Index: chrome/browser/ui/webui/interstitials/interstitial_ui.cc |
| diff --git a/chrome/browser/ui/webui/interstitials/interstitial_ui.cc b/chrome/browser/ui/webui/interstitials/interstitial_ui.cc |
| index a0dc29837e5bfbd696dafa92451f64dcefaea952..039d293ecef367e388237d2d63d25cbedc333b4c 100644 |
| --- a/chrome/browser/ui/webui/interstitials/interstitial_ui.cc |
| +++ b/chrome/browser/ui/webui/interstitials/interstitial_ui.cc |
| @@ -46,7 +46,8 @@ class InterstitialHTMLSource : public content::URLDataSource { |
| // content::URLDataSource: |
| std::string GetMimeType(const std::string& mime_type) const override; |
| std::string GetSource() const override; |
| - bool ShouldAddContentSecurityPolicy() const override; |
| + std::string GetContentSecurityPolicyScriptSrc() const override; |
| + std::string GetContentSecurityPolicyObjectSrc() const override; |
| void StartDataRequest( |
| const std::string& path, |
| int render_process_id, |
| @@ -308,9 +309,16 @@ std::string InterstitialHTMLSource::GetSource() const { |
| return chrome::kChromeUIInterstitialHost; |
| } |
| -bool InterstitialHTMLSource::ShouldAddContentSecurityPolicy() |
| - const { |
| - return false; |
| +std::string InterstitialHTMLSource::GetContentSecurityPolicyScriptSrc() const { |
| + // Add 'unsafe-inline' to script-src. |
| + return "script-src chrome://resources 'self' 'unsafe-eval' 'unsafe-inline';"; |
| +} |
| + |
| +std::string InterstitialHTMLSource::GetContentSecurityPolicyObjectSrc() const { |
| + // Add style-src and img-src. |
| + return "object-src 'none';" |
| + "style-src 'self' 'unsafe-inline';" |
|
Tom Sepez
2016/05/25 23:07:03
Here we're still mixing object, style, and img.
wychen
2016/05/26 17:54:23
Oops. Fixed.
|
| + "img-src data:;"; |
| } |
| void InterstitialHTMLSource::StartDataRequest( |
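Review bot: The script-src string returned by GetContentSecurityPolicyScriptSrc() carries both 'unsafe-eval' and 'unsafe-inline', so the policy this change switches on would still let injected inline script run on the interstitial pages. The comment `// Add 'unsafe-inline' to script-src.` restates the string without saying why either keyword is required. If the pages only need inline script, the narrower `return "script-src chrome://resources 'self' 'unsafe-inline';";` would do, but whether anything served by this source relies on eval is not visible from this hunk and needs checking first. Either way the comment should record the reason and the exit condition, for example (if inline script is indeed the reason) `// Interstitial HTML still uses inline <script>; drop 'unsafe-inline' once scripts load from chrome://resources.`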