From 7e1868b1c3077896fce7fca42e9fcbb2d87b7cd4 Mon Sep 17 00:00:00 2001
From: Raymond Hill
Date: Sun, 21 Jul 2019 10:37:58 -0400
Subject: [PATCH] Add virtuous signal that remote code execution is not possible

Related Chromium issue:
- https://bugs.chromium.org/p/chromium/issues/detail?id=985759

By expressly restricting JavaScript execution to only code from the extension package, this explicitly tells code reviewer that uBO can't execute remote code.

I also had to add `object-src 'self'`, otherwise Chromium refused to load the extension with the following error message:

> 'content_security_policy': CSP directive 'object-src' must be specified

`object-src 'self'` is the default value.
---
 platform/chromium/manifest.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/platform/chromium/manifest.json b/platform/chromium/manifest.json
index ec6d52683..b55193e1a 100644
--- a/platform/chromium/manifest.json
+++ b/platform/chromium/manifest.json
@@ -51,6 +51,7 @@
 "all_frames": false
 }
 ],
+"content_security_policy": "script-src 'self'; object-src 'self'",
 "default_locale": "en",
 "description": "__MSG_extShortDesc__",
 "icons": {
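Review bot: The added `content_security_policy` constrains only the extension's own pages (background, popup, options and the like); the content scripts declared in the `content_scripts` array just above it run under each host page's CSP, so the manifest line cannot by itself prove that no content script ever injects remote script, and the commit message's "can't execute remote code" claim should be scoped to extension pages. Since `script-src 'self'; object-src 'self'` is already Chromium's default for extensions, the line changes nothing at runtime, which makes `object-src` the one place a stricter value is cheap: if no extension page embeds `<object>`/`<embed>` (likely, but verify), `"content_security_policy": "script-src 'self'; object-src 'none'"` also closes the plugin vector and should still satisfy Chromium's requirement that the directive be present. The manifest is strict JSON with no room for a comment, so this scoping caveat belongs in the commit message or the project's security notes rather than next to the key.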