Enable CSP on more WebUI pages

chrome/browser/ui/webui/ntp/new_tab_ui.cc

Index: chrome/browser/ui/webui/ntp/new_tab_ui.cc
diff --git a/chrome/browser/ui/webui/ntp/new_tab_ui.cc b/chrome/browser/ui/webui/ntp/new_tab_ui.cc
index ae162b625f074fa71f7a6b860f21e89decdfb9b9..60f447b535442831e7e8f7f6f4d3650734d477f4 100644
--- a/chrome/browser/ui/webui/ntp/new_tab_ui.cc
+++ b/chrome/browser/ui/webui/ntp/new_tab_ui.cc
@@ -228,8 +228,26 @@ bool NewTabUI::NewTabHTMLSource::ShouldReplaceExistingSource() const {
   return false;
 }
 
-bool NewTabUI::NewTabHTMLSource::ShouldAddContentSecurityPolicy() const {
-  return false;
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyScriptSrc()
+    const {
+  // Add 'unsafe-inline' and google resources to script-src.
+  return "script-src chrome://resources 'self' 'unsafe-eval' 'unsafe-inline' "
+                    "*.google.com *.gstatic.com;";

[Dan Beam, 2016/05/31 21:46:09]

why is this wrapped here?

[wychen, 2016/05/31 23:04:34]

Otherwise it couldn't fit in 80 chars. The whole string is still one line.

[Dan Beam, 2016/05/31 23:13:14]

i meant: the indent should be 4 \s for a continuation, right?

[wychen, 2016/06/01 00:19:19]

Oh. I see what you meant. I aligned the 2nd line with the first source.
Fixed.

+}
+
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyStyleSrc()
+    const {
+  return "style-src 'self' chrome://resources 'unsafe-inline' chrome://theme;";
+}
+
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyImgSrc()
+    const {
+  return "img-src chrome-search://thumb chrome-search://thumb2 data:;";
+}
+
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyFrameSrc()
+    const {
+  return "frame-src chrome-search://most-visited;";
 }
 
 void NewTabUI::NewTabHTMLSource::AddResource(const char* resource,