Enable CSP on more WebUI pages

chrome/browser/ui/webui/app_launcher_page_ui.cc

Index: chrome/browser/ui/webui/app_launcher_page_ui.cc
diff --git a/chrome/browser/ui/webui/app_launcher_page_ui.cc b/chrome/browser/ui/webui/app_launcher_page_ui.cc
index a3707bb0e0b84c543dc749dbe5f6d1d403da61a5..e8ae87546fe0a48cfcb882b23f702f38609f6424 100644
--- a/chrome/browser/ui/webui/app_launcher_page_ui.cc
+++ b/chrome/browser/ui/webui/app_launcher_page_ui.cc
@@ -131,8 +131,21 @@ bool AppLauncherPageUI::HTMLSource::ShouldReplaceExistingSource() const {
   return false;
 }
 
-bool AppLauncherPageUI::HTMLSource::ShouldAddContentSecurityPolicy() const {
-  return false;
+std::string AppLauncherPageUI::HTMLSource::GetContentSecurityPolicyScriptSrc()
+    const {
+  // Add 'unsafe-inline' to script-src.

[Dan Beam, 2016/05/31 21:46:09]

can you annotate who should do this?

[wychen, 2016/05/31 23:04:34]

I meant to say 'unsafe-inline' is added to script-src, compared with the default
string. I guess it's too ambiguous.

Done.

+  return "script-src chrome://resources 'self' 'unsafe-eval' 'unsafe-inline';";
+}
+
+std::string AppLauncherPageUI::HTMLSource::GetContentSecurityPolicyStyleSrc()
+    const {
+  return "style-src 'self' chrome://resources chrome://theme 'unsafe-inline';";
+}
+
+std::string AppLauncherPageUI::HTMLSource::GetContentSecurityPolicyImgSrc()
+    const {
+  return "img-src chrome://extension-icon chrome://theme chrome://resources "
+                 "data:;";
 }
 
 AppLauncherPageUI::HTMLSource::~HTMLSource() {}