Replace <meta> tag with header for content-security-policy on chrome:// pages.

chrome/browser/ui/webui/chrome_url_data_manager_backend.cc

Index: chrome/browser/ui/webui/chrome_url_data_manager_backend.cc
===================================================================
--- chrome/browser/ui/webui/chrome_url_data_manager_backend.cc	(revision 103935)
+++ chrome/browser/ui/webui/chrome_url_data_manager_backend.cc	(working copy)
@@ -4,10 +4,13 @@
 
 #include "chrome/browser/ui/webui/chrome_url_data_manager_backend.h"
 
+#include <set>
+
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/file_util.h"
+#include "base/lazy_instance.h"
 #include "base/memory/ref_counted_memory.h"
 #include "base/message_loop.h"
 #include "base/path_service.h"
@@ -34,6 +37,57 @@
 
 namespace {
 
+// X-WebKit-CSP is our development name for Content-Security-Policy.
+// TODO(tsepez) rename when Content-security-policy is done.
+// TODO(tsepez) remove unsafe-eval when bidichecker_packaged.js fixed.
+// TODO(tsepez) chrome-extension: permits the ChromeVox screen reader
+//     extension to function on these pages.  Remove it when the extension
+//     is updated to stop injecting script into the pages.
+const char kChromeURLContentSecurityPolicyHeader[] =
+    "X-WebKit-CSP: object-src 'self'; script-src chrome://resources "
+    "chrome-extension://mndnfokpggljbaajbnioimlmbfngpief "
+    "'self' 'unsafe-eval'";
+
+class ChromeURLContentSecurityPolicyExceptionSet
+    : public std::set<std::string> {
+ public:
+  ChromeURLContentSecurityPolicyExceptionSet() : std::set<std::string>() {
+    insert(chrome::kChromeUICloudPrintResourcesHost);
+    insert(chrome::kChromeUICloudPrintSetupHost);
+    insert(chrome::kChromeUICreditsHost);
+    insert(chrome::kChromeUIDevToolsHost);
+    insert(chrome::kChromeUIDialogHost);
+    insert(chrome::kChromeUINewTabHost);
+    insert(chrome::kChromeUITextfieldsHost);
+#if defined(OS_CHROMEOS)
+    insert(chrome::kChromeUIActiveDownloadsHost);
+    insert(chrome::kChromeUIChooseMobileNetworkHost);
+    insert(chrome::kChromeUIEnterpriseEnrollmentHost);
+    insert(chrome::kChromeUIImageBurnerHost);
+    insert(chrome::kChromeUIKeyboardOverlayHost);
+    insert(chrome::kChromeUIOobeHost);
+    insert(chrome::kChromeUIMobileSetupHost);
+    insert(chrome::kChromeUIProxySettingsHost);
+    insert(chrome::kChromeUIRegisterPageHost);
+    insert(chrome::kChromeUISimUnlockHost);
+    insert(chrome::kChromeUISystemInfoHost);
+#else
+    insert(chrome::kChromeUISyncPromoHost);
+#endif
+#if defined(TOUCH_UI)
+    insert(chrome::kChromeUIKeyboardHost);
+#endif
+#if defined(OS_CHROMEOS) || defined(TOUCH_UI)
+    insert(chrome::kChromeUICollectedCookiesHost);
+    insert(chrome::kChromeUIHttpAuthHost);
+    insert(chrome::kChromeUIRepostFormWarningHost);
+#endif
+  }
+};
+
+base::LazyInstance<ChromeURLContentSecurityPolicyExceptionSet>
+    g_chrome_url_content_security_policy_exceptions(base::LINKER_INITIALIZED);
+
 // Parse a URL into the components used to resolve its request. |source_name|
 // is the hostname and |path| is the remaining portion of the URL.
 void URLToRequest(const GURL& url, std::string* source_name,
@@ -155,6 +209,10 @@
   // status code of 200. Without this they return a 0, which makes the status
   // indistiguishable from other error types. Instant relies on getting a 200.
   info->headers = new net::HttpResponseHeaders("HTTP/1.1 200 OK");
+  ChromeURLContentSecurityPolicyExceptionSet* exceptions =
+      g_chrome_url_content_security_policy_exceptions.Pointer();
+  if (exceptions->find(request_->url().host()) == exceptions->end())
+    info->headers->AddHeader(kChromeURLContentSecurityPolicyHeader);
 }
 
 void URLRequestChromeJob::DataAvailable(RefCountedMemory* bytes) {