Chromium Code Reviews Chromium Code Reviews
Issue 2003963004:
Enable CSP on more WebUI pages (Closed)
Base URL: https://chromium.googlesource.com/a/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ui/webui/interstitials/interstitial_ui.h" | 5 #include "chrome/browser/ui/webui/interstitials/interstitial_ui.h" |
| 6 | 6 |
| 7 #include "base/macros.h" | 7 #include "base/macros.h" |
| 8 #include "base/strings/string_number_conversions.h" | 8 #include "base/strings/string_number_conversions.h" |
| 9 #include "base/strings/string_util.h" | 9 #include "base/strings/string_util.h" |
| 10 #include "chrome/browser/browser_process.h" | 10 #include "chrome/browser/browser_process.h" |
| (...skipping 28 matching lines...) Expand all Loading... | |
| 39 // Implementation of chrome://interstitials demonstration pages. This code is | 39 // Implementation of chrome://interstitials demonstration pages. This code is |
| 40 // not used in displaying any real interstitials. | 40 // not used in displaying any real interstitials. |
| 41 class InterstitialHTMLSource : public content::URLDataSource { | 41 class InterstitialHTMLSource : public content::URLDataSource { |
| 42 public: | 42 public: |
| 43 explicit InterstitialHTMLSource(content::WebContents* web_contents); | 43 explicit InterstitialHTMLSource(content::WebContents* web_contents); |
| 44 ~InterstitialHTMLSource() override; | 44 ~InterstitialHTMLSource() override; |
| 45 | 45 |
| 46 // content::URLDataSource: | 46 // content::URLDataSource: |
| 47 std::string GetMimeType(const std::string& mime_type) const override; | 47 std::string GetMimeType(const std::string& mime_type) const override; |
| 48 std::string GetSource() const override; | 48 std::string GetSource() const override; |
| 49 bool ShouldAddContentSecurityPolicy() const override; | 49 std::string GetContentSecurityPolicyScriptSrc() const override; |
| 50 std::string GetContentSecurityPolicyObjectSrc() const override; | |
| 50 void StartDataRequest( | 51 void StartDataRequest( |
| 51 const std::string& path, | 52 const std::string& path, |
| 52 int render_process_id, | 53 int render_process_id, |
| 53 int render_frame_id, | 54 int render_frame_id, |
| 54 const content::URLDataSource::GotDataCallback& callback) override; | 55 const content::URLDataSource::GotDataCallback& callback) override; |
| 55 | 56 |
| 56 private: | 57 private: |
| 57 content::WebContents* web_contents_; | 58 content::WebContents* web_contents_; |
| 58 DISALLOW_COPY_AND_ASSIGN(InterstitialHTMLSource); | 59 DISALLOW_COPY_AND_ASSIGN(InterstitialHTMLSource); |
| 59 }; | 60 }; |
| (...skipping 241 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 301 | 302 |
| 302 std::string InterstitialHTMLSource::GetMimeType( | 303 std::string InterstitialHTMLSource::GetMimeType( |
| 303 const std::string& mime_type) const { | 304 const std::string& mime_type) const { |
| 304 return "text/html"; | 305 return "text/html"; |
| 305 } | 306 } |
| 306 | 307 |
| 307 std::string InterstitialHTMLSource::GetSource() const { | 308 std::string InterstitialHTMLSource::GetSource() const { |
| 308 return chrome::kChromeUIInterstitialHost; | 309 return chrome::kChromeUIInterstitialHost; |
| 309 } | 310 } |
| 310 | 311 |
| 311 bool InterstitialHTMLSource::ShouldAddContentSecurityPolicy() | 312 std::string InterstitialHTMLSource::GetContentSecurityPolicyScriptSrc() const { |
| 312 const { | 313 // Add 'unsafe-inline' to script-src. |
| 313 return false; | 314 return "script-src chrome://resources 'self' 'unsafe-eval' 'unsafe-inline';"; |
| 315 } | |
| 316 | |
| 317 std::string InterstitialHTMLSource::GetContentSecurityPolicyObjectSrc() const { | |
| 318 // Add style-src and img-src. | |
| 319 return "object-src 'none';" | |
| 320 "style-src 'self' 'unsafe-inline';" | |
|
Tom Sepez
2016/05/25 23:07:03
Here we're still mixing object, style, and img.
wychen
2016/05/26 17:54:23
Oops. Fixed.
| |
| 321 "img-src data:;"; | |
| 314 } | 322 } |
| 315 | 323 |
| 316 void InterstitialHTMLSource::StartDataRequest( | 324 void InterstitialHTMLSource::StartDataRequest( |
| 317 const std::string& path, | 325 const std::string& path, |
| 318 int render_process_id, | 326 int render_process_id, |
| 319 int render_frame_id, | 327 int render_frame_id, |
| 320 const content::URLDataSource::GotDataCallback& callback) { | 328 const content::URLDataSource::GotDataCallback& callback) { |
| 321 std::unique_ptr<content::InterstitialPageDelegate> interstitial_delegate; | 329 std::unique_ptr<content::InterstitialPageDelegate> interstitial_delegate; |
| 322 if (base::StartsWith(path, "ssl", base::CompareCase::SENSITIVE)) { | 330 if (base::StartsWith(path, "ssl", base::CompareCase::SENSITIVE)) { |
| 323 interstitial_delegate.reset(CreateSSLBlockingPage(web_contents_)); | 331 interstitial_delegate.reset(CreateSSLBlockingPage(web_contents_)); |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 339 html = interstitial_delegate.get()->GetHTMLContents(); | 347 html = interstitial_delegate.get()->GetHTMLContents(); |
| 340 } else { | 348 } else { |
| 341 html = ResourceBundle::GetSharedInstance() | 349 html = ResourceBundle::GetSharedInstance() |
| 342 .GetRawDataResource(IDR_SECURITY_INTERSTITIAL_UI_HTML) | 350 .GetRawDataResource(IDR_SECURITY_INTERSTITIAL_UI_HTML) |
| 343 .as_string(); | 351 .as_string(); |
| 344 } | 352 } |
| 345 scoped_refptr<base::RefCountedString> html_bytes = new base::RefCountedString; | 353 scoped_refptr<base::RefCountedString> html_bytes = new base::RefCountedString; |
| 346 html_bytes->data().assign(html.begin(), html.end()); | 354 html_bytes->data().assign(html.begin(), html.end()); |
| 347 callback.Run(html_bytes.get()); | 355 callback.Run(html_bytes.get()); |
| 348 } | 356 } |
| OLD | NEW |
