
Issue 648508

Starred by 7 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug




Wildcard handling of content security policy has changed, no longer covers file://

Reported by tobias.w...@loxone.com, Sep 20 2016

Issue description

We had the following CSP-Meta-Tag in our Cordova app:
<meta http-equiv="Content-Security-Policy" content="img-src * data: blob:; child-src * blob:; connect-src * ws:; default-src * blob:; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval' blob:">

Since we're on Cordova, most of the files are provided via "file://" and so far the wildcard did allow that. Since 54.0.2840.25 the wildcard (*) no longer covers "file://" and therefore Cordova apps that do not explicitly allow "file://" to load will no longer work.


Device name: Samsung Galaxy S6 and probably every other device too.
Android version: 6.0.1
WebView version (from system settings -> Apps -> Android System WebView): 54.0.2840.25
Application: Loxone Smart Home - and other Cordova Apps.
Application version: 7.0.2 (2016.09.05)

URLs (if applicable):
App won't start.

Steps to reproduce:
(1) Get the app (it's free) and open it.
(2) See a blank screen

Expected result:
App opens. 

Actual result:
App shows a blank screen as no scripts/styles/images are loaded due to content security policy changes.

 

Comment 1 by torne@chromium.org, Sep 20 2016

Components: Blink>SecurityFeature
Owner: mkwst@chromium.org
What's the origin of the file you are loading? Is it also being loaded from file:// or is it loaded from elsewhere?

Mike, was this an intentional change in M54? It seems potentially related to the discussion at https://github.com/w3c/webappsec-csp/issues/104 ? I don't know how widespread use of CSP meta tags is in cordova applications, but if it's common and the handling of file: origins changed, there might be a lot of apps impacted :/
The scripts/styles/images in Cordova apps are loaded from "file://".

Comment 3 by torne@chromium.org, Sep 20 2016

Where is the *document* that references those scripts/styles/images loaded from, though? What is the actual origin of the current page?
file:///android_asset/www/index.html#

Comment 5 by torne@chromium.org, Sep 26 2016

Labels: -Pri-3 M-54 ReleaseBlock-Stable Pri-1
Issue 650154 looks related also.

Comment 6 by mkwst@chromium.org, Sep 26 2016

Cc: shek...@gmail.com
I assume this is one of shekyan@'s patches which touched `*`. According to the spec, `*` should still include `file:` if included on a page that it itself loaded from `file:`. CCing.

Looking more closely, I think we just missed this bit in https://codereview.chromium.org/2209113002. I'll put up a patch.

Comment 7 by shek...@gmail.com, Sep 26 2016

https://codereview.chromium.org/2209113002 reflects the spec at the time of implementation. So I implemented what the spec said at that time, and completely forgot to update the Chromium implementation once https://github.com/w3c/webappsec-csp/issues/104 was addressed in the spec.

Comment 8 by bugdroid1@chromium.org, Sep 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d55f533b68355157431105281d485ef368e857a6

commit d55f533b68355157431105281d485ef368e857a6
Author: mkwst <mkwst@chromium.org>
Date: Tue Sep 27 06:34:18 2016

Relax '*' in CSPSourceList to match the protected resource's protocol.

'*' should match 'file://whatever.jpg' when loaded from 'file://document.html'.
The patch in [1] tightened '*'s behavior, but missed this bit.

[1]: https://codereview.chromium.org/2209113002

BUG=648508

Review-Url: https://codereview.chromium.org/2368073003
Cr-Commit-Position: refs/heads/master@{#421129}

[modify] https://crrev.com/d55f533b68355157431105281d485ef368e857a6/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
[modify] https://crrev.com/d55f533b68355157431105281d485ef368e857a6/third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp
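A small model of the `*` matching rule that comment 6 and the commit message above describe, written here as an added example (it is not Chromium's CSPSourceList code). It parses the reporter's meta-tag policy and checks a Cordova-style file: document; the `tightened` switch and the set of network schemes treated as always covered by `*` are my constructions, used to contrast the behaviour before and after the fix.

```python
from urllib.parse import urlsplit

# Constructed inputs: the reporter's meta-tag policy and a Cordova-style
# document served from file:, as in the issue.
DOCUMENT_URL = "file:///android_asset/www/index.html"
POLICY = ("img-src * data: blob:; child-src * blob:; connect-src * ws:; "
          "default-src * blob:; style-src * 'unsafe-inline'; "
          "script-src * 'unsafe-inline' 'unsafe-eval' blob:")

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}  # assumption, see lead-in

def parse_policy(policy):
    """Split a serialized CSP into {directive: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def star_matches(url_scheme, doc_scheme, tightened):
    """'*' semantics. tightened=True models WebView 54.0.2840.25 before
    the fix (network schemes only); tightened=False models the spec and
    the fix: network schemes, or the protected document's own scheme.
    Neither form covers data:, blob: or filesystem: (CSP3 rule)."""
    if url_scheme in NETWORK_SCHEMES:
        return True
    return not tightened and url_scheme == doc_scheme

def source_matches(expr, url_scheme, doc_scheme, tightened):
    if expr == "*":
        return star_matches(url_scheme, doc_scheme, tightened)
    if expr.endswith(":"):  # scheme-source such as "data:" or "blob:"
        return url_scheme == expr[:-1].lower()
    return False            # keywords and host-sources: not needed here

def allows(policy, directive, resource_url, document_url, tightened=False):
    """Does `directive` (falling back to default-src) permit resource_url?"""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src", []))
    url_scheme = urlsplit(resource_url).scheme.lower()
    doc_scheme = urlsplit(document_url).scheme.lower()
    return any(source_matches(s, url_scheme, doc_scheme, tightened)
               for s in sources)

if __name__ == "__main__":
    js = "file:///android_asset/www/js/index.js"
    print("pre-fix :", allows(POLICY, "script-src", js, DOCUMENT_URL, tightened=True))  # False
    print("post-fix:", allows(POLICY, "script-src", js, DOCUMENT_URL))  # True
```

The same check with an https: document shows that `*` only reaches file: when the document itself is file:, which is the case the spec and the fix carve out.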

Comment 9 by mkwst@chromium.org, Sep 27 2016

Labels: Merge-Request-54
Landed; assuming this doesn't explode in tomorrow's canary, I'll request a merge back to beta so folks can test their webview apps.

Comment 10 by dimu@chromium.org, Sep 27 2016

Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)

Comment 11 by torne@chromium.org, Sep 27 2016

Issue 650154 has been merged into this issue.

Comment 12 by mkwst@chromium.org, Sep 27 2016

I didn't actually mean to request permission to merge... :) I'll just wait until after tomorrow's Canary is pushed out.
[Bulk edit]

This issue is listed as a release block stable for M54 Android.  We'll be cutting our stable candidate in just about two weeks, so time is running out to fix this bug - please prioritize working on it ASAP.

Are you sure this issue shouldn't block the release?  Remove the ReleaseBlock-Stable label.
Unsure if this issue should block the release, or know the issue should block the release but we won't be able to fix it in time?  CC me so that we can discuss.

Thanks!
Status: Assigned (was: Unconfirmed)
Setting appropriate status.  Please get this merged by end of week; I'll make sure we get a canary deployed today so you can test.

Comment 15 by bugdroid1@chromium.org, Sep 29 2016

Labels: -merge-approved-54 merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/45b9a9238953dcffddcaa40ef5c7d9c5e2d48592

commit 45b9a9238953dcffddcaa40ef5c7d9c5e2d48592
Author: Mike West <mkwst@google.com>
Date: Thu Sep 29 10:05:53 2016

Relax '*' in CSPSourceList to match the protected resource's protocol.

'*' should match 'file://whatever.jpg' when loaded from 'file://document.html'.
The patch in [1] tightened '*'s behavior, but missed this bit.

[1]: https://codereview.chromium.org/2209113002

BUG=648508

Review-Url: https://codereview.chromium.org/2368073003
Cr-Commit-Position: refs/heads/master@{#421129}
(cherry picked from commit d55f533b68355157431105281d485ef368e857a6)

Review URL: https://codereview.chromium.org/2375423002 .

Cr-Commit-Position: refs/branch-heads/2840@{#577}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/45b9a9238953dcffddcaa40ef5c7d9c5e2d48592/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
[modify] https://crrev.com/45b9a9238953dcffddcaa40ef5c7d9c5e2d48592/third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp

Comment 16 by mkwst@chromium.org, Sep 29 2016

Status: Fixed (was: Assigned)
Merged to beta. If it explodes, we'll try again. :)
Verified on latest webview M54/ Galaxy S6/MMB29K

Comment 18 by bugdroid1@chromium.org, Oct 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/45b9a9238953dcffddcaa40ef5c7d9c5e2d48592

commit 45b9a9238953dcffddcaa40ef5c7d9c5e2d48592
Author: Mike West <mkwst@google.com>
Date: Thu Sep 29 10:05:53 2016

Relax '*' in CSPSourceList to match the protected resource's protocol.

'*' should match 'file://whatever.jpg' when loaded from 'file://document.html'.
The patch in [1] tightened '*'s behavior, but missed this bit.

[1]: https://codereview.chromium.org/2209113002

BUG=648508

Review-Url: https://codereview.chromium.org/2368073003
Cr-Commit-Position: refs/heads/master@{#421129}
(cherry picked from commit d55f533b68355157431105281d485ef368e857a6)

Review URL: https://codereview.chromium.org/2375423002 .

Cr-Commit-Position: refs/branch-heads/2840@{#577}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/45b9a9238953dcffddcaa40ef5c7d9c5e2d48592/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
[modify] https://crrev.com/45b9a9238953dcffddcaa40ef5c7d9c5e2d48592/third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp
