Add method to override content security policy for workers

Lottie player runs on a worker thread to paint on an offscreen canvas.
To enable this on chrome internal pages the content security policy
needs to be modified. This patch adds a virtual method that can be used
to add content security policy for worker source url.

A Worker thread is initialized here:
https://chromium-review.googlesource.com/c/chromium/src/+/1725322

Bug: 976057
Change-Id: I91ad1c46c86475d496e6b5b993d9523f12736607
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1724865
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Malay Keshav <malaykeshav@chromium.org>
Cr-Commit-Position: refs/heads/master@{#688672}

content/browser/webui/url_data_manager_backend.cc

@@ -136,6 +136,7 @@ scoped_refptr<net::HttpResponseHeaders> URLDataManagerBackend::GetHeaders(
     base.append(source->GetContentSecurityPolicyChildSrc());
     base.append(source->GetContentSecurityPolicyStyleSrc());
     base.append(source->GetContentSecurityPolicyImgSrc());
+    base.append(source->GetContentSecurityPolicyWorkerSrc());
     headers->AddHeader(base);
   }
 

content/browser/webui/web_ui_data_source_impl.cc

@@ -109,15 +109,7 @@ WebUIDataSourceImpl::WebUIDataSourceImpl(const std::string& source_name)
     : URLDataSourceImpl(source_name,
                         std::make_unique<InternalDataSource>(this)),
       source_name_(source_name),
-      default_resource_(-1),
-      add_csp_(true),
-      script_src_set_(false),
-      object_src_set_(false),
-      frame_src_set_(false),
-      deny_xframe_options_(true),
-      add_load_time_data_defaults_(true),
-      replace_existing_source_(true),
-      should_replace_i18n_in_js_(false) {}
+      default_resource_(-1) {}
 
 WebUIDataSourceImpl::~WebUIDataSourceImpl() {
 }

content/browser/webui/web_ui_data_source_impl.h

@@ -113,17 +113,17 @@ class CONTENT_EXPORT WebUIDataSourceImpl : public URLDataSourceImpl,
   WebUIDataSource::HandleRequestCallback filter_callback_;
   WebUIDataSource::ShouldHandleRequestCallback should_handle_request_callback_;
 
-  bool add_csp_;
-  bool script_src_set_;
+  bool add_csp_ = true;
+  bool script_src_set_ = false;
   std::string script_src_;
-  bool object_src_set_;
+  bool object_src_set_ = false;
   std::string object_src_;
-  bool frame_src_set_;
+  bool frame_src_set_ = false;
   std::string frame_src_;
-  bool deny_xframe_options_;
-  bool add_load_time_data_defaults_;
-  bool replace_existing_source_;
-  bool should_replace_i18n_in_js_;
+  bool deny_xframe_options_ = true;
+  bool add_load_time_data_defaults_ = true;
+  bool replace_existing_source_ = true;
+  bool should_replace_i18n_in_js_ = false;
 
   DISALLOW_COPY_AND_ASSIGN(WebUIDataSourceImpl);
 };

content/public/browser/url_data_source.cc

@@ -91,6 +91,10 @@ std::string URLDataSource::GetContentSecurityPolicyImgSrc() {
   return std::string();
 }
 
+std::string URLDataSource::GetContentSecurityPolicyWorkerSrc() {
+  return std::string();
+}
+
 bool URLDataSource::ShouldDenyXFrameOptions() {
   return true;
 }

content/public/browser/url_data_source.h

@@ -128,6 +128,8 @@ class CONTENT_EXPORT URLDataSource {
   virtual std::string GetContentSecurityPolicyStyleSrc();
   // By default empty. Override to change this.
   virtual std::string GetContentSecurityPolicyImgSrc();
+  // By default empty. Override to change this.
+  virtual std::string GetContentSecurityPolicyWorkerSrc();
 
   // By default, the "X-Frame-Options: DENY" header is sent. To stop this from
   // happening, return false. It is OK to return false as needed.