Replace frame-src with child-src in WebUI CSP

"frame-src" is deprecated, and is replaced by "child-src". BUG=81636, 336788 Review-Url: https://codereview.chromium.org/2012393003 Cr-Commit-Position: refs/heads/master@{#397869}

Replace frame-src with child-src in WebUI CSP
"frame-src" is deprecated, and is replaced by "child-src". BUG=81636, 336788 Review-Url: https://codereview.chromium.org/2012393003 Cr-Commit-Position: refs/heads/master@{#397869}
d6eb7796 · wychen · Commit bot · 030567f4 · d6eb7796 · d6eb7796
Commit d6eb7796 authored Jun 03, 2016 by wychen Committed by Commit bot Jun 04, 2016
16 changed files
--- a/chrome/browser/search/local_ntp_source.cc
+++ b/chrome/browser/search/local_ntp_source.cc
@@ -270,8 +270,8 @@ bool LocalNtpSource::ShouldServiceRequest(
  return false;
 }

-std::string LocalNtpSource::GetContentSecurityPolicyFrameSrc() const {
+std::string LocalNtpSource::GetContentSecurityPolicyChildSrc() const {
  // Allow embedding of most visited iframes.
-  return base::StringPrintf("frame-src %s;",
+  return base::StringPrintf("child-src %s;",
                            chrome::kChromeSearchMostVisitedUrl);
 }
--- a/chrome/browser/search/local_ntp_source.h
+++ b/chrome/browser/search/local_ntp_source.h
@@ -29,7 +29,7 @@ class LocalNtpSource : public content::URLDataSource {
      const content::URLDataSource::GotDataCallback& callback) override;
  std::string GetMimeType(const std::string& path) const override;
  bool ShouldServiceRequest(const net::URLRequest* request) const override;
-  std::string GetContentSecurityPolicyFrameSrc() const override;
+  std::string GetContentSecurityPolicyChildSrc() const override;

  Profile* profile_;


--- a/chrome/browser/ui/webui/chromeos/login/oobe_ui.cc
+++ b/chrome/browser/ui/webui/chromeos/login/oobe_ui.cc
@@ -152,9 +152,9 @@ content::WebUIDataSource* CreateOobeUIDataSource(
                            IDR_CUSTOM_ELEMENTS_LOGIN_JS);
  }
  source->AddResourcePath(kKeyboardUtilsJSPath, IDR_KEYBOARD_UTILS_JS);
-  source->OverrideContentSecurityPolicyFrameSrc(
+  source->OverrideContentSecurityPolicyChildSrc(
      base::StringPrintf(
-          "frame-src chrome://terms/ %s/;",
+          "child-src chrome://terms/ %s/;",
          extensions::kGaiaAuthExtensionOrigin));
  source->OverrideContentSecurityPolicyObjectSrc("object-src *;");
  source->AddResourcePath("gaia_auth_host.js",

--- a/chrome/browser/ui/webui/ntp/new_tab_ui.cc
+++ b/chrome/browser/ui/webui/ntp/new_tab_ui.cc
@@ -245,9 +245,9 @@ std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyImgSrc()
  return "img-src chrome-search://thumb chrome-search://thumb2 data:;";
 }

-std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyFrameSrc()
+std::string NewTabUI::NewTabHTMLSource::GetContentSecurityPolicyChildSrc()
    const {
-  return "frame-src chrome-search://most-visited;";
+  return "child-src chrome-search://most-visited;";
 }

 void NewTabUI::NewTabHTMLSource::AddResource(const char* resource,

--- a/chrome/browser/ui/webui/ntp/new_tab_ui.h
+++ b/chrome/browser/ui/webui/ntp/new_tab_ui.h
@@ -71,7 +71,7 @@ class NewTabUI : public content::WebUIController {
    std::string GetContentSecurityPolicyScriptSrc() const override;
    std::string GetContentSecurityPolicyStyleSrc() const override;
    std::string GetContentSecurityPolicyImgSrc() const override;
-    std::string GetContentSecurityPolicyFrameSrc() const override;
+    std::string GetContentSecurityPolicyChildSrc() const override;

    // Adds |resource| to the source. |resource_id| is resource id or 0,
    // which means return empty data set. |mime_type| is mime type of the

--- a/chrome/browser/ui/webui/print_preview/print_preview_ui.cc
+++ b/chrome/browser/ui/webui/print_preview/print_preview_ui.cc
@@ -391,7 +391,7 @@ content::WebUIDataSource* CreatePrintPreviewUISource() {
                          IDR_PRINT_PREVIEW_IMAGES_MOBILE_SHARED);
  source->SetDefaultResource(IDR_PRINT_PREVIEW_HTML);
  source->SetRequestFilter(base::Bind(&HandleRequestCallback));
-  source->OverrideContentSecurityPolicyFrameSrc("frame-src 'self';");
+  source->OverrideContentSecurityPolicyChildSrc("child-src 'self';");
  source->DisableDenyXFrameOptions();
  source->OverrideContentSecurityPolicyObjectSrc("object-src 'self';");
  source->AddLocalizedString("moreOptionsLabel", IDS_MORE_OPTIONS_LABEL);

--- a/chrome/browser/ui/webui/signin/inline_login_ui.cc
+++ b/chrome/browser/ui/webui/signin/inline_login_ui.cc
@@ -28,7 +28,7 @@ namespace {
 content::WebUIDataSource* CreateWebUIDataSource() {
  content::WebUIDataSource* source =
        content::WebUIDataSource::Create(chrome::kChromeUIChromeSigninHost);
-  source->OverrideContentSecurityPolicyFrameSrc("frame-src chrome-extension:;");
+  source->OverrideContentSecurityPolicyChildSrc("child-src chrome-extension:;");
  source->OverrideContentSecurityPolicyObjectSrc("object-src *;");
  source->SetJsonPath("strings.js");


--- a/chrome/browser/ui/webui/uber/uber_ui.cc
+++ b/chrome/browser/ui/webui/uber/uber_ui.cc
@@ -45,7 +45,7 @@ content::WebUIDataSource* CreateUberHTMLSource() {
  source->AddResourcePath("uber.js", IDR_UBER_JS);
  source->AddResourcePath("uber_utils.js", IDR_UBER_UTILS_JS);
  source->SetDefaultResource(IDR_UBER_HTML);
-  source->OverrideContentSecurityPolicyFrameSrc("frame-src chrome:;");
+  source->OverrideContentSecurityPolicyChildSrc("child-src chrome:;");

  // Hack alert: continue showing "Loading..." until a real title is set.
  source->AddLocalizedString("pageTitle", IDS_TAB_LOADING_TITLE);
@@ -115,7 +115,7 @@ content::WebUIDataSource* CreateUberFrameHTMLSource(
      && !overrides_history);

  source->DisableDenyXFrameOptions();
-  source->OverrideContentSecurityPolicyFrameSrc("frame-src chrome:;");
+  source->OverrideContentSecurityPolicyChildSrc("child-src chrome:;");

  source->AddBoolean("profileIsGuest",
      Profile::FromBrowserContext(browser_context)->IsGuestSession());

--- a/components/dom_distiller/content/browser/dom_distiller_viewer_source.cc
+++ b/components/dom_distiller/content/browser/dom_distiller_viewer_source.cc
@@ -285,8 +285,8 @@ std::string DomDistillerViewerSource::GetContentSecurityPolicyStyleSrc()
  return "style-src 'self' https://fonts.googleapis.com;";
 }

-std::string DomDistillerViewerSource::GetContentSecurityPolicyFrameSrc() const {
-  return "frame-src *;";
+std::string DomDistillerViewerSource::GetContentSecurityPolicyChildSrc() const {
+  return "child-src *;";
 }

 }  // namespace dom_distiller
--- a/components/dom_distiller/content/browser/dom_distiller_viewer_source.h
+++ b/components/dom_distiller/content/browser/dom_distiller_viewer_source.h
@@ -42,7 +42,7 @@ class DomDistillerViewerSource : public content::URLDataSource {
  void WillServiceRequest(const net::URLRequest* request,
                          std::string* path) const override;
  std::string GetContentSecurityPolicyStyleSrc() const override;
-  std::string GetContentSecurityPolicyFrameSrc() const override;
+  std::string GetContentSecurityPolicyChildSrc() const override;

 private:
  friend class DomDistillerViewerSourceTest;

--- a/content/browser/webui/url_data_manager_backend.cc
+++ b/content/browser/webui/url_data_manager_backend.cc
@@ -158,9 +158,9 @@ class URLRequestChromeJob : public net::URLRequestJob {
    content_security_policy_script_source_ = data;
  }

-  void set_content_security_policy_frame_source(
+  void set_content_security_policy_child_source(
      const std::string& data) {
-    content_security_policy_frame_source_ = data;
+    content_security_policy_child_source_ = data;
  }

  void set_content_security_policy_style_source(
@@ -230,7 +230,7 @@ class URLRequestChromeJob : public net::URLRequestJob {
  // These are used with the CSP.
  std::string content_security_policy_script_source_;
  std::string content_security_policy_object_source_;
-  std::string content_security_policy_frame_source_;
+  std::string content_security_policy_child_source_;
  std::string content_security_policy_style_source_;
  std::string content_security_policy_image_source_;

@@ -331,7 +331,7 @@ void URLRequestChromeJob::GetResponseInfo(net::HttpResponseInfo* info) {
    std::string base = kChromeURLContentSecurityPolicyHeaderBase;
    base.append(content_security_policy_script_source_);
    base.append(content_security_policy_object_source_);
-    base.append(content_security_policy_frame_source_);
+    base.append(content_security_policy_child_source_);
    base.append(content_security_policy_style_source_);
    base.append(content_security_policy_image_source_);
    info->headers->AddHeader(base);
@@ -625,8 +625,8 @@ bool URLDataManagerBackend::StartRequest(const net::URLRequest* request,
      source->source()->GetContentSecurityPolicyScriptSrc());
  job->set_content_security_policy_object_source(
      source->source()->GetContentSecurityPolicyObjectSrc());
-  job->set_content_security_policy_frame_source(
-      source->source()->GetContentSecurityPolicyFrameSrc());
+  job->set_content_security_policy_child_source(
+      source->source()->GetContentSecurityPolicyChildSrc());
  job->set_content_security_policy_style_source(
      source->source()->GetContentSecurityPolicyStyleSrc());
  job->set_content_security_policy_image_source(

--- a/content/browser/webui/web_ui_data_source_impl.cc
+++ b/content/browser/webui/web_ui_data_source_impl.cc
@@ -66,10 +66,10 @@ class WebUIDataSourceImpl::InternalDataSource : public URLDataSource {
      return parent_->object_src_;
    return URLDataSource::GetContentSecurityPolicyObjectSrc();
  }
-  std::string GetContentSecurityPolicyFrameSrc() const override {
+  std::string GetContentSecurityPolicyChildSrc() const override {
    if (parent_->frame_src_set_)
      return parent_->frame_src_;
-    return URLDataSource::GetContentSecurityPolicyFrameSrc();
+    return URLDataSource::GetContentSecurityPolicyChildSrc();
  }
  bool ShouldDenyXFrameOptions() const override {
    return parent_->deny_xframe_options_;
@@ -169,7 +169,7 @@ void WebUIDataSourceImpl::OverrideContentSecurityPolicyObjectSrc(
  object_src_ = data;
 }

-void WebUIDataSourceImpl::OverrideContentSecurityPolicyFrameSrc(
+void WebUIDataSourceImpl::OverrideContentSecurityPolicyChildSrc(
    const std::string& data) {
  frame_src_set_ = true;
  frame_src_ = data;

--- a/content/browser/webui/web_ui_data_source_impl.h
+++ b/content/browser/webui/web_ui_data_source_impl.h
@@ -42,7 +42,7 @@ class CONTENT_EXPORT WebUIDataSourceImpl
  void DisableReplaceExistingSource() override;
  void DisableContentSecurityPolicy() override;
  void OverrideContentSecurityPolicyObjectSrc(const std::string& data) override;
-  void OverrideContentSecurityPolicyFrameSrc(const std::string& data) override;
+  void OverrideContentSecurityPolicyChildSrc(const std::string& data) override;
  void DisableDenyXFrameOptions() override;

 protected:

--- a/content/public/browser/url_data_source.cc
+++ b/content/public/browser/url_data_source.cc
@@ -44,8 +44,8 @@ std::string URLDataSource::GetContentSecurityPolicyObjectSrc() const {
  return "object-src 'none';";
 }

-std::string URLDataSource::GetContentSecurityPolicyFrameSrc() const {
-  return "frame-src 'none';";
+std::string URLDataSource::GetContentSecurityPolicyChildSrc() const {
+  return "child-src 'none';";
 }

 std::string URLDataSource::GetContentSecurityPolicyStyleSrc() const {

--- a/content/public/browser/url_data_source.h
+++ b/content/public/browser/url_data_source.h
@@ -107,8 +107,8 @@ class CONTENT_EXPORT URLDataSource {

  // By default, "object-src 'none';" is added to CSP. Override to change this.
  virtual std::string GetContentSecurityPolicyObjectSrc() const;
-  // By default, "frame-src 'none';" is added to CSP. Override to change this.
-  virtual std::string GetContentSecurityPolicyFrameSrc() const;
+  // By default, "child-src 'none';" is added to CSP. Override to change this.
+  virtual std::string GetContentSecurityPolicyChildSrc() const;
  // By default empty. Override to change this.
  virtual std::string GetContentSecurityPolicyStyleSrc() const;
  // By default empty. Override to change this.

--- a/content/public/browser/web_ui_data_source.h
+++ b/content/public/browser/web_ui_data_source.h
@@ -82,7 +82,7 @@ class WebUIDataSource {
  virtual void DisableContentSecurityPolicy() = 0;
  virtual void OverrideContentSecurityPolicyObjectSrc(
      const std::string& data) = 0;
-  virtual void OverrideContentSecurityPolicyFrameSrc(
+  virtual void OverrideContentSecurityPolicyChildSrc(
      const std::string& data) = 0;
  virtual void DisableDenyXFrameOptions() = 0;
 };