| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/public/browser/url_data_source.h" | 5 #include "content/public/browser/url_data_source.h" |
| 6 | 6 |
| 7 #include "content/browser/webui/url_data_manager.h" | 7 #include "content/browser/webui/url_data_manager.h" |
| 8 #include "content/public/browser/browser_thread.h" | 8 #include "content/public/browser/browser_thread.h" |
| 9 #include "content/public/common/url_constants.h" | 9 #include "content/public/common/url_constants.h" |
| 10 #include "net/url_request/url_request.h" | 10 #include "net/url_request/url_request.h" |
| (...skipping 15 matching lines...) Expand all Loading... |
| 26 } | 26 } |
| 27 | 27 |
| 28 bool URLDataSource::AllowCaching() const { | 28 bool URLDataSource::AllowCaching() const { |
| 29 return true; | 29 return true; |
| 30 } | 30 } |
| 31 | 31 |
| 32 bool URLDataSource::ShouldAddContentSecurityPolicy() const { | 32 bool URLDataSource::ShouldAddContentSecurityPolicy() const { |
| 33 return true; | 33 return true; |
| 34 } | 34 } |
| 35 | 35 |
| 36 std::string URLDataSource::GetContentSecurityPolicyScriptSrc() const { |
| 37 // Specific resources require unsafe-eval in the Content Security Policy. |
| 38 // TODO(tsepez,mfoltz): Remove 'unsafe-eval' when tests have been fixed to |
| 39 // not use eval()/new Function(). http://crbug.com/525224 |
| 40 return "script-src chrome://resources 'self' 'unsafe-eval';"; |
| 41 } |
| 42 |
| 36 std::string URLDataSource::GetContentSecurityPolicyObjectSrc() const { | 43 std::string URLDataSource::GetContentSecurityPolicyObjectSrc() const { |
| 37 return "object-src 'none';"; | 44 return "object-src 'none';"; |
| 38 } | 45 } |
| 39 | 46 |
| 40 std::string URLDataSource::GetContentSecurityPolicyFrameSrc() const { | 47 std::string URLDataSource::GetContentSecurityPolicyFrameSrc() const { |
| 41 return "frame-src 'none';"; | 48 return "frame-src 'none';"; |
| 42 } | 49 } |
| 43 | 50 |
| 44 bool URLDataSource::ShouldDenyXFrameOptions() const { | 51 bool URLDataSource::ShouldDenyXFrameOptions() const { |
| 45 return true; | 52 return true; |
| 46 } | 53 } |
| 47 | 54 |
| 48 bool URLDataSource::ShouldServiceRequest(const net::URLRequest* request) const { | 55 bool URLDataSource::ShouldServiceRequest(const net::URLRequest* request) const { |
| 49 if (request->url().SchemeIs(kChromeDevToolsScheme) || | 56 if (request->url().SchemeIs(kChromeDevToolsScheme) || |
| 50 request->url().SchemeIs(kChromeUIScheme)) | 57 request->url().SchemeIs(kChromeUIScheme)) |
| 51 return true; | 58 return true; |
| 52 return false; | 59 return false; |
| 53 } | 60 } |
| 54 | 61 |
| 55 bool URLDataSource::ShouldServeMimeTypeAsContentTypeHeader() const { | 62 bool URLDataSource::ShouldServeMimeTypeAsContentTypeHeader() const { |
| 56 return false; | 63 return false; |
| 57 } | 64 } |
| 58 | 65 |
| 59 std::string URLDataSource::GetAccessControlAllowOriginForOrigin( | 66 std::string URLDataSource::GetAccessControlAllowOriginForOrigin( |
| 60 const std::string& origin) const { | 67 const std::string& origin) const { |
| 61 return std::string(); | 68 return std::string(); |
| 62 } | 69 } |
| 63 | 70 |
| 64 } // namespace content | 71 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2003963004:
Enable CSP on more WebUI pages (Closed)
Base URL: https://chromium.googlesource.com/a/chromium/src.git@master