
Unified Diff: extensions/common/manifest_handlers/csp_info.cc

Issue 760513003: Only allow insecure object-src directives for whitelisted mime types (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extensions-csp3
Patch Set: Created 6 years, 1 month ago
Index: extensions/common/manifest_handlers/csp_info.cc
diff --git a/extensions/common/manifest_handlers/csp_info.cc b/extensions/common/manifest_handlers/csp_info.cc
index 2fd74fb76b272a096eae2e8f215861835955aeb6..2c3838fa6351daad489a6fb16d9830d7775719d2 100644
--- a/extensions/common/manifest_handlers/csp_info.cc
+++ b/extensions/common/manifest_handlers/csp_info.cc
@@ -44,6 +44,27 @@ const char kDefaultPlatformAppContentSecurityPolicy[] =
// streaming or partial buffering.
"media-src *;";
+int GetValidatorOptions(Extension* extension) {
+ int options = csp_validator::OPTIONS_NONE;
+
+ // crbug.com/146487
+ if (extension->GetType() == Manifest::TYPE_EXTENSION ||
+ extension->GetType() == Manifest::TYPE_LEGACY_PACKAGED_APP) {
+ options |= csp_validator::OPTIONS_ALLOW_UNSAFE_EVAL;
+ }
+
+ // Component extensions can specify an insecure object-src directive. This
+ // should be safe because non-NPAPI plugins should load in a sandboxed process
+ // and only allow communication via postMessage. Flash is an exception since
+ // it allows scripting into the embedder page, but even then it should
+ // disallow cross-origin scripting. At some point we may want to consider
+ // allowing this publicly.
Mike West 2014/11/25 13:42:36 What conditions will have to be met to allow this
raymes 2014/11/25 13:51:05 From my understanding of things, this would be rea
+ if (extensions::Manifest::IsComponentLocation(extension->location()))
+ options |= csp_validator::OPTIONS_ALLOW_INSECURE_OBJECT_SRC;
+
+ return options;
+}
+
} // namespace
CSPInfo::CSPInfo(const std::string& security_policy)
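Review bot: `GetValidatorOptions` only reads `extension->GetType()` and `extension->location()`, so its parameter should be `const Extension* extension` (assuming both accessors are const members, as their names suggest); the non-const pointer implies a mutation that never happens. The function also lacks a header comment; I would add `// Returns the csp_validator::OPTIONS_* bitmask to apply when validating |extension|'s CSP, derived from its type and install location.` above the signature, and expand the bare `// crbug.com/146487` on the eval branch into one sentence saying why extensions and legacy packaged apps are granted `OPTIONS_ALLOW_UNSAFE_EVAL`, since that is the only justification a reader of this file gets. The `extensions::Manifest::IsComponentLocation(...)` call is qualified differently from `Manifest::TYPE_EXTENSION` a few lines above; both resolve inside the same namespace, so `Manifest::IsComponentLocation(...)` keeps the function consistent with itself.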
@@ -88,7 +109,7 @@ bool CSPHandler::Parse(Extension* extension, base::string16* error) {
kDefaultContentSecurityPolicy;
CHECK(ContentSecurityPolicyIsSecure(content_security_policy,
- extension->GetType()));
+ GetValidatorOptions(extension)));
extension->SetManifestData(keys::kContentSecurityPolicy,
new CSPInfo(content_security_policy));
}
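Review bot: `GetValidatorOptions(extension)` is evaluated inline at this call site and again in the `@@ -106` hunk below; since its result depends only on the extension's type and location, which do not change during `Parse`, a single `const int options = GetValidatorOptions(extension);` near the top of `Parse` would compute it once and make it visible that the default-policy CHECK and the manifest-policy check are validated under the same flags. `CSPHandler::Parse` begins outside this hunk, so the exact placement of that local is not visible here.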
@@ -106,7 +127,7 @@ bool CSPHandler::Parse(Extension* extension, base::string16* error) {
}
if (extension->manifest_version() >= 2 &&
!ContentSecurityPolicyIsSecure(content_security_policy,
- extension->GetType())) {
+ GetValidatorOptions(extension))) {
*error = base::ASCIIToUTF16(errors::kInsecureContentSecurityPolicy);
return false;
}
