Enable CSP on more WebUI pages

content/public/browser/url_data_source.cc

Index: content/public/browser/url_data_source.cc
diff --git a/content/public/browser/url_data_source.cc b/content/public/browser/url_data_source.cc
index 0c76c50afd0f41af02359306f6b042c96ceb2831..6292e6545f55de4c52e063ea08641bb95345a1be 100644
--- a/content/public/browser/url_data_source.cc
+++ b/content/public/browser/url_data_source.cc
@@ -33,6 +33,13 @@ bool URLDataSource::ShouldAddContentSecurityPolicy() const {
   return true;
 }
 
+std::string URLDataSource::GetContentSecurityPolicyScriptSrc() const {
+  // Specific resources require unsafe-eval in the Content Security Policy.
+  // TODO(tsepez,mfoltz): Remove 'unsafe-eval' when tests have been fixed to
+  // not use eval()/new Function().  http://crbug.com/525224
+  return "script-src chrome://resources 'self' 'unsafe-eval';";
+}
+
 std::string URLDataSource::GetContentSecurityPolicyObjectSrc() const {
   return "object-src 'none';";
 }
@@ -41,6 +48,14 @@ std::string URLDataSource::GetContentSecurityPolicyFrameSrc() const {
   return "frame-src 'none';";
 }
 
+std::string URLDataSource::GetContentSecurityPolicyStyleSrc() const {
+  return "";

[wychen, 2016/05/26 17:54:23]

Is this a good default? Do we want to avoid 'unsafe-inline', or it is considered
OK?

+}
+
+std::string URLDataSource::GetContentSecurityPolicyImgSrc() const {
+  return "";
+}
+
 bool URLDataSource::ShouldDenyXFrameOptions() const {
   return true;
 }