   if (is_platform_app_)
     return type == Manifest::TYPE_PLATFORM_APP;
   else
     return type == Manifest::TYPE_EXTENSION ||
         type == Manifest::TYPE_LEGACY_PACKAGED_APP;
 }
 
 const std::vector<std::string> CSPHandler::Keys() const {
   const std::string& key = is_platform_app_ ?
       keys::kPlatformAppContentSecurityPolicy : keys::kContentSecurityPolicy;
   return SingleKey(key);
 }
 
 }  // namespace extensions