Add content-security-policy directive to chrome://hung-renderer. WebUI pages should specify CSP ...

Add content-security-policy directive to chrome://hung-renderer.  WebUI pages should specify CSP as a second line of defense against XSS vulnerabilities.
Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=103727

[Tom Sepez, 2011-09-30 21:11:39]

Found another one that crept its way in ...

[abarth-chromium, 2011-10-01 01:03:02]

LGTM.

Can we switch this to a whitelist of pages that don't have the policy?
 For example, instead of using the meta tag, we can include it as an
"http" header with all "chrome" URL request handlers.

Adam


On Fri, Sep 30, 2011 at 2:11 PM,  <tsepez@chromium.org> wrote:
> Reviewers: abarth, Evan Stade,
>
> Message:
> Found another one that crept its way in ...
>
> Description:
> Add content-security-policy directive to chrome://hung-renderer.  WebUI
> pages
> should specify CSP as a second line of defense against XSS vulnerabilities.
>
> Please review this at http://codereview.chromium.org/8103008/
>
> SVN Base: svn://svn.chromium.org/chrome/trunk/src/
>
> Affected files:
>  M     chrome/browser/browser_resources.grd
>  M     chrome/browser/resources/hung_renderer_dialog.html
>
>
> Index: chrome/browser/browser_resources.grd
> ===================================================================
> --- chrome/browser/browser_resources.grd        (revision 103541)
> +++ chrome/browser/browser_resources.grd        (working copy)
> @@ -42,7 +42,7 @@
>       <include name="IDR_CREDITS_JS" file="resources\about_credits.js"
> type="BINDATA" />
>       <include name="IDR_DOWNLOADS_JS" file="resources\downloads.js"
> type="BINDATA" />
>       <include name="IDR_DOWNLOADS_HTML" file="resources\downloads.html"
> flattenhtml="true" allowexternalscript="true" type="BINDATA" />
> -      <include name="IDR_HUNG_RENDERER_DIALOG_HTML"
> file="resources\hung_renderer_dialog.html" type="BINDATA" />
> +      <include name="IDR_HUNG_RENDERER_DIALOG_HTML"
> file="resources\hung_renderer_dialog.html" flattenhtml="true"
> allowexternalscript="true" type="BINDATA" />
>       <include name="IDR_HUNG_RENDERER_DIALOG_JS"
> file="resources\hung_renderer_dialog.js" type="BINDATA" />
>       <include name="IDR_HUNG_RENDERER_DIALOG_CSS"
> file="resources\hung_renderer_dialog.css" type="BINDATA" />
>       <include name="IDR_TASK_MANAGER_HTML"
> file="resources\task_manager\main.html" flattenhtml="true"
> allowexternalscript="true" type="BINDATA" />
> Index: chrome/browser/resources/hung_renderer_dialog.html
> ===================================================================
> --- chrome/browser/resources/hung_renderer_dialog.html  (revision 103537)
> +++ chrome/browser/resources/hung_renderer_dialog.html  (working copy)
> @@ -3,6 +3,7 @@
>   <head>
>     <meta charset="utf-8">
>     <title i18n-content="title"></title>
> +    <include src="content_security_policy.html"/>
>     <link rel="stylesheet" href="hung_renderer_dialog.css">
>     <link rel="stylesheet" href="chrome://resources/css/button.css">
>     <link rel="stylesheet" href="chrome://resources/css/chrome_shared.css">
>
>
>

[Tom Sepez, 2011-10-03 16:45:36]

I'll file a bug for moving to the "real" header.  Tx.