Enable CSP on more WebUI pages

content/public/browser/url_data_source.h

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
 #define CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
 
 #include <string>
 
 #include "base/callback.h"
@@ skipping 68 matching lines @@
   // with the same name that has already been registered. The default is true.
   //
   // WARNING: this is invoked on the IO thread.
   //
   // TODO: nuke this and convert all callers to not replace.
   virtual bool ShouldReplaceExistingSource() const;
 
   // Returns true if responses from this URLDataSource can be cached.
   virtual bool AllowCaching() const;
 
-  // If you are overriding this, then you have a bug.
+  // If you are overriding the following two methods, then you have a bug.
   // It is not acceptable to disable content-security-policy on chrome:// pages
   // to permit functionality excluded by CSP, such as inline script.
   // Instead, you must go back and change your WebUI page so that it is
   // compliant with the policy. This typically involves ensuring that all script
-  // is delivered through the data manager backend. Talk to tsepez for more
-  // info.
+  // is delivered through the data manager backend. Do not disable CSP on your
+  // page without first contacting the chrome security team.
   virtual bool ShouldAddContentSecurityPolicy() const;
+  // For pre-exsiting code, enabling CSP with relaxed script-src attributes
+  // may be marginally better than disabling CSP outright.
+  // Do not override this method without first contacting the chrome security
+  // team.
+  // By default, "script-src chrome://resources 'self' 'unsafe-eval';" is added
+  // to CSP. Override to change this.
+  virtual std::string GetContentSecurityPolicyScriptSrc() const;
 
   // It is OK to override the following two methods to a custom CSP directive

[Tom Sepez, 2016/05/25 23:07:03]

nit: four methods.

[wychen, 2016/05/26 17:54:24]

Done.

   // thereby slightly reducing the protection applied to the page.
 
   // By default, "object-src 'none';" is added to CSP. Override to change this.
   virtual std::string GetContentSecurityPolicyObjectSrc() const;
   // By default, "frame-src 'none';" is added to CSP. Override to change this.
   virtual std::string GetContentSecurityPolicyFrameSrc() const;
+  // By default empty. Override to change this.
+  virtual std::string GetContentSecurityPolicyStyleSrc() const;
+  // By default empty. Override to change this.
+  virtual std::string GetContentSecurityPolicyImgSrc() const;
 
   // By default, the "X-Frame-Options: DENY" header is sent. To stop this from
   // happening, return false. It is OK to return false as needed.
   virtual bool ShouldDenyXFrameOptions() const;
 
   // By default, only chrome: and chrome-devtools: requests are allowed.
   // Override in specific WebUI data sources to enable for additional schemes or
   // to implement fancier access control.  Typically used in concert with
   // ContentBrowserClient::GetAdditionalWebUISchemes() to permit additional
   // WebUI scheme support for an embedder.
@@ skipping 19 matching lines @@
   // Gives the source an opportunity to rewrite |path| to incorporate extra
   // information from the URLRequest prior to serving.
   virtual void WillServiceRequest(
       const net::URLRequest* request,
       std::string* path) const {}
 };
 
 }  // namespace content
 
 #endif  // CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_