OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ | 5 #ifndef CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ |
6 #define CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ | 6 #define CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/callback.h" | 10 #include "base/callback.h" |
(...skipping 68 matching lines...) | |
79 // with the same name that has already been registered. The default is true. | 79 // with the same name that has already been registered. The default is true. |
80 // | 80 // |
81 // WARNING: this is invoked on the IO thread. | 81 // WARNING: this is invoked on the IO thread. |
82 // | 82 // |
83 // TODO: nuke this and convert all callers to not replace. | 83 // TODO: nuke this and convert all callers to not replace. |
84 virtual bool ShouldReplaceExistingSource() const; | 84 virtual bool ShouldReplaceExistingSource() const; |
85 | 85 |
86 // Returns true if responses from this URLDataSource can be cached. | 86 // Returns true if responses from this URLDataSource can be cached. |
87 virtual bool AllowCaching() const; | 87 virtual bool AllowCaching() const; |
88 | 88 |
89 // If you are overriding this, then you have a bug. | 89 // If you are overriding the following two methods, then you have a bug. |
90 // It is not acceptable to disable content-security-policy on chrome:// pages | 90 // It is not acceptable to disable content-security-policy on chrome:// pages |
91 // to permit functionality excluded by CSP, such as inline script. | 91 // to permit functionality excluded by CSP, such as inline script. |
92 // Instead, you must go back and change your WebUI page so that it is | 92 // Instead, you must go back and change your WebUI page so that it is |
93 // compliant with the policy. This typically involves ensuring that all script | 93 // compliant with the policy. This typically involves ensuring that all script |
94 // is delivered through the data manager backend. Talk to tsepez for more | 94 // is delivered through the data manager backend. Talk to tsepez for more |
Tom Sepez
2016/05/25 19:20:56
change: /Talk to tsepez for more info./Do not disa
wychen
2016/05/25 22:49:41
Done.
| |
95 // info. | 95 // info. |
96 virtual bool ShouldAddContentSecurityPolicy() const; | 96 virtual bool ShouldAddContentSecurityPolicy() const; |
97 // If you have to allow more permissions, enabling CSP with relaxed script-src | |
Tom Sepez
2016/05/25 19:20:56
I'd like to wordsmith this comment.
// For pre-ex
wychen
2016/05/25 22:49:41
Done.
| |
98 // by overriding the following method is better than disabling CSP outright. | |
99 // By default, "script-src chrome://resources 'self' 'unsafe-eval';" is added | |
100 // to CSP. Override to change this. | |
101 virtual std::string GetContentSecurityPolicyScriptSrc() const; | |
97 | 102 |
98 // It is OK to override the following two methods to a custom CSP directive | 103 // It is OK to override the following two methods to a custom CSP directive |
99 // thereby slightly reducing the protection applied to the page. | 104 // thereby slightly reducing the protection applied to the page. |
100 | 105 |
101 // By default, "object-src 'none';" is added to CSP. Override to change this. | 106 // By default, "object-src 'none';" is added to CSP. Override to change this. |
102 virtual std::string GetContentSecurityPolicyObjectSrc() const; | 107 virtual std::string GetContentSecurityPolicyObjectSrc() const; |
103 // By default, "frame-src 'none';" is added to CSP. Override to change this. | 108 // By default, "frame-src 'none';" is added to CSP. Override to change this. |
104 virtual std::string GetContentSecurityPolicyFrameSrc() const; | 109 virtual std::string GetContentSecurityPolicyFrameSrc() const; |
105 | 110 |
106 // By default, the "X-Frame-Options: DENY" header is sent. To stop this from | 111 // By default, the "X-Frame-Options: DENY" header is sent. To stop this from |
(...skipping 27 matching lines...) | |
134 // Gives the source an opportunity to rewrite |path| to incorporate extra | 139 // Gives the source an opportunity to rewrite |path| to incorporate extra |
135 // information from the URLRequest prior to serving. | 140 // information from the URLRequest prior to serving. |
136 virtual void WillServiceRequest( | 141 virtual void WillServiceRequest( |
137 const net::URLRequest* request, | 142 const net::URLRequest* request, |
138 std::string* path) const {} | 143 std::string* path) const {} |
139 }; | 144 }; |
140 | 145 |
141 } // namespace content | 146 } // namespace content |
142 | 147 |
143 #endif // CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ | 148 #endif // CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_ |
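Review bot: The new `GetContentSecurityPolicyScriptSrc()` declaration (new line 101) does not document the format its return value must have, and on a chrome:// page that is a security-relevant contract. The default quoted in its comment is a complete directive with a trailing semicolon, so an override that drops the `;` or returns an empty string would presumably run into the following directive or remove the script-src restriction altogether; the code that assembles the header is not on this page, so this should be confirmed there. I would add to the comment something like `// The returned string must be a complete "script-src ...;" directive, including the trailing semicolon; an empty string removes the script-src restriction entirely.` Separately, the block at new lines 89-95 now calls overriding "the following two methods" a bug while the comment at new lines 97-100 presents overriding this one as the preferred alternative, so the header should say which of the two statements applies to this method.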