Created: 4 years, 7 months ago by wychen
Modified: 4 years, 6 months ago
CC: chromium-reviews, dbeam+watch-ntp_chromium.org, caseq+blink_chromium.org, jam, lushnikov+blink_chromium.org, pfeldman+blink_chromium.org, darin-cc_chromium.org, devtools-reviews_chromium.org, blink-reviews, apavlov+blink_chromium.org, sergeyv+blink_chromium.org, kozyatinskiy+blink_chromium.org, pedrosimonetti+watch_chromium.org
Base URL: https://chromium.googlesource.com/a/chromium/src.git@master
Target Ref: refs/pending/heads/master
Project: chromium
Visibility: Public.

Description

Enable CSP on more WebUI pages

Overriding ShouldAddContentSecurityPolicy() to disable CSP is considered
a bug. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc()
to have relaxed rule is better.
BUG=81636
Committed: https://crrev.com/f59e6634e5e0ac4475b06fa02bbca7b8935d858c
Cr-Commit-Position: refs/heads/master@{#397816}

Patch Set 1
Patch Set 2 : fix new tab
Total comments: 6
Patch Set 3 : address comments
Total comments: 10
Patch Set 4 : revert devtools, fix comments, split methods
Total comments: 9
Patch Set 5 : fix oopsies
Total comments: 8
Patch Set 6 : fix typo in comments
Total comments: 8
Patch Set 7 : address comments
Patch Set 8 : indentation

Messages
Total messages: 53 (23 generated)
The CQ bit was checked by wychen@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2003963004/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2003963004/1
The CQ bit was checked by wychen@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2003963004/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2003963004/20001
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
Description was changed from ========== Enable CSP on more WebUI pages BUG= ========== to ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is bad. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is less bad. BUG= ==========
wychen@chromium.org changed reviewers: + avi@chromium.org
avi@, could you take a look at URL data source? Thanks!
wychen@chromium.org changed reviewers: + treib@chromium.org
wychen@chromium.org changed reviewers: + dbeam@chromium.org - treib@chromium.org
pfeldman@chromium.org changed reviewers: + pfeldman@chromium.org

https://codereview.chromium.org/2003963004/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/devtools/front_end/inspector.html (left):
https://codereview.chromium.org/2003963004/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/devtools/front_end/inspector.html:10: <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-eval' https://chrome-devtools-frontend.appspot.com">
This page operates as a web page as well, so it should retain its CSP header.

Description was changed from ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is bad. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is less bad. BUG= ========== to ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is bad. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG= ==========
Why is this happening? Is there a bug for it?

Yep, you need a bug here. This looks reasonable, but I'm not a CSP person.
https://codereview.chromium.org/2003963004/diff/20001/content/public/browser/...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/20001/content/public/browser/...
content/public/browser/url_data_source.h:98: // It is OK to override the following two methods to a custom CSP directive
three methods?
https://codereview.chromium.org/2003963004/diff/20001/content/public/browser/...
content/public/browser/url_data_source.h:101: // By default, "scrip-src chrome://resources 'self' 'unsafe-eval';" is added
scrip -> script ?

Description was changed from ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is bad. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG= ========== to ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is considered a bug. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG=81636 ==========
wychen@chromium.org changed reviewers: + tsepez@chromium.org

tsepez@, could you take a look? Thanks!
https://codereview.chromium.org/2003963004/diff/20001/content/public/browser/...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/20001/content/public/browser/...
content/public/browser/url_data_source.h:98: // It is OK to override the following two methods to a custom CSP directive
On 2016/05/24 23:15:07, Avi wrote:
> three methods?
Reordered.
https://codereview.chromium.org/2003963004/diff/20001/content/public/browser/...
content/public/browser/url_data_source.h:101: // By default, "scrip-src chrome://resources 'self' 'unsafe-eval';" is added
On 2016/05/24 23:15:07, Avi wrote:
> scrip -> script ?
*shame cube* Thanks!
https://codereview.chromium.org/2003963004/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/devtools/front_end/inspector.html (left):
https://codereview.chromium.org/2003963004/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/devtools/front_end/inspector.html:10: <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-eval' https://chrome-devtools-frontend.appspot.com">
On 2016/05/24 23:09:31, pfeldman wrote:
> This page operates as a web page as well, so it should retain its CSP header.
I see. I'll revert this file.


https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
File chrome/browser/ui/webui/devtools_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
chrome/browser/ui/webui/devtools_ui.cc:180: std::string DevToolsDataSource::GetContentSecurityPolicyScriptSrc() const {
Changes to this file are no longer needed.


https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
File chrome/browser/ui/webui/app_launcher_page_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
chrome/browser/ui/webui/app_launcher_page_ui.cc:136: // Add 'unsafe-inline' to script-src.
Note that unsafe-inline is not really any better than no CSP, but ok.
https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
chrome/browser/ui/webui/app_launcher_page_ui.cc:144: "style-src 'self' chrome://resources chrome://theme 'unsafe-inline';"
Seems wrong to mash these together. Can we introduce separate overridable methods for each while we're making this change?
https://codereview.chromium.org/2003963004/diff/40001/content/public/browser/...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/40001/content/public/browser/...
content/public/browser/url_data_source.h:94: // is delivered through the data manager backend. Talk to tsepez for more
change: /Talk to tsepez for more info./Do not disable CSP on your page without first contacting the chrome security team./
https://codereview.chromium.org/2003963004/diff/40001/content/public/browser/...
content/public/browser/url_data_source.h:97: // If you have to allow more permissions, enabling CSP with relaxed script-src
I'd like to wordsmith this comment.
// For pre-exsiting code, enabling CSP with relaxed script-src attributes
// may be marginally better than disabling CSP outright.
// Do not override this method without first contacting the chrome
// security team.
// By default ...

Patchset #4 (id:60001) has been deleted
Patchset #4 (id:80001) has been deleted

https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
File chrome/browser/ui/webui/app_launcher_page_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
chrome/browser/ui/webui/app_launcher_page_ui.cc:136: // Add 'unsafe-inline' to script-src.
On 2016/05/25 19:20:56, Tom Sepez wrote:
> Note that unsafe-inline is not really any better than no CSP, but ok.
Acknowledged.
https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
chrome/browser/ui/webui/app_launcher_page_ui.cc:144: "style-src 'self' chrome://resources chrome://theme 'unsafe-inline';"
On 2016/05/25 19:20:56, Tom Sepez wrote:
> Seems wrong to mash these together. Can we introduce separate overridable
> methods for each while we're making this change?
Done.
https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
File chrome/browser/ui/webui/devtools_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/40001/chrome/browser/ui/webui...
chrome/browser/ui/webui/devtools_ui.cc:180: std::string DevToolsDataSource::GetContentSecurityPolicyScriptSrc() const {
On 2016/05/25 14:18:38, pfeldman wrote:
> Changes to this file are no longer needed.
The rules here are stricter than the ones specified in <meta>. I guess it should be in another CL then. Reverted this file as well.
https://codereview.chromium.org/2003963004/diff/40001/content/public/browser/...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/40001/content/public/browser/...
content/public/browser/url_data_source.h:94: // is delivered through the data manager backend. Talk to tsepez for more
On 2016/05/25 19:20:56, Tom Sepez wrote:
> change: /Talk to tsepez for more info./Do not disable CSP on your page without
> first contacting the chrome security team./
Done.
https://codereview.chromium.org/2003963004/diff/40001/content/public/browser/...
content/public/browser/url_data_source.h:97: // If you have to allow more permissions, enabling CSP with relaxed script-src
On 2016/05/25 19:20:56, Tom Sepez wrote:
> I'd like to wordsmith this comment.
>
> // For pre-exsiting code, enabling CSP with relaxed script-src attributes
> // may be marginally better than disabling CSP outright.
> // Do not override this method without first contacting the chrome
> // security team.
> // By default ...
Done.

Description was changed from ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is considered a bug. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG=81636 ========== to ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is considered a bug. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG=81636 ==========
wychen@chromium.org changed reviewers: + mdjones@chromium.org

Good. Getting closer
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/interstitials/interstitial_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
chrome/browser/ui/webui/interstitials/interstitial_ui.cc:320: "style-src 'self' 'unsafe-inline';"
Here we're still mixing object, style, and img.
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:242: "style-src 'self' chrome://resources 'unsafe-inline' chrome://theme;"
same here.
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/system_info_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
chrome/browser/ui/webui/system_info_ui.cc:70: return "object-src 'none'; style-src 'self' chrome://resources "
and here
https://codereview.chromium.org/2003963004/diff/100001/content/public/browser...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/100001/content/public/browser...
content/public/browser/url_data_source.h:105: // It is OK to override the following two methods to a custom CSP directive
nit: four methods.


Even closer.
https://codereview.chromium.org/2003963004/diff/120001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/120001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:244: const {
Looks like we lost the child-src directive here. At the risk of bloating this further, we probably need another method.
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
content/public/browser/url_data_source.h:112: // By default empty. Override to change this.
Actually, this one should be in the previous section with the dangerous ones. Sorry if I missed this earlier.


https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/interstitials/interstitial_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
chrome/browser/ui/webui/interstitials/interstitial_ui.cc:320: "style-src 'self' 'unsafe-inline';"
On 2016/05/25 23:07:03, Tom Sepez wrote:
> Here we're still mixing object, style, and img.
Oops. Fixed.
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:242: "style-src 'self' chrome://resources 'unsafe-inline' chrome://theme;"
On 2016/05/25 23:07:03, Tom Sepez wrote:
> same here.
For consistency, I changed back to frame-src. In Chromium source, only frame-src is used, but it's deprecated. Should we switch to child-src?
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/system_info_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/100001/chrome/browser/ui/webu...
chrome/browser/ui/webui/system_info_ui.cc:70: return "object-src 'none'; style-src 'self' chrome://resources "
On 2016/05/25 23:07:03, Tom Sepez wrote:
> and here
Done.
https://codereview.chromium.org/2003963004/diff/100001/content/public/browser...
File content/public/browser/url_data_source.cc (right):
https://codereview.chromium.org/2003963004/diff/100001/content/public/browser...
content/public/browser/url_data_source.cc:52: return "";
Is this a good default? Do we want to avoid 'unsafe-inline', or is it considered OK?
https://codereview.chromium.org/2003963004/diff/100001/content/public/browser...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/100001/content/public/browser...
content/public/browser/url_data_source.h:105: // It is OK to override the following two methods to a custom CSP directive
On 2016/05/25 23:07:03, Tom Sepez wrote:
> nit: four methods.
Done.


https://codereview.chromium.org/2003963004/diff/120001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/120001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:244: const {
On 2016/05/26 16:00:03, Tom Sepez wrote:
> Looks like we lost the child-src directive here. At the risk of bloating this
> further, we probably need another method.
child-src and frame-src should be equivalent here. I'm using the deprecated one for consistency.
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
content/public/browser/url_data_source.h:112: // By default empty. Override to change this.
On 2016/05/26 16:00:03, Tom Sepez wrote:
> Actually, this one should be in the previous section with the dangerous ones.
> Sorry if I missed this earlier.
style-src is not specified by default, so overriding this would only make it more secure. Am I mistaken?


Thanks for taking this to completion.
https://codereview.chromium.org/2003963004/diff/120001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/120001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:244: const {
On 2016/05/26 18:00:42, wychen wrote:
> On 2016/05/26 16:00:03, Tom Sepez wrote:
> > Looks like we lost the child-src directive here. At the risk of bloating this
> > further, we probably need another method.
>
> child-src and frame-src should be equivalent here. I'm using the deprecated one
> for consistency.
Acknowledged.
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
content/public/browser/url_data_source.h:112: // By default empty. Override to change this.
On 2016/05/26 18:00:42, wychen wrote:
> On 2016/05/26 16:00:03, Tom Sepez wrote:
> > Actually, this one should be in the previous section with the dangerous ones.
> > Sorry if I missed this earlier.
>
> style-src is not specified by default, so overriding this would only make it
> more secure. Am I mistaken?
No, that's just me being dense.

lgtm

lgtm with typo fixed.
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
content/public/browser/url_data_source.h:97: // For pre-exsiting code, enabling CSP with relaxed script-src attributes
"pre-existing"


https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
File content/public/browser/url_data_source.h (right):
https://codereview.chromium.org/2003963004/diff/120001/content/public/browser...
content/public/browser/url_data_source.h:97: // For pre-exsiting code, enabling CSP with relaxed script-src attributes
On 2016/05/26 20:20:55, Avi wrote:
> "pre-existing"
Oops. Thanks!

Ping dbeam@ and mdjones@. PTAL. Thanks!
lgtm
wychen@chromium.org changed reviewers: - dbeam@chromium.org
wychen@chromium.org changed reviewers: + dbeam@chromium.org

lgtm
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/app_launcher_page_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
chrome/browser/ui/webui/app_launcher_page_ui.cc:136: // Add 'unsafe-inline' to script-src.
can you annotate who should do this?
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:235: "*.google.com *.gstatic.com;";
why is this wrapped here?
https://codereview.chromium.org/2003963004/diff/140001/content/public/browser...
File content/public/browser/url_data_source.cc (right):
https://codereview.chromium.org/2003963004/diff/140001/content/public/browser...
content/public/browser/url_data_source.cc:52: return "";
nit: std::string() maybe?


https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/app_launcher_page_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
chrome/browser/ui/webui/app_launcher_page_ui.cc:136: // Add 'unsafe-inline' to script-src.
On 2016/05/31 21:46:09, Dan Beam wrote:
> can you annotate who should do this?
I meant to say 'unsafe-inline' is added to script-src, compared with the default string. I guess it's too ambiguous. Done.
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:235: "*.google.com *.gstatic.com;";
On 2016/05/31 21:46:09, Dan Beam wrote:
> why is this wrapped here?
Otherwise it couldn't fit in 80 chars. The whole string is still one line.
https://codereview.chromium.org/2003963004/diff/140001/content/public/browser...
File content/public/browser/url_data_source.cc (right):
https://codereview.chromium.org/2003963004/diff/140001/content/public/browser...
content/public/browser/url_data_source.cc:52: return "";
On 2016/05/31 21:46:09, Dan Beam wrote:
> nit: std::string() maybe?
Done.


https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:235: "*.google.com *.gstatic.com;";
On 2016/05/31 23:04:34, wychen wrote:
> On 2016/05/31 21:46:09, Dan Beam wrote:
> > why is this wrapped here?
>
> Otherwise it couldn't fit in 80 chars. The whole string is still one line.
I meant: the indent should be 4 \s for a continuation, right?


https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
File chrome/browser/ui/webui/ntp/new_tab_ui.cc (right):
https://codereview.chromium.org/2003963004/diff/140001/chrome/browser/ui/webu...
chrome/browser/ui/webui/ntp/new_tab_ui.cc:235: "*.google.com *.gstatic.com;";
On 2016/05/31 23:13:14, Dan Beam wrote:
> On 2016/05/31 23:04:34, wychen wrote:
> > On 2016/05/31 21:46:09, Dan Beam wrote:
> > > why is this wrapped here?
> >
> > Otherwise it couldn't fit in 80 chars. The whole string is still one line.
>
> i meant: the indent should be 4 \s for a continuation, right?
Oh. I see what you meant. I aligned the 2nd line with the first source. Fixed.

The CQ bit was checked by wychen@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2003963004/180001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2003963004/180001
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by wychen@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from tsepez@chromium.org, avi@chromium.org, mdjones@chromium.org, dbeam@chromium.org Link to the patchset: https://codereview.chromium.org/2003963004/#ps180001 (title: "indentation")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2003963004/180001
Message was sent while issue was closed.
Description was changed from ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is considered a bug. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG=81636 ========== to ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is considered a bug. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG=81636 ==========
Message was sent while issue was closed.
Committed patchset #8 (id:180001)
Message was sent while issue was closed.
Description was changed from ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is considered a bug. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG=81636 ========== to ========== Enable CSP on more WebUI pages Overriding ShouldAddContentSecurityPolicy() to disable CSP is considered a bug. Enabling CSP while overriding GetContentSecurityPolicyScriptSrc() to have relaxed rule is better. BUG=81636 Committed: https://crrev.com/f59e6634e5e0ac4475b06fa02bbca7b8935d858c Cr-Commit-Position: refs/heads/master@{#397816} ==========
Message was sent while issue was closed.
Patchset 8 (id:??) landed as https://crrev.com/f59e6634e5e0ac4475b06fa02bbca7b8935d858c Cr-Commit-Position: refs/heads/master@{#397816}
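
The trade-off argued in this review (turning CSP off versus overriding a single directive getter, and why an unset style-src restricts nothing), as an added example that is not part of the CL or of Chromium's code. `DataSourceModel`, the page structs, `ParseCsp` and `KeywordAllowed` are hypothetical names, the object-src default is an assumption, and keywords are matched by exact token only.

```cpp
#include <algorithm>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Simplified model, NOT Chromium's URLDataSource: one overridable getter per
// directive, so a page can relax one directive and keep the other defaults.
struct DataSourceModel {
  virtual ~DataSourceModel() = default;
  virtual bool ShouldAddContentSecurityPolicy() const { return true; }
  virtual std::string ScriptSrc() const {  // default quoted in the thread
    return "script-src chrome://resources 'self' 'unsafe-eval';";
  }
  virtual std::string ObjectSrc() const { return "object-src 'none';"; }  // assumed
  virtual std::string StyleSrc() const { return std::string(); }  // not sent
  std::string BuildHeader() const {
    if (!ShouldAddContentSecurityPolicy()) return std::string();
    return ScriptSrc() + ObjectSrc() + StyleSrc();
  }
};

// Hypothetical pages: CSP off, script-src relaxed, style-src added.
struct DisabledPage : DataSourceModel {
  bool ShouldAddContentSecurityPolicy() const override { return false; }
};
struct RelaxedPage : DataSourceModel {
  std::string ScriptSrc() const override {
    return "script-src chrome://resources 'self' 'unsafe-eval' 'unsafe-inline';";
  }
};
struct StrictStylePage : DataSourceModel {
  std::string StyleSrc() const override { return "style-src 'self';"; }
};

using Policy = std::map<std::string, std::vector<std::string>>;
// Splits "name src src; name src;" into directive -> source list.
Policy ParseCsp(const std::string& header) {
  Policy policy;
  std::istringstream directives(header);
  std::string directive;
  while (std::getline(directives, directive, ';')) {
    std::istringstream tokens(directive);
    std::string name, source;
    if (!(tokens >> name) || policy.count(name)) continue;  // first one wins
    std::vector<std::string>& sources = policy[name];
    while (tokens >> source) sources.push_back(source);
  }
  return policy;
}

// True if `keyword` (e.g. 'unsafe-inline') is permitted for `directive`.
// An absent directive with no default-src fallback restricts nothing.
bool KeywordAllowed(const std::string& header, const std::string& directive,
                    const std::string& keyword) {
  const Policy policy = ParseCsp(header);
  auto it = policy.find(directive);
  if (it == policy.end()) it = policy.find("default-src");
  if (it == policy.end()) return true;
  return std::find(it->second.begin(), it->second.end(), keyword) !=
         it->second.end();
}

int main() {
  DataSourceModel def;
  DisabledPage off; RelaxedPage relaxed; StrictStylePage strict;
  const DataSourceModel* pages[] = {&def, &off, &relaxed, &strict};
  for (const DataSourceModel* page : pages) {
    const std::string h = page->BuildHeader();
    std::cout << '[' << h << "] inline script allowed: "
              << KeywordAllowed(h, "script-src", "'unsafe-inline'") << '\n';
  }
}
```

The relaxed page permits inline script exactly as the CSP-less page does, yet keeps `object-src 'none'`, which is the "marginally better" case from the thread; adding any style-src at all only narrows what the default allowed.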