Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(86)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/public/browser/url_data_source.h

Issue 2003963004: Enable CSP on more WebUI pages (Closed) Base URL: https://chromium.googlesource.com/a/chromium/src.git@master
Patch Set: fix new tab Created 4 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « content/browser/webui/url_data_manager_backend.cc ('k') | content/public/browser/url_data_source.cc » ('j') | third_party/WebKit/Source/devtools/front_end/inspector.html » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ 5 #ifndef CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
6 #define CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ 6 #define CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
7 7
8 #include <string> 8 #include <string>
9 9
10 #include "base/callback.h" 10 #include "base/callback.h"
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after
88 88
89 // If you are overriding this, then you have a bug. 89 // If you are overriding this, then you have a bug.
90 // It is not acceptable to disable content-security-policy on chrome:// pages 90 // It is not acceptable to disable content-security-policy on chrome:// pages
91 // to permit functionality excluded by CSP, such as inline script. 91 // to permit functionality excluded by CSP, such as inline script.
92 // Instead, you must go back and change your WebUI page so that it is 92 // Instead, you must go back and change your WebUI page so that it is
93 // compliant with the policy. This typically involves ensuring that all script 93 // compliant with the policy. This typically involves ensuring that all script
94 // is delivered through the data manager backend. Talk to tsepez for more 94 // is delivered through the data manager backend. Talk to tsepez for more
95 // info. 95 // info.
96 virtual bool ShouldAddContentSecurityPolicy() const; 96 virtual bool ShouldAddContentSecurityPolicy() const;
97 97
98 // It is OK to override the following two methods to a custom CSP directive 98 // It is OK to override the following two methods to a custom CSP directive
Avi (use Gerrit) 2016/05/24 23:15:07 three methods?
wychen 2016/05/25 12:55:08 Reordered.
99 // thereby slightly reducing the protection applied to the page. 99 // thereby slightly reducing the protection applied to the page.
100 100
101 // By default, "scrip-src chrome://resources 'self' 'unsafe-eval';" is added
Avi (use Gerrit) 2016/05/24 23:15:07 scrip -> script ?
wychen 2016/05/25 12:55:08 *shame cube* Thanks!
102 // to CSP. Override to change this.
103 virtual std::string GetContentSecurityPolicyScriptSrc() const;
101 // By default, "object-src 'none';" is added to CSP. Override to change this. 104 // By default, "object-src 'none';" is added to CSP. Override to change this.
102 virtual std::string GetContentSecurityPolicyObjectSrc() const; 105 virtual std::string GetContentSecurityPolicyObjectSrc() const;
103 // By default, "frame-src 'none';" is added to CSP. Override to change this. 106 // By default, "frame-src 'none';" is added to CSP. Override to change this.
104 virtual std::string GetContentSecurityPolicyFrameSrc() const; 107 virtual std::string GetContentSecurityPolicyFrameSrc() const;
105 108
106 // By default, the "X-Frame-Options: DENY" header is sent. To stop this from 109 // By default, the "X-Frame-Options: DENY" header is sent. To stop this from
107 // happening, return false. It is OK to return false as needed. 110 // happening, return false. It is OK to return false as needed.
108 virtual bool ShouldDenyXFrameOptions() const; 111 virtual bool ShouldDenyXFrameOptions() const;
109 112
110 // By default, only chrome: and chrome-devtools: requests are allowed. 113 // By default, only chrome: and chrome-devtools: requests are allowed.
(...skipping 23 matching lines...) Expand all
134 // Gives the source an opportunity to rewrite |path| to incorporate extra 137 // Gives the source an opportunity to rewrite |path| to incorporate extra
135 // information from the URLRequest prior to serving. 138 // information from the URLRequest prior to serving.
136 virtual void WillServiceRequest( 139 virtual void WillServiceRequest(
137 const net::URLRequest* request, 140 const net::URLRequest* request,
138 std::string* path) const {} 141 std::string* path) const {}
139 }; 142 };
140 143
141 } // namespace content 144 } // namespace content
142 145
143 #endif // CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ 146 #endif // CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
OLDNEW
« no previous file with comments | « content/browser/webui/url_data_manager_backend.cc ('k') | content/public/browser/url_data_source.cc » ('j') | third_party/WebKit/Source/devtools/front_end/inspector.html » ('J')

Powered by Google App Engine
This is Rietveld 408576698