Allow the PDF extension for chrome://print pages.

We have an experiment running that would disable parser-inserted usage of 'chrome-extension://' URLs unless explicitly whitelisted. This breaks the print preview page, which relies on the PDF extension URLs inside an HTML import. So. This patch adds a mechanism for whitelisting that extension URL for the print preview page. BUG=667224 R=tsepez@chromium.org Review-Url: https://codereview.chromium.org/2528903002 Cr-Commit-Position: refs/heads/master@{#434770}

Allow the PDF extension for chrome://print pages.
We have an experiment running that would disable parser-inserted usage of 'chrome-extension://' URLs unless explicitly whitelisted. This breaks the print preview page, which relies on the PDF extension URLs inside an HTML import. So. This patch adds a mechanism for whitelisting that extension URL for the print preview page. BUG=667224 R=tsepez@chromium.org Review-Url: https://codereview.chromium.org/2528903002 Cr-Commit-Position: refs/heads/master@{#434770}
c5dd67fc · mkwst · Commit bot · 994db999 · c5dd67fc · c5dd67fc
Commit c5dd67fc authored Nov 28, 2016 by mkwst Committed by Commit bot Nov 28, 2016
4 changed files
--- a/chrome/browser/ui/webui/print_preview/print_preview_ui.cc
+++ b/chrome/browser/ui/webui/print_preview/print_preview_ui.cc
@@ -16,6 +16,7 @@
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
+#include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/synchronization/lock.h"
 #include "base/values.h"
@@ -37,6 +38,7 @@
 #include "content/public/browser/url_data_source.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_ui_data_source.h"
+#include "extensions/common/constants.h"
 #include "printing/features/features.h"
 #include "printing/page_size_margins.h"
 #include "printing/print_job_constants.h"
@@ -397,6 +399,10 @@ content::WebUIDataSource* CreatePrintPreviewUISource() {
                          IDR_PRINT_PREVIEW_IMAGES_MOBILE_SHARED);
  source->SetDefaultResource(IDR_PRINT_PREVIEW_HTML);
  source->SetRequestFilter(base::Bind(&HandleRequestCallback));
+  source->OverrideContentSecurityPolicyScriptSrc(
+      base::StringPrintf("script-src chrome://resources 'self' 'unsafe-eval' "
+                         "chrome-extension://%s;",
+                         extension_misc::kPdfExtensionId));
  source->OverrideContentSecurityPolicyChildSrc("child-src 'self';");
  source->DisableDenyXFrameOptions();
  source->OverrideContentSecurityPolicyObjectSrc("object-src 'self';");

--- a/content/browser/webui/web_ui_data_source_impl.cc
+++ b/content/browser/webui/web_ui_data_source_impl.cc
@@ -61,6 +61,11 @@ class WebUIDataSourceImpl::InternalDataSource : public URLDataSource {
  bool ShouldAddContentSecurityPolicy() const override {
    return parent_->add_csp_;
  }
+  std::string GetContentSecurityPolicyScriptSrc() const override {
+    if (parent_->script_src_set_)
+      return parent_->script_src_;
+    return URLDataSource::GetContentSecurityPolicyScriptSrc();
+  }
  std::string GetContentSecurityPolicyObjectSrc() const override {
    if (parent_->object_src_set_)
      return parent_->object_src_;
@@ -88,6 +93,7 @@ WebUIDataSourceImpl::WebUIDataSourceImpl(const std::string& source_name)
      source_name_(source_name),
      default_resource_(-1),
      add_csp_(true),
+      script_src_set_(false),
      object_src_set_(false),
      frame_src_set_(false),
      deny_xframe_options_(true),
@@ -180,6 +186,12 @@ void WebUIDataSourceImpl::DisableContentSecurityPolicy() {
  add_csp_ = false;
 }

+void WebUIDataSourceImpl::OverrideContentSecurityPolicyScriptSrc(
+    const std::string& data) {
+  script_src_set_ = true;
+  script_src_ = data;
+}
+
 void WebUIDataSourceImpl::OverrideContentSecurityPolicyObjectSrc(
    const std::string& data) {
  object_src_set_ = true;

--- a/content/browser/webui/web_ui_data_source_impl.h
+++ b/content/browser/webui/web_ui_data_source_impl.h
@@ -45,6 +45,7 @@ class CONTENT_EXPORT WebUIDataSourceImpl
      const WebUIDataSource::HandleRequestCallback& callback) override;
  void DisableReplaceExistingSource() override;
  void DisableContentSecurityPolicy() override;
+  void OverrideContentSecurityPolicyScriptSrc(const std::string& data) override;
  void OverrideContentSecurityPolicyObjectSrc(const std::string& data) override;
  void OverrideContentSecurityPolicyChildSrc(const std::string& data) override;
  void DisableDenyXFrameOptions() override;
@@ -97,6 +98,8 @@ class CONTENT_EXPORT WebUIDataSourceImpl
  base::DictionaryValue localized_strings_;
  WebUIDataSource::HandleRequestCallback filter_callback_;
  bool add_csp_;
+  bool script_src_set_;
+  std::string script_src_;
  bool object_src_set_;
  std::string object_src_;
  bool frame_src_set_;

--- a/content/public/browser/web_ui_data_source.h
+++ b/content/public/browser/web_ui_data_source.h
@@ -87,6 +87,8 @@ class WebUIDataSource {
  // Currently only used by embedders for WebUIs with multiple instances.
  virtual void DisableReplaceExistingSource() = 0;
  virtual void DisableContentSecurityPolicy() = 0;
+  virtual void OverrideContentSecurityPolicyScriptSrc(
+      const std::string& data) = 0;
  virtual void OverrideContentSecurityPolicyObjectSrc(
      const std::string& data) = 0;
  virtual void OverrideContentSecurityPolicyChildSrc(