Ignore insecure parts of CSP in extensions and allow extension to load

extensions/common/csp_validator.h

Index: extensions/common/csp_validator.h
diff --git a/extensions/common/csp_validator.h b/extensions/common/csp_validator.h
index e7446f6d4fd885f0363d7002f9d780053e3ab7ba..2b6df2d3d2a0395357742d7372dab56cda8ec28b 100644
--- a/extensions/common/csp_validator.h
+++ b/extensions/common/csp_validator.h
@@ -28,8 +28,15 @@ bool ContentSecurityPolicyIsLegal(const std::string& policy);
 // However, we found that it broke too many deployed extensions to limit
 // 'unsafe-eval' in the script-src directive, so that is allowed as a special
 // case for extensions. Platform apps disallow it.
-bool ContentSecurityPolicyIsSecure(
-    const std::string& policy, Manifest::Type type);
+//
+// If |sanitized_csp| is not NULL, |policy| minus the insecure values is stored
+// in |sanitized_csp|.

[not at google - send to devlin, 2014/11/24 18:26:08]

Concise is nice:
If |sanitized_csp| is non-NULL it will be set to |policy| with the insecure
values removed.

And maybe it should be "safe_policy".

+// If |warnings| is not NULL, any validation errors are appended to |warnings|.
+// Returns whether |policy| meets the minimum security requirements.
+bool ContentSecurityPolicyIsSecure(const std::string& policy,
+                                   Manifest::Type type,
+                                   std::string* sanitized_csp,
+                                   std::vector<InstallWarning>* warnings);
 
 // Checks whether the given |policy| enforces a unique origin sandbox as
 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/