Enable CSP on more WebUI pages

content/browser/webui/url_data_manager_backend.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/webui/url_data_manager_backend.h"
 
 #include <set>
 
 #include "base/bind.h"
 #include "base/command_line.h"
@@ skipping 35 matching lines @@
 #include "net/url_request/url_request_error_job.h"
 #include "net/url_request/url_request_job.h"
 #include "net/url_request/url_request_job_factory.h"
 #include "url/url_util.h"
 
 namespace content {
 
 namespace {
 
 const char kChromeURLContentSecurityPolicyHeaderBase[] =
-    "Content-Security-Policy: script-src chrome://resources 'self'";
+    "Content-Security-Policy: ";
 
 const char kChromeURLXFrameOptionsHeader[] = "X-Frame-Options: DENY";
 static const char kNetworkErrorKey[] = "netError";
 
 bool SchemeIsInSchemes(const std::string& scheme,
                        const std::vector<std::string>& schemes) {
   return std::find(schemes.begin(), schemes.end(), scheme) != schemes.end();
 }
 
 // Returns whether |url| passes some sanity checks and is a valid GURL.
@@ skipping 79 matching lines @@
 
   void set_add_content_security_policy(bool add_content_security_policy) {
     add_content_security_policy_ = add_content_security_policy;
   }
 
   void set_content_security_policy_object_source(
       const std::string& data) {
     content_security_policy_object_source_ = data;
   }
 
+  void set_content_security_policy_script_source(
+      const std::string& data) {
+    content_security_policy_script_source_ = data;
+  }
+
   void set_content_security_policy_frame_source(
       const std::string& data) {
     content_security_policy_frame_source_ = data;
   }
 
+  void set_content_security_policy_style_source(
+      const std::string& data) {
+    content_security_policy_style_source_ = data;
+  }
+
+  void set_content_security_policy_image_source(
+      const std::string& data) {
+    content_security_policy_image_source_ = data;
+  }
+
   void set_deny_xframe_options(bool deny_xframe_options) {
     deny_xframe_options_ = deny_xframe_options;
   }
 
   void set_send_content_type_header(bool send_content_type_header) {
     send_content_type_header_ = send_content_type_header;
   }
 
   void set_access_control_allow_origin(const std::string& value) {
     access_control_allow_origin_ = value;
@@ skipping 10 matching lines @@
   // Helper for Start(), to let us start asynchronously.
   // (This pattern is shared by most net::URLRequestJob implementations.)
   void StartAsync(bool allowed);
 
   // Called on the UI thread to check if this request is allowed.
   static void CheckStoragePartitionMatches(
       int render_process_id,
       const GURL& url,
       const base::WeakPtr<URLRequestChromeJob>& job);
 
-  // Specific resources require unsafe-eval in the Content Security Policy.
-  bool RequiresUnsafeEval() const;
-
   // Do the actual copy from data_ (the data we're serving) into |buf|.
   // Separate from ReadRawData so we can handle async I/O. Returns the number of
   // bytes read.
   int CompleteRead(net::IOBuffer* buf, int buf_size);
 
   // The actual data we're serving.  NULL until it's been fetched.
   scoped_refptr<base::RefCountedMemory> data_;
   // The current offset into the data that we're handing off to our
   // callers via the Read interfaces.
   int data_offset_;
 
   // For async reads, we keep around a pointer to the buffer that
   // we're reading into.
   scoped_refptr<net::IOBuffer> pending_buf_;
   int pending_buf_size_;
   std::string mime_type_;
 
   // If true, set a header in the response to prevent it from being cached.
   bool allow_caching_;
 
   // If true, set the Content Security Policy (CSP) header.
   bool add_content_security_policy_;
 
   // These are used with the CSP.
+  std::string content_security_policy_script_source_;
   std::string content_security_policy_object_source_;
   std::string content_security_policy_frame_source_;
+  std::string content_security_policy_style_source_;
+  std::string content_security_policy_image_source_;
 
   // If true, sets  the "X-Frame-Options: DENY" header.
   bool deny_xframe_options_;
 
   // If true, sets the "Content-Type: <mime-type>" header.
   bool send_content_type_header_;
 
   // If not empty, "Access-Control-Allow-Origin:" is set to the value of this
   // string.
   std::string access_control_allow_origin_;
@@ skipping 11 matching lines @@
 
 URLRequestChromeJob::URLRequestChromeJob(net::URLRequest* request,
                                          net::NetworkDelegate* network_delegate,
                                          URLDataManagerBackend* backend,
                                          bool is_incognito)
     : net::URLRequestJob(request, network_delegate),
       data_offset_(0),
       pending_buf_size_(0),
       allow_caching_(true),
       add_content_security_policy_(true),
-      content_security_policy_object_source_("object-src 'none';"),
-      content_security_policy_frame_source_("frame-src 'none';"),
       deny_xframe_options_(true),
       send_content_type_header_(false),
       is_incognito_(is_incognito),
       backend_(backend),
       weak_factory_(this) {
   DCHECK(backend);
 }
 
 URLRequestChromeJob::~URLRequestChromeJob() {
   CHECK(!backend_->HasPendingJob(this));
@@ skipping 56 matching lines @@
   // Set the headers so that requests serviced by ChromeURLDataManager return a
   // status code of 200. Without this they return a 0, which makes the status
   // indistiguishable from other error types. Instant relies on getting a 200.
   info->headers = new net::HttpResponseHeaders("HTTP/1.1 200 OK");
 
   // Determine the least-privileged content security policy header, if any,
   // that is compatible with a given WebUI URL, and append it to the existing
   // response headers.
   if (add_content_security_policy_) {
     std::string base = kChromeURLContentSecurityPolicyHeaderBase;
-    base.append(RequiresUnsafeEval() ? " 'unsafe-eval'; " : "; ");
+    base.append(content_security_policy_script_source_);
     base.append(content_security_policy_object_source_);
     base.append(content_security_policy_frame_source_);
+    base.append(content_security_policy_style_source_);
+    base.append(content_security_policy_image_source_);
     info->headers->AddHeader(base);
   }
 
   if (deny_xframe_options_)
     info->headers->AddHeader(kChromeURLXFrameOptionsHeader);
 
   if (!allow_caching_)
     info->headers->AddHeader("Cache-Control: no-cache");
 
   if (send_content_type_header_ && !mime_type_.empty()) {
@@ skipping 89 matching lines @@
 void URLRequestChromeJob::StartAsync(bool allowed) {
   if (!request_)
     return;
 
   if (!allowed || !backend_->StartRequest(request_, this)) {
     NotifyStartError(net::URLRequestStatus(net::URLRequestStatus::FAILED,
                                            net::ERR_INVALID_URL));
   }
 }
 
-// TODO(tsepez,mfoltz): Refine this method when tests have been fixed to not use
-// eval()/new Function().  http://crbug.com/525224
-bool URLRequestChromeJob::RequiresUnsafeEval() const {
-  return true;
-}
-
 namespace {
 
 // Gets mime type for data that is available from |source| by |path|.
 // After that, notifies |job| that mime type is available. This method
 // should be called on the UI thread, but notification is performed on
 // the IO thread.
 void GetMimeTypeOnUI(URLDataSourceImpl* source,
                      const std::string& path,
                      const base::WeakPtr<URLRequestChromeJob>& job) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
@@ skipping 172 matching lines @@
   URLToRequestPath(request->url(), &path);
   source->source()->WillServiceRequest(request, &path);
 
   // Save this request so we know where to send the data.
   RequestID request_id = next_request_id_++;
   pending_requests_.insert(std::make_pair(request_id, job));
 
   job->set_allow_caching(source->source()->AllowCaching());
   job->set_add_content_security_policy(
       source->source()->ShouldAddContentSecurityPolicy());
+  job->set_content_security_policy_script_source(
+      source->source()->GetContentSecurityPolicyScriptSrc());
   job->set_content_security_policy_object_source(
       source->source()->GetContentSecurityPolicyObjectSrc());
   job->set_content_security_policy_frame_source(
       source->source()->GetContentSecurityPolicyFrameSrc());
+  job->set_content_security_policy_style_source(
+      source->source()->GetContentSecurityPolicyStyleSrc());
+  job->set_content_security_policy_image_source(
+      source->source()->GetContentSecurityPolicyImgSrc());
   job->set_deny_xframe_options(
       source->source()->ShouldDenyXFrameOptions());
   job->set_send_content_type_header(
       source->source()->ShouldServeMimeTypeAsContentTypeHeader());
 
   std::string origin = GetOriginHeaderValue(request);
   if (!origin.empty()) {
     std::string header =
         source->source()->GetAccessControlAllowOriginForOrigin(origin);
     DCHECK(header.empty() || header == origin || header == "*" ||
@@ skipping 150 matching lines @@
 
 }  // namespace
 
 net::URLRequestJobFactory::ProtocolHandler*
 CreateDevToolsProtocolHandler(content::ResourceContext* resource_context,
                               bool is_incognito) {
   return new DevToolsJobFactory(resource_context, is_incognito);
 }
 
 }  // namespace content