Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(991)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/public/browser/url_data_source.h

Issue 2003963004: Enable CSP on more WebUI pages (Closed) Base URL: https://chromium.googlesource.com/a/chromium/src.git@master
Patch Set: revert devtools, fix comments, split methods Created 4 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/ui/webui/system_info_ui.cc ('K') | « content/browser/webui/url_data_manager_backend.cc ('k') | content/public/browser/url_data_source.cc » ('j') | content/public/browser/url_data_source.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/public/browser/url_data_source.h
diff --git a/content/public/browser/url_data_source.h b/content/public/browser/url_data_source.h
index 565b0ff291a3f99866e271b4ed46028910622a19..3916fb1c5512fbf90d58548bd429e509ed2706c1 100644
--- a/content/public/browser/url_data_source.h
+++ b/content/public/browser/url_data_source.h
@@ -86,14 +86,21 @@ class CONTENT_EXPORT URLDataSource {
// Returns true if responses from this URLDataSource can be cached.
virtual bool AllowCaching() const;
- // If you are overriding this, then you have a bug.
+ // If you are overriding the following two methods, then you have a bug.
// It is not acceptable to disable content-security-policy on chrome:// pages
// to permit functionality excluded by CSP, such as inline script.
// Instead, you must go back and change your WebUI page so that it is
// compliant with the policy. This typically involves ensuring that all script
- // is delivered through the data manager backend. Talk to tsepez for more
- // info.
+ // is delivered through the data manager backend. Do not disable CSP on your
+ // page without first contacting the chrome security team.
virtual bool ShouldAddContentSecurityPolicy() const;
+ // For pre-exsiting code, enabling CSP with relaxed script-src attributes
+ // may be marginally better than disabling CSP outright.
+ // Do not override this method without first contacting the chrome security
+ // team.
+ // By default, "script-src chrome://resources 'self' 'unsafe-eval';" is added
+ // to CSP. Override to change this.
+ virtual std::string GetContentSecurityPolicyScriptSrc() const;
// It is OK to override the following two methods to a custom CSP directive
Tom Sepez 2016/05/25 23:07:03 nit: four methods.
wychen 2016/05/26 17:54:24 Done.
// thereby slightly reducing the protection applied to the page.
@@ -102,6 +109,10 @@ class CONTENT_EXPORT URLDataSource {
virtual std::string GetContentSecurityPolicyObjectSrc() const;
// By default, "frame-src 'none';" is added to CSP. Override to change this.
virtual std::string GetContentSecurityPolicyFrameSrc() const;
+ // By default empty. Override to change this.
+ virtual std::string GetContentSecurityPolicyStyleSrc() const;
+ // By default empty. Override to change this.
+ virtual std::string GetContentSecurityPolicyImgSrc() const;
// By default, the "X-Frame-Options: DENY" header is sent. To stop this from
// happening, return false. It is OK to return false as needed.
« chrome/browser/ui/webui/system_info_ui.cc ('K') | « content/browser/webui/url_data_manager_backend.cc ('k') | content/public/browser/url_data_source.cc » ('j') | content/public/browser/url_data_source.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698