Issue 4722 - Drop support for Chrome 41 - 48

lib/csp.js

Index: lib/csp.js
diff --git a/lib/csp.js b/lib/csp.js
index 937792e99861062ac326b7f38b5adeb71c6fc5ec..8bbb8ba5cdf0839f579a2134ffa6b9b02d442549 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -37,12 +37,7 @@ chrome.webRequest.onHeadersReceived.addListener(function(details)
       // We also need the frame-src and child-src restrictions since CSPs are
       // not inherited from the parent for documents with data: and blob: URLs.
       // https://bugs.chromium.org/p/chromium/issues/detail?id=513860
-      //
-      // As of Chrome 49 "http:" also includes "https:" implictly. We specify
-      // both here for compatibility with earlier versions of Chrome.
-      // https://www.chromestatus.com/feature/6653486812889088

[Wladimir Palant, 2016/12/13 14:15:02]

This comment still adds some value, http: also including https: is non-obvious.
Only the version number is no longer important.

[kzar, 2016/12/13 15:05:40]

Done.

-      value: "connect-src http: https:; frame-src http: https:; " +

[Sebastian Noack, 2016/12/13 14:35:39]

It seems we don't support any Chrome version anymore that doesn't support
child-src. Hence frame-src is redundant at least as far as Chrome is concerned,
since if both are given frame-src is ignored.

Not sure about Edge though. On the other hand, from the comment above, it seems
adding frame-src and child-src was only neccessary to workaround a Chrome bug in
the first place.

[kzar, 2016/12/13 15:05:40]

Done.

-        "child-src http: https:; object-src http: https:"
+      value: "connect-src http:; frame-src http:; child-src http:; object-src http:"
     });
     return {responseHeaders: details.responseHeaders};
   }