Chromium Code Reviews Chromium Code Reviews
Issue 2003963004:
Enable CSP on more WebUI pages (Closed)
Base URL: https://chromium.googlesource.com/a/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ui/webui/devtools_ui.h" | 5 #include "chrome/browser/ui/webui/devtools_ui.h" |
| 6 | 6 |
| 7 #include "base/macros.h" | 7 #include "base/macros.h" |
| 8 #include "base/memory/ref_counted_memory.h" | 8 #include "base/memory/ref_counted_memory.h" |
| 9 #include "base/strings/string_util.h" | 9 #include "base/strings/string_util.h" |
| 10 #include "base/strings/stringprintf.h" | 10 #include "base/strings/stringprintf.h" |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 89 std::string GetSource() const override; | 89 std::string GetSource() const override; |
| 90 | 90 |
| 91 void StartDataRequest(const std::string& path, | 91 void StartDataRequest(const std::string& path, |
| 92 int render_process_id, | 92 int render_process_id, |
| 93 int render_frame_id, | 93 int render_frame_id, |
| 94 const GotDataCallback& callback) override; | 94 const GotDataCallback& callback) override; |
| 95 | 95 |
| 96 private: | 96 private: |
| 97 // content::URLDataSource overrides. | 97 // content::URLDataSource overrides. |
| 98 std::string GetMimeType(const std::string& path) const override; | 98 std::string GetMimeType(const std::string& path) const override; |
| 99 bool ShouldAddContentSecurityPolicy() const override; | 99 std::string GetContentSecurityPolicyScriptSrc() const override; |
| 100 std::string GetContentSecurityPolicyObjectSrc() const override; | |
| 101 std::string GetContentSecurityPolicyFrameSrc() const override; | |
| 102 | |
| 100 bool ShouldDenyXFrameOptions() const override; | 103 bool ShouldDenyXFrameOptions() const override; |
| 101 bool ShouldServeMimeTypeAsContentTypeHeader() const override; | 104 bool ShouldServeMimeTypeAsContentTypeHeader() const override; |
| 102 | 105 |
| 103 // net::URLFetcherDelegate overrides. | 106 // net::URLFetcherDelegate overrides. |
| 104 void OnURLFetchComplete(const net::URLFetcher* source) override; | 107 void OnURLFetchComplete(const net::URLFetcher* source) override; |
| 105 | 108 |
| 106 // Serves bundled DevTools frontend from ResourceBundle. | 109 // Serves bundled DevTools frontend from ResourceBundle. |
| 107 void StartBundledDataRequest(const std::string& path, | 110 void StartBundledDataRequest(const std::string& path, |
| 108 int render_process_id, | 111 int render_process_id, |
| 109 int render_frame_id, | 112 int render_frame_id, |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 167 return; | 170 return; |
| 168 } | 171 } |
| 169 | 172 |
| 170 callback.Run(NULL); | 173 callback.Run(NULL); |
| 171 } | 174 } |
| 172 | 175 |
| 173 std::string DevToolsDataSource::GetMimeType(const std::string& path) const { | 176 std::string DevToolsDataSource::GetMimeType(const std::string& path) const { |
| 174 return GetMimeTypeForPath(path); | 177 return GetMimeTypeForPath(path); |
| 175 } | 178 } |
| 176 | 179 |
| 177 bool DevToolsDataSource::ShouldAddContentSecurityPolicy() const { | 180 std::string DevToolsDataSource::GetContentSecurityPolicyScriptSrc() const { |
|
pfeldman
2016/05/25 14:18:38
Changes to this file are no longer needed.
wychen
2016/05/25 22:49:41
The rules here is stricter than the ones specified
| |
| 178 return false; | 181 return "script-src 'self' 'unsafe-eval' https://chrome-devtools-frontend.appsp ot.com;"; |
| 182 } | |
| 183 | |
| 184 std::string DevToolsDataSource::GetContentSecurityPolicyObjectSrc() const { | |
| 185 // Add style-src. | |
| 186 return "object-src 'none'; style-src 'self' 'unsafe-inline';"; | |
| 187 } | |
| 188 | |
| 189 std::string DevToolsDataSource::GetContentSecurityPolicyFrameSrc() const { | |
| 190 return "frame-src chrome-extension://*;"; | |
| 179 } | 191 } |
| 180 | 192 |
| 181 bool DevToolsDataSource::ShouldDenyXFrameOptions() const { | 193 bool DevToolsDataSource::ShouldDenyXFrameOptions() const { |
| 182 return false; | 194 return false; |
| 183 } | 195 } |
| 184 | 196 |
| 185 bool DevToolsDataSource::ShouldServeMimeTypeAsContentTypeHeader() const { | 197 bool DevToolsDataSource::ShouldServeMimeTypeAsContentTypeHeader() const { |
| 186 return true; | 198 return true; |
| 187 } | 199 } |
| 188 | 200 |
| (...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 264 bindings_(web_ui->GetWebContents()) { | 276 bindings_(web_ui->GetWebContents()) { |
| 265 web_ui->SetBindings(0); | 277 web_ui->SetBindings(0); |
| 266 Profile* profile = Profile::FromWebUI(web_ui); | 278 Profile* profile = Profile::FromWebUI(web_ui); |
| 267 content::URLDataSource::Add( | 279 content::URLDataSource::Add( |
| 268 profile, | 280 profile, |
| 269 new DevToolsDataSource(profile->GetRequestContext())); | 281 new DevToolsDataSource(profile->GetRequestContext())); |
| 270 } | 282 } |
| 271 | 283 |
| 272 DevToolsUI::~DevToolsUI() { | 284 DevToolsUI::~DevToolsUI() { |
| 273 } | 285 } |
| OLD | NEW |
