Add content-security-policy directive to print-preview pages.

Since print-preview uses an object tag, relax the object-src restriction in
the content_security_policy.html file.  Also fix typo in print_preview.html
where the object tag has a src="", not a data="" attribute.
Review URL: http://codereview.chromium.org/7566049

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@95850 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/browser_resources.grd

@@ -84,7 +84,8 @@
       <include name="IDR_PLUGINS_HTML" file="resources\plugins.html" flattenhtml="true" allowexternalscript="true" type="BINDATA" />
       <include name="IDR_PLUGINS_JS" file="resources\plugins.js" type="BINDATA" />
       <include name="IDR_READER_OUT_OF_DATE_HTML" file="resources\reader_out_of_date.html" flattenhtml="true" type="BINDATA" />
-      <include name="IDR_PRINT_PREVIEW_HTML" file="resources\print_preview\print_preview.html" flattenhtml="true" type="BINDATA" />
+      <include name="IDR_PRINT_PREVIEW_HTML" file="resources\print_preview\print_preview.html" flattenhtml="true" allowexternalscript="true" type="BINDATA" />
+      <include name="IDR_PRINT_PREVIEW_JS" file="resources\print_preview\print_preview.js" flattenhtml="true" type="BINDATA" />
       <include name="IDR_SAFE_BROWSING_MALWARE_BLOCK" file="resources\safe_browsing_malware_block.html" flattenhtml="true" type="BINDATA" />
       <include name="IDR_SAFE_BROWSING_MULTIPLE_THREAT_BLOCK" file="resources\safe_browsing_multiple_threat_block.html" flattenhtml="true" type="BINDATA" />
       <include name="IDR_SAFE_BROWSING_PHISHING_BLOCK" file="resources\safe_browsing_phishing_block.html" flattenhtml="true" type="BINDATA" />

chrome/browser/resources/content_security_policy.html

@@ -11,7 +11,7 @@
 -->
 <meta
   http-equiv="X-WebKit-CSP"
-  content="object-src 'none';
+  content="object-src 'self';
            script-src chrome://resources
                       chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
                       'self'

chrome/browser/resources/print_preview/print_preview.html

@@ -2,6 +2,7 @@
 <html i18n-values="dir:textdirection;">
 <head>
 <meta charset="utf-8">
+<include src="../content_security_policy.html"/>
 <title i18n-content="title"></title>
 <link rel="icon" href="../../../app/theme/print_preview_favicon.png">
 <link rel="stylesheet" href="../webui.css">
@@ -10,15 +11,8 @@
 <script src="chrome://resources/js/local_strings.js"></script>
 <script src="chrome://resources/js/cr.js"></script>
 <script src="chrome://resources/js/util.js"></script>
-<script src="print_preview.js"></script>
-<script src="print_preview_animations.js"></script>
-<script src="print_preview_cloud.js"></script>
-<script src="print_preview_utils.js"></script>
-<script src="print_header.js"></script>
-<script src="page_settings.js"></script>
-<script src="copies_settings.js"></script>
-<script src="layout_settings.js"></script>
-<script src="color_settings.js"></script>
+<script src="chrome://print/print_preview.js"></script>
+<script src="chrome://print/strings.js"></script>
 </head>
 <body>
   <div id="sidebar">
@@ -70,6 +64,8 @@
   </div>
   <object id="dummy-viewer"
       type="application/x-google-chrome-print-preview-pdf"
-      src="chrome://print/dummy.pdf"></object>
+      data="chrome://print/dummy.pdf"></object>
+  <script src="chrome://resources/js/i18n_template.js"></script>
+  <script src="chrome://resources/js/i18n_process.js"></script>
 </body>
 </html>

chrome/browser/resources/print_preview/print_preview.js

@@ -966,3 +966,12 @@ PrintSettings.prototype.save = function() {
   this.isLandscape = layoutSettings.isLandscape();
 }
 
+/// Pull in all other scripts in a single shot.
+<include src="print_preview_animations.js"/>
+<include src="print_preview_cloud.js"/>
+<include src="print_preview_utils.js"/>
+<include src="print_header.js"/>
+<include src="page_settings.js"/>
+<include src="copies_settings.js"/>
+<include src="layout_settings.js"/>
+<include src="color_settings.js"/>

chrome/browser/ui/webui/chrome_web_ui_data_source.cc

@@ -33,6 +33,9 @@ std::string ChromeWebUIDataSource::GetMimeType(const std::string& path) const {
   if (EndsWith(path, ".js", false))
     return "application/javascript";
 
+  if (EndsWith(path, ".pdf", false))
+    return "application/pdf";
+
   return "text/html";
 }
 

chrome/browser/ui/webui/print_preview_data_source.h

@@ -10,10 +10,11 @@
 
 #include "base/compiler_specific.h"
 #include "chrome/browser/ui/webui/chrome_url_data_manager.h"
+#include "chrome/browser/ui/webui/chrome_web_ui_data_source.h"
 
 // PrintPreviewDataSource serves data for chrome://print requests.
 //
-// The format for requesting data is as follows:
+// The format for requesting PDF data is as follows:
 // chrome://print/<PrintPreviewUIAddrStr>/<PageIndex>/print.pdf
 //
 // Parameters (< > required):
@@ -24,8 +25,10 @@
 //
 // Example:
 //    chrome://print/0xab0123ef/10/print.pdf
-
-class PrintPreviewDataSource : public ChromeURLDataManager::DataSource {
+//
+// Requests to chrome://print with paths not ending in /print.pdf are used
+// to return the markup or other resources for the print preview page itself.
+class PrintPreviewDataSource : public ChromeWebUIDataSource {
  public:
   PrintPreviewDataSource();
 
@@ -33,8 +36,6 @@ class PrintPreviewDataSource : public ChromeURLDataManager::DataSource {
   virtual void StartDataRequest(const std::string& path,
                                 bool is_incognito,
                                 int request_id) OVERRIDE;
-  virtual std::string GetMimeType(const std::string& path) const OVERRIDE;
-
  private:
   virtual ~PrintPreviewDataSource();