1
    2
    3
    4
    5
    6
    7
    8
    9
   10
   11
   12
   13
   14
   15
   16
   17
   18
   19
   20
   21
   22
   23
   24
   25
   26
   27
   28
   29
   30
   31
   32
   33
   34
   35
   36
   37
   38
   39
   40
   41
   42
   43
   44
   45
   46
   47
   48
   49
   50
   51
   52
   53
   54
   55
   56
   57
   58
   59
   60


ash / webui / file_manager / file_manager_untrusted_ui.cc [blame]

// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/40285824): Remove this and convert code to safer constructs.
#pragma allow_unsafe_buffers
#endif

#include "ash/webui/file_manager/file_manager_untrusted_ui.h"

#include "ash/webui/file_manager/untrusted_resources/grit/file_manager_untrusted_resources.h"
#include "ash/webui/file_manager/untrusted_resources/grit/file_manager_untrusted_resources_map.h"
#include "ash/webui/file_manager/url_constants.h"
#include "content/public/browser/web_contents.h"
#include "content/public/browser/web_ui.h"
#include "content/public/browser/web_ui_data_source.h"
#include "content/public/common/url_constants.h"
#include "url/gurl.h"

namespace ash {
namespace file_manager {

FileManagerUntrustedUIConfig::FileManagerUntrustedUIConfig()
    : DefaultWebUIConfig(content::kChromeUIUntrustedScheme,
                         kChromeUIFileManagerUntrustedHost) {}

FileManagerUntrustedUIConfig::~FileManagerUntrustedUIConfig() = default;

FileManagerUntrustedUI::FileManagerUntrustedUI(content::WebUI* web_ui)
    : ui::UntrustedWebUIController(web_ui) {
  content::WebUIDataSource* untrusted_source =
      content::WebUIDataSource::CreateAndAdd(
          web_ui->GetWebContents()->GetBrowserContext(),
          kChromeUIFileManagerUntrustedURL);

  untrusted_source->AddResourcePaths(kFileManagerUntrustedResources);

  untrusted_source->AddFrameAncestor(GURL(kChromeUIFileManagerURL));

  // By default, prevent all network access. Allow framing blob: URLs for
  // browsable content.
  untrusted_source->OverrideContentSecurityPolicy(
      network::mojom::CSPDirectiveName::FrameSrc, "frame-src blob: 'self';");

  // Allow <img>, <audio>, <video> to handle blob: and data: URLs.
  untrusted_source->OverrideContentSecurityPolicy(
      network::mojom::CSPDirectiveName::DefaultSrc,
      "default-src blob: data: 'self';");

  // Allow inline styling.
  untrusted_source->OverrideContentSecurityPolicy(
      network::mojom::CSPDirectiveName::StyleSrc,
      "style-src 'unsafe-inline' 'self';");
}

FileManagerUntrustedUI::~FileManagerUntrustedUI() = default;

}  // namespace file_manager
}  // namespace ash