Enable CSP on more WebUI pages

chrome/browser/ui/webui/ntp/new_tab_ui.cc

Index: chrome/browser/ui/webui/ntp/new_tab_ui.cc
diff --git a/chrome/browser/ui/webui/ntp/new_tab_ui.cc b/chrome/browser/ui/webui/ntp/new_tab_ui.cc
index ae162b625f074fa71f7a6b860f21e89decdfb9b9..60f447b535442831e7e8f7f6f4d3650734d477f4 100644
--- a/chrome/browser/ui/webui/ntp/new_tab_ui.cc
+++ b/chrome/browser/ui/webui/ntp/new_tab_ui.cc
@@ -228,8 +228,26 @@ bool NewTabUI::NewTabHTMLSource::ShouldReplaceExistingSource() const {
   return false;
 }
 
-bool NewTabUI::NewTabHTMLSource::ShouldAddContentSecurityPolicy() const {
-  return false;
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyScriptSrc()
+    const {
+  // Add 'unsafe-inline' and google resources to script-src.
+  return "script-src chrome://resources 'self' 'unsafe-eval' 'unsafe-inline' "
+                    "*.google.com *.gstatic.com;";
+}
+
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyStyleSrc()
+    const {
+  return "style-src 'self' chrome://resources 'unsafe-inline' chrome://theme;";
+}
+
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyImgSrc()
+    const {

[Tom Sepez, 2016/05/26 16:00:03]

Looks like we lost the child-src directive here.  At the risk of bloating this
further, we probably need another method.

[wychen, 2016/05/26 18:00:42]

child-src and frame-src should be equivalent here. I'm using the deprecated one
for consistency.

[Tom Sepez, 2016/05/26 18:04:41]

Acknowledged.

+  return "img-src chrome-search://thumb chrome-search://thumb2 data:;";
+}
+
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyFrameSrc()
+    const {
+  return "frame-src chrome-search://most-visited;";
 }
 
 void NewTabUI::NewTabHTMLSource::AddResource(const char* resource,