Chromium Code Reviews| Index: content/public/browser/url_data_source.h |
| diff --git a/content/public/browser/url_data_source.h b/content/public/browser/url_data_source.h |
| index 565b0ff291a3f99866e271b4ed46028910622a19..43856110516630369928dabb5c0edf678473d9a3 100644 |
| --- a/content/public/browser/url_data_source.h |
| +++ b/content/public/browser/url_data_source.h |
| @@ -86,7 +86,7 @@ class CONTENT_EXPORT URLDataSource { |
| // Returns true if responses from this URLDataSource can be cached. |
| virtual bool AllowCaching() const; |
| - // If you are overriding this, then you have a bug. |
| + // If you are overriding the following two methods, then you have a bug. |
| // It is not acceptable to disable content-security-policy on chrome:// pages |
| // to permit functionality excluded by CSP, such as inline script. |
| // Instead, you must go back and change your WebUI page so that it is |
| @@ -94,6 +94,11 @@ class CONTENT_EXPORT URLDataSource { |
| // is delivered through the data manager backend. Talk to tsepez for more |
|
Tom Sepez
2016/05/25 19:20:56
change: /Talk to tsepez for more info./Do not disa
wychen
2016/05/25 22:49:41
Done.
|
| // info. |
| virtual bool ShouldAddContentSecurityPolicy() const; |
| + // If you have to allow more permissions, enabling CSP with relaxed script-src |
|
Tom Sepez
2016/05/25 19:20:56
I'd like to wordsmith this comment.
// For pre-ex
wychen
2016/05/25 22:49:41
Done.
|
| + // by overriding the following method is better than disabling CSP outright. |
| + // By default, "script-src chrome://resources 'self' 'unsafe-eval';" is added |
| + // to CSP. Override to change this. |
| + virtual std::string GetContentSecurityPolicyScriptSrc() const; |
| // It is OK to override the following two methods to a custom CSP directive |
| // thereby slightly reducing the protection applied to the page. |
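Review bot: The new comment on `GetContentSecurityPolicyScriptSrc()` does not say what an override must return. The quoted default reads as a complete directive, with the `script-src` name and trailing `;` included, so an override returning only a source list or dropping the `;` would presumably produce a malformed policy. The code that assembles the header is outside this hunk, so that is inferred. The comment also sets no floor on the relaxation: nothing here stops a subclass from returning `'unsafe-inline'`, which re-permits the inline script that the `ShouldAddContentSecurityPolicy()` comment above rules out. I would add `// The returned string must be a complete "script-src ...;" directive.` and `// Never add 'unsafe-inline'; list only the extra sources the page needs.` The class declaration continues outside the hunk.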