Don't allow HTTP origins for the CryptoToken extension.

chrome/browser/resources/cryptotoken/signer.js

Index: chrome/browser/resources/cryptotoken/signer.js
diff --git a/chrome/browser/resources/cryptotoken/signer.js b/chrome/browser/resources/cryptotoken/signer.js
index f0af2a17ed4f64fd21c7b68d7476340d0d88ae60..9397670d20f29970f034895919e7ee5ae2e4323d 100644
--- a/chrome/browser/resources/cryptotoken/signer.js
+++ b/chrome/browser/resources/cryptotoken/signer.js
@@ -43,6 +43,10 @@ function handleWebSignRequest(messageSender, request, sendResponse) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
     return null;
   }
+  if (sender.origin.indexOf('http://') == 0 && !HTTP_ORIGINS_ALLOWED) {
+    sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
+    return null;
+  }
 
   queuedSignRequest =
       validateAndEnqueueSignRequest(
@@ -82,6 +86,10 @@ function handleU2fSignRequest(messageSender, request, sendResponse) {
     sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
     return null;
   }
+  if (sender.origin.indexOf('http://') == 0 && !HTTP_ORIGINS_ALLOWED) {
+    sendErrorResponse({errorCode: ErrorCodes.BAD_REQUEST});
+    return null;
+  }
 
   queuedSignRequest =
       validateAndEnqueueSignRequest(