author | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-08-02 16:44:56 +0000 |
---|---|---|
committer | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-08-02 16:44:56 +0000 |
commit | b1eed66ff9bc1dd0c2c319c8ff42f8f0d1abc1b3 (patch) | |
tree | dbaaabf08550d211f03dd7cc4c46c38c80a294e0 /webkit/blob | |
parent | 534c4fb35c8c195c6d82e7e12ac303397e796825 (diff) | |
Apply content-security-policy to chrome://appcache-internals and chrome://blob-internals.
Since these files live under /webkit, just hardcode the CSP directive rather
than trying to read it from a resource bundle. Re-write the page to be
completely free of javascript, falling back to form-posts, to avoid having
to pull in an external file.
Review URL: http://codereview.chromium.org/7518011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@95093 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/blob')
-rw-r--r-- | webkit/blob/view_blob_internals_job.cc | 36 |
1 files changed, 13 insertions, 23 deletions
diff --git a/webkit/blob/view_blob_internals_job.cc b/webkit/blob/view_blob_internals_job.cc
index 8e980ec..b105607 100644
--- a/webkit/blob/view_blob_internals_job.cc
+++ b/webkit/blob/view_blob_internals_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -37,27 +37,16 @@ void StartHTML(std::string* out) {
   out->append(
       "<!DOCTYPE HTML>"
       "<html><title>Blob Storage Internals</title>"
-      "<style>"
+      "<meta http-equiv=\"X-WebKit-CSP\""
+      " content=\"obejct-src 'none'; script-src 'none'\">\n"
+      "<style>\n"
       "body { font-family: sans-serif; font-size: 0.8em; }\n"
       "tt, code, pre { font-family: WebKitHack, monospace; }\n"
+      "form { display: inline }\n"
       ".subsection_body { margin: 10px 0 10px 2em; }\n"
       ".subsection_title { font-weight: bold; }\n"
-      "</style>"
-      "<script>\n"
-      // Unfortunately we can't do XHR from chrome://blob-internals
-      // because the chrome:// protocol restricts access.
-      //
-      // So instead, we will send commands by doing a form
-      // submission (which as a side effect will reload the page).
-      "function SubmitCommand(command) {\n"
-      " document.getElementById('cmd').value = command;\n"
-      " document.getElementById('cmdsender').submit();\n"
-      "}\n"
-      "</script>\n"
-      "</head><body>"
-      "<form action='' method=GET id=cmdsender>"
-      "<input type='hidden' id=cmd name='remove'>"
-      "</form>");
+      "</style>\n"
+      "</head><body>\n");
 }
 
 void EndHTML(std::string* out) {
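Review bot: The CSP string added to StartHTML misspells the first directive as `obejct-src`, so a CSP parser treats it as an unknown directive and ignores it; only `script-src 'none'` is actually enforced and plugin content (`<object>`/`<embed>`) stays unrestricted, which is presumably not what the hard-coded policy intends. Change the second added line to `" content=\"object-src 'none'; script-src 'none'\">\n"`. Because the policy is a literal string rather than something the compiler or a resource bundle validates, a unit test asserting that the generated page contains `object-src 'none'` would catch this class of typo; the description says the same policy is applied to chrome://appcache-internals, so if the directive string was copied there it should be checked for the same misspelling.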
@@ -94,10 +83,12 @@ void AddHTMLButton(const std::string& title,
   // No need to escape title since constant string is passed.
   std::string escaped_command = EscapeForHTML(command.c_str());
   base::StringAppendF(out,
-      "<input type=\"button\" value=\"%s\" "
-      "onclick=\"SubmitCommand('%s')\" />",
-      title.c_str(),
-      escaped_command.c_str());
+      "<form action=\"\" method=\"GET\">\n"
+      "<input type=\"hidden\" name=\"remove\" value=\"%s\">\n"
+      "<input type=\"submit\" value=\"%s\">\n"
+      "</form><br/>\n",
+      escaped_command.c_str(),
+      title.c_str());
 }
 
 }  // namespace
@@ -173,7 +164,6 @@ void ViewBlobInternalsJob::GenerateHTML(std::string* out) const {
        ++iter) {
     AddHTMLBoldText(iter->first, out);
     AddHTMLButton(kRemove, iter->first, out);
-    out->append("<br/>");
     GenerateHTMLForBlobData(*iter->second, out);
   }
 }
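Review bot: In AddHTMLButton, `escaped_command` now lands in a double-quoted HTML attribute (`value=\"%s\"`) instead of inside a JavaScript string literal in an `onclick` handler, so the escaping must cover `"` and `&` as well as `<`/`>`; as far as I know EscapeForHTML does escape both quote characters, but since the interpolation context changed this deserves a confirming check or a comment such as `// EscapeForHTML also escapes quotes, which is required inside the value="..." attribute.` Two smaller points: `EscapeForHTML(command.c_str())` can presumably take the `std::string` directly rather than round-tripping through `c_str()`, and the remove command is still sent via GET, so a plain reload of the page re-submits it (pre-existing behaviour, but now one form is emitted per blob row). AddHTMLButton's signature begins outside the hunk.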