authortsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-19 17:41:11 +0000
committertsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-19 17:41:11 +0000
commit323088387fdb3d3debe60c0280b99cdc18803819 (patch)
tree616cea7bca0672cf823c91ae483ba6f35d47f56a
parentd6ec8e0f92b784d359c0d0d90f5d139eb30ea5ad (diff)
Consolidate content-security-policy markup for chrome:// pages into a single file, and have grit preprocess it into all the places it belongs. Also add to resource bundle so that the about handler can return the same thing.
Review URL: http://codereview.chromium.org/7396026 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@93052 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/browser_about_handler.cc8
-rw-r--r--chrome/browser/browser_resources.grd1
-rw-r--r--chrome/browser/resources/about_conflicts.html4
-rw-r--r--chrome/browser/resources/about_flash.html9
-rw-r--r--chrome/browser/resources/about_memory.html8
-rw-r--r--chrome/browser/resources/about_memory_linux.html7
-rw-r--r--chrome/browser/resources/about_memory_mac.html8
-rw-r--r--chrome/browser/resources/about_stats.html10
-rw-r--r--chrome/browser/resources/about_version.html7
-rw-r--r--chrome/browser/resources/content_security_policy.html18
-rw-r--r--chrome/browser/resources/crashes.html6
-rw-r--r--chrome/browser/resources/downloads.html10
-rw-r--r--chrome/browser/resources/extensions_ui.html6
-rw-r--r--chrome/browser/resources/flags.html10
-rw-r--r--chrome/browser/resources/history.html10
-rw-r--r--chrome/browser/resources/options/options.html10
-rw-r--r--chrome/browser/resources/plugins.html10
17 files changed, 38 insertions, 104 deletions
diff --git a/chrome/browser/browser_about_handler.cc b/chrome/browser/browser_about_handler.cc
index 6ee0a36..8b6f8ae 100644
--- a/chrome/browser/browser_about_handler.cc
+++ b/chrome/browser/browser_about_handler.cc
@@ -408,11 +408,9 @@ void AppendHeader(std::string* output, int refresh,
output->append(EscapeForHTML(unescaped_title));
output->append("</title>\n");
}
- output->append(
- "<meta charset=\"utf-8\">\n<meta http-equiv=\"X-WebKit-CSP\" "
- "content=\"object-src 'none'; "
- "script-src chrome-extension://mndnfokpggljbaajbnioimlmbfngpief "
- " 'self' 'unsafe-eval'\">\n");
+ output->append("<meta charset=\"utf-8\">\n");
+ output->append(ResourceBundle::GetSharedInstance().GetRawDataResource(
+ IDR_CONTENT_SECURITY_POLICY_HTML).as_string());
if (refresh > 0) {
output->append("<meta http-equiv=\"refresh\" content=\"");
output->append(base::IntToString(refresh));
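Review bot: Swapping the inline string for the shared resource widens the policy the about handler emits: the removed literal allowed scripts only from the ChromeVox extension origin, `'self'` and `'unsafe-eval'`, while content_security_policy.html also lists `chrome://resources`. The same consolidation in about_conflicts.html goes the other way, adding `chrome-extension://mndnfokpggljbaajbnioimlmbfngpief` to a page that previously allowed only `chrome://resources`. If both widenings are intended, say so in the commit description; otherwise these two callers need a narrower policy than the shared file. It would also help to guard against an empty resource, for example `DCHECK(!csp.empty());` on a local holding the `GetRawDataResource(...)` result, since a missing resource would presumably leave the page with no policy at all. AppendHeader starts and ends outside this hunk.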
diff --git a/chrome/browser/browser_resources.grd b/chrome/browser/browser_resources.grd
index 0590e0f..49c0382 100644
--- a/chrome/browser/browser_resources.grd
+++ b/chrome/browser/browser_resources.grd
@@ -35,6 +35,7 @@
<include name="IDR_CERTIFICATE_VIEWER_JS" file="resources\certificate_viewer.js" type="BINDATA" />
<include name="IDR_CERTIFICATE_VIEWER_CSS" file="resources\certificate_viewer.css" type="BINDATA" />
</if>
+ <include name="IDR_CONTENT_SECURITY_POLICY_HTML" file="resources\content_security_policy.html" type="BINDATA" />
<include name="IDR_CRASHES_HTML" file="resources\crashes.html" flattenhtml="true" allowexternalscript="true" type="BINDATA" />
<include name="IDR_CRASHES_JS" file="resources\crashes.js" type="BINDATA" />
<include name="IDR_CREDITS_HTML" file="resources\about_credits.html" flattenhtml="true" type="BINDATA" />
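Review bot: Nothing in this hunk shows that the pages now carrying `<include src="content_security_policy.html"/>` are flattened by grit; only IDR_CRASHES_HTML and IDR_CREDITS_HTML are visible with `flattenhtml="true"`. If the include is expanded only for flattened resources (worth confirming), any page whose entry lacks the attribute would ship the literal `<include>` tag and no policy. The entries for about_conflicts.html, about_flash.html, the about_memory variants, about_stats.html and about_version.html are outside this hunk, so please check each one. A short comment above the new entry, such as `<!-- Included by chrome:// pages via grit; those entries need flattenhtml="true". -->`, would record the dependency.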
diff --git a/chrome/browser/resources/about_conflicts.html b/chrome/browser/resources/about_conflicts.html
index 6ac20b1..c0bb551 100644
--- a/chrome/browser/resources/about_conflicts.html
+++ b/chrome/browser/resources/about_conflicts.html
@@ -2,9 +2,7 @@
<html i18n-values="dir:textdirection;">
<head>
<meta charset="utf-8">
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources 'self' 'unsafe-eval'">
+<include src="content_security_policy.html"/>
<style>
body {
margin: 10px;
diff --git a/chrome/browser/resources/about_flash.html b/chrome/browser/resources/about_flash.html
index ff619d2..27c9b66 100644
--- a/chrome/browser/resources/about_flash.html
+++ b/chrome/browser/resources/about_flash.html
@@ -1,13 +1,6 @@
<!DOCTYPE HTML>
<html i18n-values="dir:textdirection;">
-<!-- X-WebKit-CSP is our development name for Content-Security-Policy.
- TODO(tsepez) rename when Content-security-policy is done.
--->
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+<include src="content_security_policy.html"/>
<head>
<style>
.key {
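Review bot: The `<include>` on the line before `<head>` keeps the policy outside the head element, where the removed `<meta>` also sat; every other page in this commit places it inside `<head>`. Parsers will likely still fold the meta into an implied head, but the placement is inconsistent and easy to break later. Moving the line to directly after `<head>` would match the other pages.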
diff --git a/chrome/browser/resources/about_memory.html b/chrome/browser/resources/about_memory.html
index 09be7a8..8e1751d 100644
--- a/chrome/browser/resources/about_memory.html
+++ b/chrome/browser/resources/about_memory.html
@@ -6,12 +6,8 @@ about:memory template page
<html id="t">
<head>
<title>About Memory</title>
- <meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
- <link rel="stylesheet" href="shared/css/about_memory.css">
+ <include src="content_security_policy.html"/>
+ <link rel="stylesheet" href="shared/css/about_memory.css">
<style>
body {
font-family: Helvetica, Arial, sans-serif;
diff --git a/chrome/browser/resources/about_memory_linux.html b/chrome/browser/resources/about_memory_linux.html
index 92dce75..652f4bb 100644
--- a/chrome/browser/resources/about_memory_linux.html
+++ b/chrome/browser/resources/about_memory_linux.html
@@ -6,13 +6,8 @@ about:memory template page
<html id="t">
<head>
<title>About Memory</title>
- <meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+ <include src="content_security_policy.html"/>
<link rel="stylesheet" href="shared/css/about_memory.css">
-
<style>
body {
font-family: Arial, Helvetica, sans-serif;
diff --git a/chrome/browser/resources/about_memory_mac.html b/chrome/browser/resources/about_memory_mac.html
index 5515b44..cd29dc5 100644
--- a/chrome/browser/resources/about_memory_mac.html
+++ b/chrome/browser/resources/about_memory_mac.html
@@ -6,12 +6,8 @@ about:memory template page
<html id="t">
<head>
<title>About Memory</title>
- <meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
- <link rel="stylesheet" href="shared/css/about_memory.css">
+ <include src="content_security_policy.html"/>
+ <link rel="stylesheet" href="shared/css/about_memory.css">
<style>
body {
font-family: Helvetica, sans-serif;
diff --git a/chrome/browser/resources/about_stats.html b/chrome/browser/resources/about_stats.html
index 11a8990..60111d1 100644
--- a/chrome/browser/resources/about_stats.html
+++ b/chrome/browser/resources/about_stats.html
@@ -3,15 +3,7 @@
<html id="t">
<head>
<title>About Stats</title>
-<!-- X-WebKit-CSP is our development name for Content-Security-Policy.
- The 'unsafe-eval' is required for jstemplate_compiled.js.
- TODO(tsepez) rename when Content-security-policy is done.
--->
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+<include src="content_security_policy.html"/>
<style>
body {
border-top: 10px solid #3B85E3;
diff --git a/chrome/browser/resources/about_version.html b/chrome/browser/resources/about_version.html
index 04ae1d7..1789ea9 100644
--- a/chrome/browser/resources/about_version.html
+++ b/chrome/browser/resources/about_version.html
@@ -7,12 +7,7 @@ about:version template page
<html id="t">
<head>
<title i18n-content="title"></title>
- <meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src
- chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+ <include src="content_security_policy.html"/>
<style>
body {
font-family:Helvetica,Arial,sans-serif;
diff --git a/chrome/browser/resources/content_security_policy.html b/chrome/browser/resources/content_security_policy.html
new file mode 100644
index 0000000..a0a6581
--- /dev/null
+++ b/chrome/browser/resources/content_security_policy.html
@@ -0,0 +1,18 @@
+<!-- Copyright (c) 2011 The Chromium Authors. All rights reserved.
+ Use of this source code is governed by a BSD-style license that can be
+ found in the LICENSE file.
+-->
+<!-- X-WebKit-CSP is our development name for Content-Security-Policy.
+ TODO(tsepez) rename when Content-security-policy is done.
+ TODO(tsepez) remove unsafe-eval when bidichecker_packaged.js fixed.
+ TODO(tsepez) chrome-extension: permits the ChromeVox screen reader
+ extension to function on these pages. Remove it when the extension
+ is updated to stop injecting script into the pages.
+-->
+<meta
+ http-equiv="X-WebKit-CSP"
+ content="object-src 'none';
+ script-src chrome://resources
+ chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
+ 'self'
+ 'unsafe-eval'">
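Review bot: The consolidated comment names only bidichecker_packaged.js as the reason for `'unsafe-eval'`, but the comments removed from about_stats.html, flags.html and plugins.html said it is required for jstemplate_compiled.js. With that reason dropped, a later cleanup could remove `'unsafe-eval'` once bidichecker is fixed and break the jstemplate pages. Add a line such as `TODO(tsepez) 'unsafe-eval' is also required for jstemplate_compiled.js.` to the comment block. Because the about handler appends this file verbatim, the license and TODO comments also end up in every generated about: page, which may be worth noting in the same comment.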
diff --git a/chrome/browser/resources/crashes.html b/chrome/browser/resources/crashes.html
index a8dfafc..9816989 100644
--- a/chrome/browser/resources/crashes.html
+++ b/chrome/browser/resources/crashes.html
@@ -2,11 +2,7 @@
<html i18n-values="dir:textdirection;">
<head>
<meta charset="utf-8">
- <meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- chrome://resources
- 'self' 'unsafe-eval'">
+ <include src="content_security_policy.html"/>
<title i18n-content="crashesTitle"></title>
<link rel="stylesheet" href="crashes.css">
<script src="chrome://resources/js/local_strings.js"></script>
diff --git a/chrome/browser/resources/downloads.html b/chrome/browser/resources/downloads.html
index 1bd0187..f6c8992 100644
--- a/chrome/browser/resources/downloads.html
+++ b/chrome/browser/resources/downloads.html
@@ -2,15 +2,7 @@
<html i18n-values="dir:textdirection;">
<head>
<meta charset="utf-8">
-<!-- X-WebKit-CSP is our development name for Content-Security-Policy.
- TODO(tsepez) rename when Content-security-policy is done.
- TODO(tsepez) remove unsafe-eval when bidichecker_packaged.js fixed.
--->
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+<include src="content_security_policy.html"/>
<title i18n-content="title"></title>
<link rel="icon" href="../../app/theme/downloads_favicon.png">
<style>
diff --git a/chrome/browser/resources/extensions_ui.html b/chrome/browser/resources/extensions_ui.html
index 2cf11bd..d6c00a5 100644
--- a/chrome/browser/resources/extensions_ui.html
+++ b/chrome/browser/resources/extensions_ui.html
@@ -2,11 +2,7 @@
<html i18n-values="dir:textdirection;">
<head>
<meta charset="utf-8">
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+<include src="content_security_policy.html"/>
<title i18n-content="title"></title>
<style>
body {
diff --git a/chrome/browser/resources/flags.html b/chrome/browser/resources/flags.html
index 659cc88..503cfce 100644
--- a/chrome/browser/resources/flags.html
+++ b/chrome/browser/resources/flags.html
@@ -2,15 +2,7 @@
<html i18n-values="dir:textdirection;">
<head>
<meta charset="utf-8">
-<!-- X-WebKit-CSP is our development name for Content-Security-Policy.
- The 'unsafe-eval' is required for jstemplate_compiled.js.
- TODO(tsepez) rename when Content-security-policy is done.
--->
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+<include src="content_security_policy.html"/>
<link rel="stylesheet" href="flags.css"/>
<script src="chrome://flags/flags.js"></script>
<script src="chrome://flags/strings.js"></script>
diff --git a/chrome/browser/resources/history.html b/chrome/browser/resources/history.html
index ea7386b..5e92220 100644
--- a/chrome/browser/resources/history.html
+++ b/chrome/browser/resources/history.html
@@ -2,15 +2,7 @@
<html i18n-values="dir:textdirection;">
<head>
<meta charset="utf-8">
-<!-- X-WebKit-CSP is our development name for Content-Security-Policy.
- TODO(tsepez) rename when Content-security-policy is done.
- TODO(tsepez) remove unsafe-eval when bidichecker_packaged.js fixed.
--->
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+<include src="content_security_policy.html"/>
<title i18n-content="title"></title>
<link rel="icon" href="../../app/theme/history_favicon.png">
<script src="chrome://resources/js/local_strings.js"></script>
diff --git a/chrome/browser/resources/options/options.html b/chrome/browser/resources/options/options.html
index 6364b32..68c906f 100644
--- a/chrome/browser/resources/options/options.html
+++ b/chrome/browser/resources/options/options.html
@@ -2,15 +2,7 @@
<html id="t" i18n-values="dir:textdirection">
<head>
<meta charset="utf-8">
-<!-- X-WebKit-CSP is our development name for Content-Security-Policy.
- TODO(tsepez) rename when Content-security-policy is done.
- TODO(tsepez) remove unsafe-eval when bidichecker_packaged.js fixed.
--->
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+<include src="../content_security_policy.html"/>
<!-- Set the title to that of the default page so that the title doesn't flash
on load (for the most common case). -->
<title i18n-content="browserPageTabTitle"></title>
diff --git a/chrome/browser/resources/plugins.html b/chrome/browser/resources/plugins.html
index 170b2d8..01b5cd5 100644
--- a/chrome/browser/resources/plugins.html
+++ b/chrome/browser/resources/plugins.html
@@ -2,15 +2,7 @@
<html i18n-values="dir:textdirection;">
<head>
<meta charset="utf-8">
-<!-- X-WebKit-CSP is our development name for Content-Security-Policy.
- The 'unsafe-eval' is required for jstemplate_compiled.js.
- TODO(tsepez) rename when Content-security-policy is done.
--->
-<meta http-equiv="X-WebKit-CSP"
- content="object-src 'none';
- script-src chrome://resources
- chrome-extension://mndnfokpggljbaajbnioimlmbfngpief
- 'self' 'unsafe-eval'">
+<include src="content_security_policy.html"/>
<title i18n-content="pluginsTitle"></title>
<style>
body {