Adding `content_security_policy` to the "Mappy" sample.

Adding `content_security_policy` to the "Mappy" sample.

This involved pretty much rewriting the popup code to avoid a script injected
via `document.write` in the Maps API code.

BUG=92644
TEST=

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=106043

[Mike West, 2011-10-16 12:25:55]

And another.

I rewrote a chunk of this to avoid using the Maps API that injects script via
`document.write`. I don't know the Maps API well enough to know if a newer
version loads script in a more friendly way or not, so I just avoided loading
the script (as opposed to adding `unsafe-inline`, which I'd like to avoid
entirely).

Thanks!

-Mike

[abarth-chromium, 2011-10-16 19:48:16]

http://codereview.chromium.org/8311007/diff/1/chrome/common/extensions/docs/e...
File chrome/common/extensions/docs/examples/extensions/mappy/manifest.json
(right):

http://codereview.chromium.org/8311007/diff/1/chrome/common/extensions/docs/e...
chrome/common/extensions/docs/examples/extensions/mappy/manifest.json:20:
"content_security_policy": "script-src 'self'; connect-src
https://maps.googleapis.com; img-src https://maps.google.com"
Please add an object-src directive (ideally with 'none').  Without default-src
or object-src, an XSS vulnerability can execute script by embedding a SWF.

[Mike West, 2011-10-16 21:14:56]

Thanks.

http://codereview.chromium.org/8311007/diff/1/chrome/common/extensions/docs/e...
File chrome/common/extensions/docs/examples/extensions/mappy/manifest.json
(right):

http://codereview.chromium.org/8311007/diff/1/chrome/common/extensions/docs/e...
chrome/common/extensions/docs/examples/extensions/mappy/manifest.json:20:
"content_security_policy": "script-src 'self'; connect-src
https://maps.googleapis.com; img-src https://maps.google.com"
On 2011/10/16 19:48:16, abarth wrote:
> Please add an object-src directive (ideally with 'none').  Without default-src
> or object-src, an XSS vulnerability can execute script by embedding a SWF.

Makes sense.

Would adding a `default-src` directive with `'none'` be appropriate (and a
`style-src` directive to allow the stylesheet)? I actually thought that's what
it would default to, but I apparently invented that part of the spec out of
nothing... :)

[abarth-chromium, 2011-10-16 21:20:32]

Yeah, default-src 'none' is the best approach.  An older version of the spec
used to have a default value for default-src, which is probably what you were
thinking of.  :)

[Mike West, 2011-10-17 07:54:06]

On 2011/10/16 21:20:32, abarth wrote:
> Yeah, default-src 'none' is the best approach.  An older version of the spec
> used to have a default value for default-src, which is probably what you were
> thinking of.  :)

Alright. I've updated the manifest and rebuilt docs. Boris, I'd appreciate you
giving this a look sometime in the relatively near future so I can avoid
rebuilding docs again. ;)

[Boris Smus, 2011-10-17 21:39:25]

LGTM. Thanks for adding the license header too.