Enable CSP on more WebUI pages

chrome/browser/ui/webui/devtools_ui.cc

Index: chrome/browser/ui/webui/devtools_ui.cc
diff --git a/chrome/browser/ui/webui/devtools_ui.cc b/chrome/browser/ui/webui/devtools_ui.cc
index 1c5f89a5fc2be8a0facf5e4426a2bc00776e6185..2a956f035c0e3a63e12ec0d184f2dc664f3edbae 100644
--- a/chrome/browser/ui/webui/devtools_ui.cc
+++ b/chrome/browser/ui/webui/devtools_ui.cc
@@ -96,7 +96,10 @@ class DevToolsDataSource : public content::URLDataSource,
  private:
   // content::URLDataSource overrides.
   std::string GetMimeType(const std::string& path) const override;
-  bool ShouldAddContentSecurityPolicy() const override;
+  std::string GetContentSecurityPolicyScriptSrc() const override;
+  std::string GetContentSecurityPolicyObjectSrc() const override;
+  std::string GetContentSecurityPolicyFrameSrc() const override;
+
   bool ShouldDenyXFrameOptions() const override;
   bool ShouldServeMimeTypeAsContentTypeHeader() const override;
 
@@ -174,8 +177,17 @@ std::string DevToolsDataSource::GetMimeType(const std::string& path) const {
   return GetMimeTypeForPath(path);
 }
 
-bool DevToolsDataSource::ShouldAddContentSecurityPolicy() const {
-  return false;
+std::string DevToolsDataSource::GetContentSecurityPolicyScriptSrc() const {

[pfeldman, 2016/05/25 14:18:38]

Changes to this file are no longer needed.

[wychen, 2016/05/25 22:49:41]

The rules here is stricter than the ones specified in <meta>.
I guess it should be in another CL then.
Reverted this file as well.

+  return "script-src 'self' 'unsafe-eval' https://chrome-devtools-frontend.appspot.com;";
+}
+
+std::string DevToolsDataSource::GetContentSecurityPolicyObjectSrc() const {
+  // Add style-src.
+  return "object-src 'none'; style-src 'self' 'unsafe-inline';";
+}
+
+std::string DevToolsDataSource::GetContentSecurityPolicyFrameSrc() const {
+  return "frame-src chrome-extension://*;";
 }
 
 bool DevToolsDataSource::ShouldDenyXFrameOptions() const {