| Index: content/browser/webui/url_data_manager_backend.cc
|
| diff --git a/content/browser/webui/url_data_manager_backend.cc b/content/browser/webui/url_data_manager_backend.cc
|
| index fe1015f87e445c77ae396386df9182b94fc81cd0..fc59d1ade655d7ea7dcec8e13f52b955f8fe542c 100644
|
| --- a/content/browser/webui/url_data_manager_backend.cc
|
| +++ b/content/browser/webui/url_data_manager_backend.cc
|
| @@ -53,7 +53,7 @@ namespace content {
|
| namespace {
|
|
|
| const char kChromeURLContentSecurityPolicyHeaderBase[] =
|
| - "Content-Security-Policy: script-src chrome://resources 'self'";
|
| + "Content-Security-Policy: ";
|
|
|
| const char kChromeURLXFrameOptionsHeader[] = "X-Frame-Options: DENY";
|
| static const char kNetworkErrorKey[] = "netError";
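Review bot: The new kChromeURLContentSecurityPolicyHeaderBase carries no directive at all, so after this hunk nothing in this file guarantees a script-src on chrome:// responses; the only restriction on script comes from the string each URLDataSource hands back, and the old hard-coded `script-src chrome://resources 'self'` floor is gone. If a source returns an empty script source the page ships with no script-src and, as far as the visible code shows, no default-src either, which is fail-open rather than fail-closed. Presumably the base URLDataSource now supplies the former default, but that is outside this diff and should be confirmed; a one-line comment on the constant would help the next reader, e.g. `// Directives are supplied per-source; the base URLDataSource must provide a restrictive default.`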
|
| @@ -153,6 +153,11 @@ class URLRequestChromeJob : public net::URLRequestJob {
|
| content_security_policy_object_source_ = data;
|
| }
|
|
|
| + void set_content_security_policy_script_source(
|
| + const std::string& data) {
|
| + content_security_policy_script_source_ = data;
|
| + }
|
| +
|
| void set_content_security_policy_frame_source(
|
| const std::string& data) {
|
| content_security_policy_frame_source_ = data;
|
| @@ -188,9 +193,6 @@ class URLRequestChromeJob : public net::URLRequestJob {
|
| const GURL& url,
|
| const base::WeakPtr<URLRequestChromeJob>& job);
|
|
|
| - // Specific resources require unsafe-eval in the Content Security Policy.
|
| - bool RequiresUnsafeEval() const;
|
| -
|
| // Do the actual copy from data_ (the data we're serving) into |buf|.
|
| // Separate from ReadRawData so we can handle async I/O. Returns the number of
|
| // bytes read.
|
| @@ -215,6 +217,7 @@ class URLRequestChromeJob : public net::URLRequestJob {
|
| bool add_content_security_policy_;
|
|
|
| // These are used with the CSP.
|
| + std::string content_security_policy_script_source_;
|
| std::string content_security_policy_object_source_;
|
| std::string content_security_policy_frame_source_;
|
|
|
| @@ -248,8 +251,6 @@ URLRequestChromeJob::URLRequestChromeJob(net::URLRequest* request,
|
| pending_buf_size_(0),
|
| allow_caching_(true),
|
| add_content_security_policy_(true),
|
| - content_security_policy_object_source_("object-src 'none';"),
|
| - content_security_policy_frame_source_("frame-src 'none';"),
|
| deny_xframe_options_(true),
|
| send_content_type_header_(false),
|
| is_incognito_(is_incognito),
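Review bot: Dropping the `object-src 'none';` and `frame-src 'none';` initializers removes the job-level fail-safe that every chrome:// page used to get regardless of what its data source returned; the two members are now default-constructed empty and are only populated by the setters called from StartRequest. A data source whose GetContentSecurityPolicyObjectSrc or GetContentSecurityPolicyFrameSrc returns an empty string therefore gets no plugin or frame restriction at all, where before it would have inherited 'none'. If the intent is that the defaults now live in URLDataSource, that should be stated here so the dependency is explicit, e.g. `// No CSP defaults here: object-src/frame-src come from URLDataSource, which must default to 'none'.` The constructor's initializer list continues outside the hunk.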
|
| @@ -326,7 +327,7 @@ void URLRequestChromeJob::GetResponseInfo(net::HttpResponseInfo* info) {
|
| // response headers.
|
| if (add_content_security_policy_) {
|
| std::string base = kChromeURLContentSecurityPolicyHeaderBase;
|
| - base.append(RequiresUnsafeEval() ? " 'unsafe-eval'; " : "; ");
|
| + base.append(content_security_policy_script_source_);
|
| base.append(content_security_policy_object_source_);
|
| base.append(content_security_policy_frame_source_);
|
| info->headers->AddHeader(base);
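Review bot: The header is now assembled by blind concatenation of three per-source strings, so the separator that the old code appended explicitly (`"; "`) is now each source's responsibility; a source returning `script-src 'self'` without the trailing `; ` yields `script-src 'self'object-src 'none';`, which the browser parses as a single script-src with an unrecognized token and no object-src directive at all, silently losing the restriction. There is also no guard for the case where all three fragments are empty, in which case an empty `Content-Security-Policy: ` header is still emitted. Consider normalizing rather than trusting callers, e.g. DCHECK that each non-empty fragment ends with `';'` or `"; "` before appending, and skip AddHeader when the assembled policy is empty. GetResponseInfo begins and ends outside the hunk.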
|
| @@ -438,12 +439,6 @@ void URLRequestChromeJob::StartAsync(bool allowed) {
|
| }
|
| }
|
|
|
| -// TODO(tsepez,mfoltz): Refine this method when tests have been fixed to not use
|
| -// eval()/new Function(). http://crbug.com/525224
|
| -bool URLRequestChromeJob::RequiresUnsafeEval() const {
|
| - return true;
|
| -}
|
| -
|
| namespace {
|
|
|
| // Gets mime type for data that is available from |source| by |path|.
|
| @@ -636,6 +631,8 @@ bool URLDataManagerBackend::StartRequest(const net::URLRequest* request,
|
| job->set_allow_caching(source->source()->AllowCaching());
|
| job->set_add_content_security_policy(
|
| source->source()->ShouldAddContentSecurityPolicy());
|
| + job->set_content_security_policy_script_source(
|
| + source->source()->GetContentSecurityPolicyScriptSrc());
|
| job->set_content_security_policy_object_source(
|
| source->source()->GetContentSecurityPolicyObjectSrc());
|
| job->set_content_security_policy_frame_source(
|
|
|