| Index: content/browser/webui/url_data_manager_backend.cc
|
| diff --git a/content/browser/webui/url_data_manager_backend.cc b/content/browser/webui/url_data_manager_backend.cc
|
| index fe1015f87e445c77ae396386df9182b94fc81cd0..f2a6823a9ebe366e9fdd47a77c80b923218b10c1 100644
|
| --- a/content/browser/webui/url_data_manager_backend.cc
|
| +++ b/content/browser/webui/url_data_manager_backend.cc
|
| @@ -53,7 +53,7 @@ namespace content {
|
| namespace {
|
|
|
| const char kChromeURLContentSecurityPolicyHeaderBase[] =
|
| - "Content-Security-Policy: script-src chrome://resources 'self'";
|
| + "Content-Security-Policy: ";
|
|
|
| const char kChromeURLXFrameOptionsHeader[] = "X-Frame-Options: DENY";
|
| static const char kNetworkErrorKey[] = "netError";
|
| @@ -153,11 +153,26 @@ class URLRequestChromeJob : public net::URLRequestJob {
|
| content_security_policy_object_source_ = data;
|
| }
|
|
|
| + void set_content_security_policy_script_source(
|
| + const std::string& data) {
|
| + content_security_policy_script_source_ = data;
|
| + }
|
| +
|
| void set_content_security_policy_frame_source(
|
| const std::string& data) {
|
| content_security_policy_frame_source_ = data;
|
| }
|
|
|
| + void set_content_security_policy_style_source(
|
| + const std::string& data) {
|
| + content_security_policy_style_source_ = data;
|
| + }
|
| +
|
| + void set_content_security_policy_image_source(
|
| + const std::string& data) {
|
| + content_security_policy_image_source_ = data;
|
| + }
|
| +
|
| void set_deny_xframe_options(bool deny_xframe_options) {
|
| deny_xframe_options_ = deny_xframe_options;
|
| }
|
| @@ -188,9 +203,6 @@ class URLRequestChromeJob : public net::URLRequestJob {
|
| const GURL& url,
|
| const base::WeakPtr<URLRequestChromeJob>& job);
|
|
|
| - // Specific resources require unsafe-eval in the Content Security Policy.
|
| - bool RequiresUnsafeEval() const;
|
| -
|
| // Do the actual copy from data_ (the data we're serving) into |buf|.
|
| // Separate from ReadRawData so we can handle async I/O. Returns the number of
|
| // bytes read.
|
| @@ -215,8 +227,11 @@ class URLRequestChromeJob : public net::URLRequestJob {
|
| bool add_content_security_policy_;
|
|
|
| // These are used with the CSP.
|
| + std::string content_security_policy_script_source_;
|
| std::string content_security_policy_object_source_;
|
| std::string content_security_policy_frame_source_;
|
| + std::string content_security_policy_style_source_;
|
| + std::string content_security_policy_image_source_;
|
|
|
| // If true, sets the "X-Frame-Options: DENY" header.
|
| bool deny_xframe_options_;
|
| @@ -248,8 +263,6 @@ URLRequestChromeJob::URLRequestChromeJob(net::URLRequest* request,
|
| pending_buf_size_(0),
|
| allow_caching_(true),
|
| add_content_security_policy_(true),
|
| - content_security_policy_object_source_("object-src 'none';"),
|
| - content_security_policy_frame_source_("frame-src 'none';"),
|
| deny_xframe_options_(true),
|
| send_content_type_header_(false),
|
| is_incognito_(is_incognito),
|
| @@ -326,9 +339,11 @@ void URLRequestChromeJob::GetResponseInfo(net::HttpResponseInfo* info) {
|
| // response headers.
|
| if (add_content_security_policy_) {
|
| std::string base = kChromeURLContentSecurityPolicyHeaderBase;
|
| - base.append(RequiresUnsafeEval() ? " 'unsafe-eval'; " : "; ");
|
| + base.append(content_security_policy_script_source_);
|
| base.append(content_security_policy_object_source_);
|
| base.append(content_security_policy_frame_source_);
|
| + base.append(content_security_policy_style_source_);
|
| + base.append(content_security_policy_image_source_);
|
| info->headers->AddHeader(base);
|
| }
|
|
|
| @@ -438,12 +453,6 @@ void URLRequestChromeJob::StartAsync(bool allowed) {
|
| }
|
| }
|
|
|
| -// TODO(tsepez,mfoltz): Refine this method when tests have been fixed to not use
|
| -// eval()/new Function(). http://crbug.com/525224
|
| -bool URLRequestChromeJob::RequiresUnsafeEval() const {
|
| - return true;
|
| -}
|
| -
|
| namespace {
|
|
|
| // Gets mime type for data that is available from |source| by |path|.
|
| @@ -636,10 +645,16 @@ bool URLDataManagerBackend::StartRequest(const net::URLRequest* request,
|
| job->set_allow_caching(source->source()->AllowCaching());
|
| job->set_add_content_security_policy(
|
| source->source()->ShouldAddContentSecurityPolicy());
|
| + job->set_content_security_policy_script_source(
|
| + source->source()->GetContentSecurityPolicyScriptSrc());
|
| job->set_content_security_policy_object_source(
|
| source->source()->GetContentSecurityPolicyObjectSrc());
|
| job->set_content_security_policy_frame_source(
|
| source->source()->GetContentSecurityPolicyFrameSrc());
|
| + job->set_content_security_policy_style_source(
|
| + source->source()->GetContentSecurityPolicyStyleSrc());
|
| + job->set_content_security_policy_image_source(
|
| + source->source()->GetContentSecurityPolicyImgSrc());
|
| job->set_deny_xframe_options(
|
| source->source()->ShouldDenyXFrameOptions());
|
| job->set_send_content_type_header(
|
|
|
Chromium Code Reviews
Issue 2003963004:
Enable CSP on more WebUI pages (Closed)
Base URL: https://chromium.googlesource.com/a/chromium/src.git@master