Enable CSP on more WebUI pages

chrome/browser/ui/webui/app_launcher_page_ui.cc

Index: chrome/browser/ui/webui/app_launcher_page_ui.cc
diff --git a/chrome/browser/ui/webui/app_launcher_page_ui.cc b/chrome/browser/ui/webui/app_launcher_page_ui.cc
index a3707bb0e0b84c543dc749dbe5f6d1d403da61a5..3e1cb33f6c94fb3f1617a73a2dcdb57f43622e9f 100644
--- a/chrome/browser/ui/webui/app_launcher_page_ui.cc
+++ b/chrome/browser/ui/webui/app_launcher_page_ui.cc
@@ -131,8 +131,19 @@ bool AppLauncherPageUI::HTMLSource::ShouldReplaceExistingSource() const {
   return false;
 }
 
-bool AppLauncherPageUI::HTMLSource::ShouldAddContentSecurityPolicy() const {
-  return false;
+std::string AppLauncherPageUI::HTMLSource::GetContentSecurityPolicyScriptSrc()
+    const {
+  // Add 'unsafe-inline' to script-src.

[Tom Sepez, 2016/05/25 19:20:56]

Note that unsafe-inline is not really any better than no CSP, but ok.

[wychen, 2016/05/25 22:49:41]

Acknowledged.

+  return "script-src chrome://resources 'self' 'unsafe-eval' 'unsafe-inline';";
+}
+
+std::string AppLauncherPageUI::HTMLSource::GetContentSecurityPolicyObjectSrc()
+    const {
+  // Add style-src and img-src.
+  return "object-src 'none';"
+      "style-src 'self' chrome://resources chrome://theme 'unsafe-inline';"

[Tom Sepez, 2016/05/25 19:20:56]

Seems wrong to mash these together.  Can we introduce separate overridable
methods for each while we're making this change?

[wychen, 2016/05/25 22:49:41]

Done.

+      "img-src chrome://extension-icon chrome://theme chrome://resources "
+              "data:;";
 }
 
 AppLauncherPageUI::HTMLSource::~HTMLSource() {}