addons-linter
MANIFEST_CSP check is not sufficiently precise
The logic that checks whether a source expression in the manifest CSP is permitted is not sufficiently precise. The check relies on the following regexp, applied with String.prototype.search:
https://github.com/mozilla/addons-linter/blob/ba3b667a13bde65250bcb1ebd814c9d57ccfa80d/src/const.js#L203-L210 https://github.com/mozilla/addons-linter/blob/12b64da87e223f042f7f5fd2ab2a6832435243f1/src/parsers/manifestjson.js#L1051
The regexp ends in the negative look-ahead (?!.), with the commented intent "Only match these keywords, anything else is forbidden".
But that only forbids characters after a keyword, not before it: .search tries every start position, so a keyword preceded by arbitrary text still matches. For example 'not-none' would still be permitted because "none" is found at the end of the string.
This could be fixed by prepending the negative look-behind assertion (?<!.) before the group, but I suggest using a fully-anchored regexp instead:
^(self|none|....)$|^sha(256|384|512)-|^nonce-
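To make the bypass concrete, here is an added example (not addons-linter's own code) that contrasts a search-based check of the kind described above with a fully anchored one. The keyword list, the quote stripping and the base64-style payload requirement on hash and nonce sources are assumptions for illustration; the real list and parsing live in src/const.js and src/parsers/manifestjson.js. The anchored pattern goes slightly beyond the one-line suggestion by also requiring a non-empty payload after sha256-/sha384-/sha512- and nonce-.

```javascript
// Added example, not code from addons-linter. KEYWORDS is a stand-in list;
// the real list is in src/const.js of the project.
const KEYWORDS = ['self', 'none', 'unsafe-inline', 'strict-dynamic'];

// Approximation of the flawed pattern: the trailing negative look-ahead
// `(?!.)` forbids characters after a keyword, but nothing forbids characters
// before it, and String.prototype.search scans every start position.
const FLAWED_RE = new RegExp(
  `(${KEYWORDS.join('|')})(?!.)|sha(256|384|512)-|nonce-`
);
function isPermittedFlawed(source) {
  return source.search(FLAWED_RE) !== -1;
}

// Fully anchored alternative along the lines suggested in the report:
// keywords must span the whole string; hash and nonce sources are anchored
// at the start and (an addition here) must carry a base64-like payload.
const ANCHORED_RE = new RegExp(
  `^(?:${KEYWORDS.join('|')})$` +
  `|^sha(?:256|384|512)-[A-Za-z0-9+/=]+$` +
  `|^nonce-[A-Za-z0-9+/=]+$`
);
function isPermittedAnchored(source) {
  return ANCHORED_RE.test(source);
}

// CSP keyword sources are written with single quotes ('self'); stripping
// them here is an assumption about how the linter tokenises the policy.
function normalize(source) {
  return source.replace(/^'(.*)'$/, '$1');
}

// Constructed probe sources: legitimate ones plus prefixed look-alikes.
const PROBES = [
  "'self'",
  "'none'",
  "'not-none'",
  "'xself'",
  "'sha256-abc123'",
  "'xsha256-abc123'",
  "'nonce-r4nd0m'",
  "'unsafe-eval'",
];

// Run both checks over a list of sources and report each verdict.
function compareChecks(sources = PROBES) {
  return sources.map((s) => {
    const v = normalize(s);
    return { source: s, flawed: isPermittedFlawed(v), anchored: isPermittedAnchored(v) };
  });
}

// Sources the search-based check accepts but the anchored check rejects,
// i.e. the prefix bypasses the report is about.
function bypasses(sources = PROBES) {
  return compareChecks(sources)
    .filter((r) => r.flawed && !r.anchored)
    .map((r) => r.source);
}

console.table(compareChecks());
```

Running it shows 'not-none', 'xself' and 'xsha256-abc123' accepted by the search-based check and rejected by the anchored one, while 'unsafe-eval' is rejected by both, so the anchoring closes the prefix hole without loosening the keyword allow-list.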