| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/webui/url_data_manager_backend.h" | 5 #include "content/browser/webui/url_data_manager_backend.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| 151 void set_content_security_policy_object_source( | 151 void set_content_security_policy_object_source( |
| 152 const std::string& data) { | 152 const std::string& data) { |
| 153 content_security_policy_object_source_ = data; | 153 content_security_policy_object_source_ = data; |
| 154 } | 154 } |
| 155 | 155 |
| 156 void set_content_security_policy_script_source( | 156 void set_content_security_policy_script_source( |
| 157 const std::string& data) { | 157 const std::string& data) { |
| 158 content_security_policy_script_source_ = data; | 158 content_security_policy_script_source_ = data; |
| 159 } | 159 } |
| 160 | 160 |
| 161 void set_content_security_policy_frame_source( | 161 void set_content_security_policy_child_source( |
| 162 const std::string& data) { | 162 const std::string& data) { |
| 163 content_security_policy_frame_source_ = data; | 163 content_security_policy_child_source_ = data; |
| 164 } | 164 } |
| 165 | 165 |
| 166 void set_content_security_policy_style_source( | 166 void set_content_security_policy_style_source( |
| 167 const std::string& data) { | 167 const std::string& data) { |
| 168 content_security_policy_style_source_ = data; | 168 content_security_policy_style_source_ = data; |
| 169 } | 169 } |
| 170 | 170 |
| 171 void set_content_security_policy_image_source( | 171 void set_content_security_policy_image_source( |
| 172 const std::string& data) { | 172 const std::string& data) { |
| 173 content_security_policy_image_source_ = data; | 173 content_security_policy_image_source_ = data; |
| 216 | 216 |
| 217 // If true, set a header in the response to prevent it from being cached. | 217 // If true, set a header in the response to prevent it from being cached. |
| 218 bool allow_caching_; | 218 bool allow_caching_; |
| 219 | 219 |
| 220 // If true, set the Content Security Policy (CSP) header. | 220 // If true, set the Content Security Policy (CSP) header. |
| 221 bool add_content_security_policy_; | 221 bool add_content_security_policy_; |
| 222 | 222 |
| 223 // These are used with the CSP. | 223 // These are used with the CSP. |
| 224 std::string content_security_policy_script_source_; | 224 std::string content_security_policy_script_source_; |
| 225 std::string content_security_policy_object_source_; | 225 std::string content_security_policy_object_source_; |
| 226 std::string content_security_policy_frame_source_; | 226 std::string content_security_policy_child_source_; |
| 227 std::string content_security_policy_style_source_; | 227 std::string content_security_policy_style_source_; |
| 228 std::string content_security_policy_image_source_; | 228 std::string content_security_policy_image_source_; |
| 229 | 229 |
| 230 // If true, sets the "X-Frame-Options: DENY" header. | 230 // If true, sets the "X-Frame-Options: DENY" header. |
| 231 bool deny_xframe_options_; | 231 bool deny_xframe_options_; |
| 232 | 232 |
| 233 // If true, sets the "Content-Type: <mime-type>" header. | 233 // If true, sets the "Content-Type: <mime-type>" header. |
| 234 bool send_content_type_header_; | 234 bool send_content_type_header_; |
| 235 | 235 |
| 236 // If not empty, "Access-Control-Allow-Origin:" is set to the value of this | 236 // If not empty, "Access-Control-Allow-Origin:" is set to the value of this |
| 302 // indistiguishable from other error types. Instant relies on getting a 200. | 302 // indistiguishable from other error types. Instant relies on getting a 200. |
| 303 info->headers = new net::HttpResponseHeaders("HTTP/1.1 200 OK"); | 303 info->headers = new net::HttpResponseHeaders("HTTP/1.1 200 OK"); |
| 304 | 304 |
| 305 // Determine the least-privileged content security policy header, if any, | 305 // Determine the least-privileged content security policy header, if any, |
| 306 // that is compatible with a given WebUI URL, and append it to the existing | 306 // that is compatible with a given WebUI URL, and append it to the existing |
| 307 // response headers. | 307 // response headers. |
| 308 if (add_content_security_policy_) { | 308 if (add_content_security_policy_) { |
| 309 std::string base = kChromeURLContentSecurityPolicyHeaderBase; | 309 std::string base = kChromeURLContentSecurityPolicyHeaderBase; |
| 310 base.append(content_security_policy_script_source_); | 310 base.append(content_security_policy_script_source_); |
| 311 base.append(content_security_policy_object_source_); | 311 base.append(content_security_policy_object_source_); |
| 312 base.append(content_security_policy_frame_source_); | 312 base.append(content_security_policy_child_source_); |
| 313 base.append(content_security_policy_style_source_); | 313 base.append(content_security_policy_style_source_); |
| 314 base.append(content_security_policy_image_source_); | 314 base.append(content_security_policy_image_source_); |
| 315 info->headers->AddHeader(base); | 315 info->headers->AddHeader(base); |
| 316 } | 316 } |
| 317 | 317 |
| 318 if (deny_xframe_options_) | 318 if (deny_xframe_options_) |
| 319 info->headers->AddHeader(kChromeURLXFrameOptionsHeader); | 319 info->headers->AddHeader(kChromeURLXFrameOptionsHeader); |
| 320 | 320 |
| 321 if (!allow_caching_) | 321 if (!allow_caching_) |
| 322 info->headers->AddHeader("Cache-Control: no-cache"); | 322 info->headers->AddHeader("Cache-Control: no-cache"); |
| 588 RequestID request_id = next_request_id_++; | 588 RequestID request_id = next_request_id_++; |
| 589 pending_requests_.insert(std::make_pair(request_id, job)); | 589 pending_requests_.insert(std::make_pair(request_id, job)); |
| 590 | 590 |
| 591 job->set_allow_caching(source->source()->AllowCaching()); | 591 job->set_allow_caching(source->source()->AllowCaching()); |
| 592 job->set_add_content_security_policy( | 592 job->set_add_content_security_policy( |
| 593 source->source()->ShouldAddContentSecurityPolicy()); | 593 source->source()->ShouldAddContentSecurityPolicy()); |
| 594 job->set_content_security_policy_script_source( | 594 job->set_content_security_policy_script_source( |
| 595 source->source()->GetContentSecurityPolicyScriptSrc()); | 595 source->source()->GetContentSecurityPolicyScriptSrc()); |
| 596 job->set_content_security_policy_object_source( | 596 job->set_content_security_policy_object_source( |
| 597 source->source()->GetContentSecurityPolicyObjectSrc()); | 597 source->source()->GetContentSecurityPolicyObjectSrc()); |
| 598 job->set_content_security_policy_frame_source( | 598 job->set_content_security_policy_child_source( |
| 599 source->source()->GetContentSecurityPolicyFrameSrc()); | 599 source->source()->GetContentSecurityPolicyChildSrc()); |
| 600 job->set_content_security_policy_style_source( | 600 job->set_content_security_policy_style_source( |
| 601 source->source()->GetContentSecurityPolicyStyleSrc()); | 601 source->source()->GetContentSecurityPolicyStyleSrc()); |
| 602 job->set_content_security_policy_image_source( | 602 job->set_content_security_policy_image_source( |
| 603 source->source()->GetContentSecurityPolicyImgSrc()); | 603 source->source()->GetContentSecurityPolicyImgSrc()); |
| 604 job->set_deny_xframe_options( | 604 job->set_deny_xframe_options( |
| 605 source->source()->ShouldDenyXFrameOptions()); | 605 source->source()->ShouldDenyXFrameOptions()); |
| 606 job->set_send_content_type_header( | 606 job->set_send_content_type_header( |
| 607 source->source()->ShouldServeMimeTypeAsContentTypeHeader()); | 607 source->source()->ShouldServeMimeTypeAsContentTypeHeader()); |
| 608 | 608 |
| 609 std::string origin = GetOriginHeaderValue(request); | 609 std::string origin = GetOriginHeaderValue(request); |
| 764 | 764 |
| 765 } // namespace | 765 } // namespace |
| 766 | 766 |
| 767 net::URLRequestJobFactory::ProtocolHandler* | 767 net::URLRequestJobFactory::ProtocolHandler* |
| 768 CreateDevToolsProtocolHandler(content::ResourceContext* resource_context, | 768 CreateDevToolsProtocolHandler(content::ResourceContext* resource_context, |
| 769 bool is_incognito) { | 769 bool is_incognito) { |
| 770 return new DevToolsJobFactory(resource_context, is_incognito); | 770 return new DevToolsJobFactory(resource_context, is_incognito); |
| 771 } | 771 } |
| 772 | 772 |
| 773 } // namespace content | 773 } // namespace content |
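Review bot: A data source that still overrides only the old `GetContentSecurityPolicyFrameSrc()` name would silently lose its custom frame restriction once the call at new line 599 reads `GetContentSecurityPolicyChildSrc()`, if these getters are virtual and the overrides are not marked `override`. The declarations are outside this file, so that needs confirming against every subclass. The returned string is appended verbatim into the CSP header at new line 312, so nothing in this file would notice a source falling back to the default value. If the directive carried by this member is now `child-src`, it presumably governs worker contexts as well as nested frames, which is worth recording at the declaration on new line 226, e.g. `// Complete "child-src ...;" directive; applies to nested frames and workers.`. The functions around new lines 312 and 599 start and end outside the visible lines.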
| OLD | NEW |