<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196012] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196012">196012</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-02 09:57:40 -0800 (Tue, 02 Feb 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: Support checking content security policy without a script execution context
https://bugs.webkit.org/show_bug.cgi?id=153748
<rdar://problem/24439149>
Reviewed by Darin Alder.
Towards checking a Web Worker's content security policy against a redirected worker
script load or redirected XHR request for an XHR request initiated from it, we should
support instantiating a ContentSecurityPolicy object without a ScriptExecutionContext.
No functionality was changed. So, no new tests.
* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Pass |this| as a reference instead of as a pointer.
* page/csp/ContentSecurityPolicy.cpp: Remove extraneous includes ScriptState.h, TextEncoding.h,
and URL.h as they are included by ContentSecurityPolicy.h, FormDataList.h and FormData.h, respectively.
(WebCore::CSPSource::CSPSource): Take a constant reference to a ContentSecurityPolicy instead
of a pointer since we never expected a null pointer.
(WebCore::CSPSource::schemeMatches): Move logic for checking the protocol of source "self"
from here to ContentSecurityPolicy::protocolMatchesSelf() because we may not have a security
origin if ContentSecurityPolicy was initiated without a ScriptExecutionContext object.
(WebCore::CSPSourceList::allowSelf): Added.
(WebCore::CSPSourceList::CSPSourceList): Take a constant reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer. Remove fields from member
initialization list that can be initialized using C++11 in-class initialization syntax.
(WebCore::CSPSourceList::matches): Call ContentSecurityPolicy::urlMatchesSelf() to match the
effective URL against the URL of source "self".
(WebCore::CSPSourceList::parse): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::CSPSourceList::parseSource): Simplify code by setting internal member fields directly
instead of via member functions.
(WebCore::CSPSourceList::parsePath): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::CSPDirective::CSPDirective): Take a constant reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer.
(WebCore::CSPDirective::policy): Return a reference to a const ContentSecurityPolicy.
(WebCore::MediaListDirective::MediaListDirective): Take a constant reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer.
(WebCore::MediaListDirective::parse): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::SourceListDirective::SourceListDirective): Take a constant reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer.
(WebCore::SourceListDirective::allows): Write in terms of CSPSourceList::allowSelf() because we
may not have a security origin to get a URL from if ContentSecurityPolicy was initiated without
a ScriptExecutionContext object.
(WebCore::CSPDirectiveList::reportURIs): Change return type from Vector<URL> to Vector<String>
The caller will convert the strings to URLs with respect to the script execution context.
(WebCore::CSPDirectiveList::parseReportURI): Store the report URI as a string instead of a URL
because we may not have a security origin to compute the absolute URL if ContentSecurityPolicy
was initiated without a ScriptExecutionContext object.
(WebCore::CSPDirectiveList::CSPDirectiveList): Take a reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer. It would be better to take a const
reference to a ContentSecurityPolicy, but ContentSecurityPolicy::applySandboxPolicy() needs to set
state on ContentSecurityPolicy :(
(WebCore::CSPDirectiveList::create): Ditto.
(WebCore::CSPDirectiveList::reportViolation): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::CSPDirectiveList::checkEvalAndReportViolation): Ditto.
(WebCore::CSPDirectiveList::checkInlineAndReportViolation): Ditto.
(WebCore::CSPDirectiveList::parseDirective): Ditto.
(WebCore::CSPDirectiveList::parseReportURI): Store the report URI as a string instead of a URL
because we may not have a security origin to compute the absolute URL if ContentSecurityPolicy
was initiated without a ScriptExecutionContext object.
(WebCore::CSPDirectiveList::setCSPDirective): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::CSPDirectiveList::applySandboxPolicy): Ditto.
(WebCore::CSPDirectiveList::parseReflectedXSS): Ditto.
(WebCore::CSPDirectiveList::addDirective): Ditto.
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Modified to take the ScriptExecutionObject
as a reference and compute the CSPSource object for "self" and cache the protocol for "self". Removed
field m_overrideInlineStyleAllowed from the member initialization list and used C++11 in-class
initialization syntax to initialize it. Added overloaded constructor that takes a SecurityOrigin object.
We are not making use of this overloaded constructor at this time. We will in a subsequent patch.
(WebCore::ContentSecurityPolicy::didReceiveHeader): Store the eval disabled error message for
the last parsed policy in a member field instead of using it as part of disabling eval execution
on the script execution context because we may not have such a context.
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Applies the content security
policy eval and sandbox restrictions to the script execution context.
(WebCore::ContentSecurityPolicy::urlMatchesSelf): Match the specified URL against the URL for
source "self".
(WebCore::ContentSecurityPolicy::protocolMatchesSelf): Match the protocol of the specified URL
against the protocol for source "self".
(WebCore::ContentSecurityPolicy::gatherReportURIs): Modified to use the script execution context
to compute the absolute URL for each report URI.
(WebCore::ContentSecurityPolicy::reportViolation): Bail out if we do not have a script execution
context.
(WebCore::ContentSecurityPolicy::logToConsole): Only log to the console if we have a script
execution context.
(WebCore::ContentSecurityPolicy::reportBlockedScriptExecutionToInspector): Only report blocked
script execution to the Web Inspector if we have a script execution context.
(WebCore::CSPSourceList::addSourceSelf): Deleted.
(WebCore::CSPSourceList::addSourceStar): Deleted.
(WebCore::CSPSourceList::addSourceUnsafeInline): Deleted.
(WebCore::CSPSourceList::addSourceUnsafeEval): Deleted.
(WebCore::CSPDirectiveList::gatherReportURIs): Deleted.
(WebCore::ContentSecurityPolicy::securityOrigin): Deleted.
(WebCore::ContentSecurityPolicy::url): Deleted.
(WebCore::ContentSecurityPolicy::completeURL): Deleted.
(WebCore::ContentSecurityPolicy::enforceSandboxFlags): Deleted.
* page/csp/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::enforceSandboxFlags): Accumulates the parsed sandbox flags. We
will apply the sandbox flags in ContentSecurityPolicy::applyPolicyToScriptExecutionContext().
* workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::WorkerGlobalScope): Instantiate ContentSecurityPolicy.
(WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Move instantiation of
ContentSecurityPolicy from here to constructor.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerGlobalScopecpp">trunk/Source/WebCore/workers/WorkerGlobalScope.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196011 => 196012)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-02-02 16:58:41 UTC (rev 196011)
+++ trunk/Source/WebCore/ChangeLog        2016-02-02 17:57:40 UTC (rev 196012)
</span><span class="lines">@@ -1,3 +1,112 @@
</span><ins>+2016-02-02 Daniel Bates <dabates@apple.com>
+
+ CSP: Support checking content security policy without a script execution context
+ https://bugs.webkit.org/show_bug.cgi?id=153748
+ <rdar://problem/24439149>
+
+ Reviewed by Darin Alder.
+
+ Towards checking a Web Worker's content security policy against a redirected worker
+ script load or redirected XHR request for an XHR request initiated from it, we should
+ support instantiating a ContentSecurityPolicy object without a ScriptExecutionContext.
+
+ No functionality was changed. So, no new tests.
+
+ * dom/Document.cpp:
+ (WebCore::Document::initSecurityContext): Pass |this| as a reference instead of as a pointer.
+ * page/csp/ContentSecurityPolicy.cpp: Remove extraneous includes ScriptState.h, TextEncoding.h,
+ and URL.h as they are included by ContentSecurityPolicy.h, FormDataList.h and FormData.h, respectively.
+ (WebCore::CSPSource::CSPSource): Take a constant reference to a ContentSecurityPolicy instead
+ of a pointer since we never expected a null pointer.
+ (WebCore::CSPSource::schemeMatches): Move logic for checking the protocol of source "self"
+ from here to ContentSecurityPolicy::protocolMatchesSelf() because we may not have a security
+ origin if ContentSecurityPolicy was initiated without a ScriptExecutionContext object.
+ (WebCore::CSPSourceList::allowSelf): Added.
+ (WebCore::CSPSourceList::CSPSourceList): Take a constant reference to a ContentSecurityPolicy
+ instead of a pointer since we never expected a null pointer. Remove fields from member
+ initialization list that can be initialized using C++11 in-class initialization syntax.
+ (WebCore::CSPSourceList::matches): Call ContentSecurityPolicy::urlMatchesSelf() to match the
+ effective URL against the URL of source "self".
+ (WebCore::CSPSourceList::parse): Update code as necessary now that m_policy is a reference
+ instead of a pointer.
+ (WebCore::CSPSourceList::parseSource): Simplify code by setting internal member fields directly
+ instead of via member functions.
+ (WebCore::CSPSourceList::parsePath): Update code as necessary now that m_policy is a reference
+ instead of a pointer.
+ (WebCore::CSPDirective::CSPDirective): Take a constant reference to a ContentSecurityPolicy
+ instead of a pointer since we never expected a null pointer.
+ (WebCore::CSPDirective::policy): Return a reference to a const ContentSecurityPolicy.
+ (WebCore::MediaListDirective::MediaListDirective): Take a constant reference to a ContentSecurityPolicy
+ instead of a pointer since we never expected a null pointer.
+ (WebCore::MediaListDirective::parse): Update code as necessary now that m_policy is a reference
+ instead of a pointer.
+ (WebCore::SourceListDirective::SourceListDirective): Take a constant reference to a ContentSecurityPolicy
+ instead of a pointer since we never expected a null pointer.
+ (WebCore::SourceListDirective::allows): Write in terms of CSPSourceList::allowSelf() because we
+ may not have a security origin to get a URL from if ContentSecurityPolicy was initiated without
+ a ScriptExecutionContext object.
+ (WebCore::CSPDirectiveList::reportURIs): Change return type from Vector<URL> to Vector<String>
+ The caller will convert the strings to URLs with respect to the script execution context.
+ (WebCore::CSPDirectiveList::parseReportURI): Store the report URI as a string instead of a URL
+ because we may not have a security origin to compute the absolute URL if ContentSecurityPolicy
+ was initiated without a ScriptExecutionContext object.
+ (WebCore::CSPDirectiveList::CSPDirectiveList): Take a reference to a ContentSecurityPolicy
+ instead of a pointer since we never expected a null pointer. It would be better to take a const
+ reference to a ContentSecurityPolicy, but ContentSecurityPolicy::applySandboxPolicy() needs to set
+ state on ContentSecurityPolicy :(
+ (WebCore::CSPDirectiveList::create): Ditto.
+ (WebCore::CSPDirectiveList::reportViolation): Update code as necessary now that m_policy is a reference
+ instead of a pointer.
+ (WebCore::CSPDirectiveList::checkEvalAndReportViolation): Ditto.
+ (WebCore::CSPDirectiveList::checkInlineAndReportViolation): Ditto.
+ (WebCore::CSPDirectiveList::parseDirective): Ditto.
+ (WebCore::CSPDirectiveList::parseReportURI): Store the report URI as a string instead of a URL
+ because we may not have a security origin to compute the absolute URL if ContentSecurityPolicy
+ was initiated without a ScriptExecutionContext object.
+ (WebCore::CSPDirectiveList::setCSPDirective): Update code as necessary now that m_policy is a reference
+ instead of a pointer.
+ (WebCore::CSPDirectiveList::applySandboxPolicy): Ditto.
+ (WebCore::CSPDirectiveList::parseReflectedXSS): Ditto.
+ (WebCore::CSPDirectiveList::addDirective): Ditto.
+ (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Modified to take the ScriptExecutionObject
+ as a reference and compute the CSPSource object for "self" and cache the protocol for "self". Removed
+ field m_overrideInlineStyleAllowed from the member initialization list and used C++11 in-class
+ initialization syntax to initialize it. Added overloaded constructor that takes a SecurityOrigin object.
+ We are not making use of this overloaded constructor at this time. We will in a subsequent patch.
+ (WebCore::ContentSecurityPolicy::didReceiveHeader): Store the eval disabled error message for
+ the last parsed policy in a member field instead of using it as part of disabling eval execution
+ on the script execution context because we may not have such a context.
+ (WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Applies the content security
+ policy eval and sandbox restrictions to the script execution context.
+ (WebCore::ContentSecurityPolicy::urlMatchesSelf): Match the specified URL against the URL for
+ source "self".
+ (WebCore::ContentSecurityPolicy::protocolMatchesSelf): Match the protocol of the specified URL
+ against the protocol for source "self".
+ (WebCore::ContentSecurityPolicy::gatherReportURIs): Modified to use the script execution context
+ to compute the absolute URL for each report URI.
+ (WebCore::ContentSecurityPolicy::reportViolation): Bail out if we do not have a script execution
+ context.
+ (WebCore::ContentSecurityPolicy::logToConsole): Only log to the console if we have a script
+ execution context.
+ (WebCore::ContentSecurityPolicy::reportBlockedScriptExecutionToInspector): Only report blocked
+ script execution to the Web Inspector if we have a script execution context.
+ (WebCore::CSPSourceList::addSourceSelf): Deleted.
+ (WebCore::CSPSourceList::addSourceStar): Deleted.
+ (WebCore::CSPSourceList::addSourceUnsafeInline): Deleted.
+ (WebCore::CSPSourceList::addSourceUnsafeEval): Deleted.
+ (WebCore::CSPDirectiveList::gatherReportURIs): Deleted.
+ (WebCore::ContentSecurityPolicy::securityOrigin): Deleted.
+ (WebCore::ContentSecurityPolicy::url): Deleted.
+ (WebCore::ContentSecurityPolicy::completeURL): Deleted.
+ (WebCore::ContentSecurityPolicy::enforceSandboxFlags): Deleted.
+ * page/csp/ContentSecurityPolicy.h:
+ (WebCore::ContentSecurityPolicy::enforceSandboxFlags): Accumulates the parsed sandbox flags. We
+ will apply the sandbox flags in ContentSecurityPolicy::applyPolicyToScriptExecutionContext().
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::WorkerGlobalScope::WorkerGlobalScope): Instantiate ContentSecurityPolicy.
+ (WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Move instantiation of
+ ContentSecurityPolicy from here to constructor.
+
</ins><span class="cx"> 2016-02-02 Eric Carlson <eric.carlson@apple.com>
</span><span class="cx">
</span><span class="cx"> Allow ports to disable automatic text track selection
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (196011 => 196012)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp        2016-02-02 16:58:41 UTC (rev 196011)
+++ trunk/Source/WebCore/dom/Document.cpp        2016-02-02 17:57:40 UTC (rev 196012)
</span><span class="lines">@@ -5128,7 +5128,7 @@
</span><span class="cx"> // This can occur via document.implementation.createDocument().
</span><span class="cx"> setCookieURL(URL(ParsedURLString, emptyString()));
</span><span class="cx"> setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::createUnique()));
</span><del>- setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
</del><ins>+ setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(*this));
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -5141,7 +5141,7 @@
</span><span class="cx"> applyContentDispositionAttachmentSandbox();
</span><span class="cx">
</span><span class="cx"> setSecurityOriginPolicy(SecurityOriginPolicy::create(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url)));
</span><del>- setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
</del><ins>+ setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(*this));
</ins><span class="cx">
</span><span class="cx"> if (Settings* settings = this->settings()) {
</span><span class="cx"> if (!settings->webSecurityEnabled()) {
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (196011 => 196012)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-02 16:58:41 UTC (rev 196011)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-02 17:57:40 UTC (rev 196012)
</span><span class="lines">@@ -38,11 +38,8 @@
</span><span class="cx"> #include "RuntimeEnabledFeatures.h"
</span><span class="cx"> #include "SchemeRegistry.h"
</span><span class="cx"> #include "ScriptController.h"
</span><del>-#include "ScriptState.h"
</del><span class="cx"> #include "SecurityOrigin.h"
</span><span class="cx"> #include "SecurityPolicyViolationEvent.h"
</span><del>-#include "TextEncoding.h"
-#include "URL.h"
</del><span class="cx"> #include <inspector/InspectorValues.h>
</span><span class="cx"> #include <inspector/ScriptCallStack.h>
</span><span class="cx"> #include <inspector/ScriptCallStackFactory.h>
</span><span class="lines">@@ -215,7 +212,7 @@
</span><span class="cx">
</span><span class="cx"> class CSPSource {
</span><span class="cx"> public:
</span><del>- CSPSource(ContentSecurityPolicy* policy, const String& scheme, const String& host, int port, const String& path, bool hostHasWildcard, bool portHasWildcard)
</del><ins>+ CSPSource(const ContentSecurityPolicy& policy, const String& scheme, const String& host, int port, const String& path, bool hostHasWildcard, bool portHasWildcard)
</ins><span class="cx"> : m_policy(policy)
</span><span class="cx"> , m_scheme(scheme)
</span><span class="cx"> , m_host(host)
</span><span class="lines">@@ -238,14 +235,8 @@
</span><span class="cx"> private:
</span><span class="cx"> bool schemeMatches(const URL& url) const
</span><span class="cx"> {
</span><del>- if (m_scheme.isEmpty()) {
- String protectedResourceScheme(m_policy->securityOrigin()->protocol());
-#if ENABLE(CSP_NEXT)
- if (equalLettersIgnoringASCIICase(protectedResourceScheme, "http"))
- return url.protocolIsInHTTPFamily();
-#endif
- return equalIgnoringASCIICase(url.protocol(), protectedResourceScheme);
- }
</del><ins>+ if (m_scheme.isEmpty())
+ return m_policy.protocolMatchesSelf(url);
</ins><span class="cx"> return equalIgnoringASCIICase(url.protocol(), m_scheme);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -292,7 +283,7 @@
</span><span class="cx">
</span><span class="cx"> bool isSchemeOnly() const { return m_host.isEmpty(); }
</span><span class="cx">
</span><del>- ContentSecurityPolicy* m_policy;
</del><ins>+ const ContentSecurityPolicy& m_policy;
</ins><span class="cx"> String m_scheme;
</span><span class="cx"> String m_host;
</span><span class="cx"> int m_port;
</span><span class="lines">@@ -304,12 +295,13 @@
</span><span class="cx">
</span><span class="cx"> class CSPSourceList {
</span><span class="cx"> public:
</span><del>- CSPSourceList(ContentSecurityPolicy*, const String& directiveName);
</del><ins>+ CSPSourceList(const ContentSecurityPolicy&, const String& directiveName);
</ins><span class="cx">
</span><span class="cx"> void parse(const String&);
</span><span class="cx"> bool matches(const URL&);
</span><span class="cx"> bool allowInline() const { return m_allowInline; }
</span><span class="cx"> bool allowEval() const { return m_allowEval; }
</span><ins>+ bool allowSelf() const { return m_allowSelf; }
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> void parse(const UChar* begin, const UChar* end);
</span><span class="lines">@@ -320,25 +312,18 @@
</span><span class="cx"> bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
</span><span class="cx"> bool parsePath(const UChar* begin, const UChar* end, String& path);
</span><span class="cx">
</span><del>- void addSourceSelf();
- void addSourceStar();
- void addSourceUnsafeInline();
- void addSourceUnsafeEval();
-
- ContentSecurityPolicy* m_policy;
</del><ins>+ const ContentSecurityPolicy& m_policy;
</ins><span class="cx"> Vector<CSPSource> m_list;
</span><span class="cx"> String m_directiveName;
</span><del>- bool m_allowStar;
- bool m_allowInline;
- bool m_allowEval;
</del><ins>+ bool m_allowSelf { false };
+ bool m_allowStar { false };
+ bool m_allowInline { false };
+ bool m_allowEval { false };
</ins><span class="cx"> };
</span><span class="cx">
</span><del>-CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& directiveName)
</del><ins>+CSPSourceList::CSPSourceList(const ContentSecurityPolicy& policy, const String& directiveName)
</ins><span class="cx"> : m_policy(policy)
</span><span class="cx"> , m_directiveName(directiveName)
</span><del>- , m_allowStar(false)
- , m_allowInline(false)
- , m_allowEval(false)
</del><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -358,6 +343,9 @@
</span><span class="cx">
</span><span class="cx"> URL effectiveURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
</span><span class="cx">
</span><ins>+ if (m_allowSelf && m_policy.urlMatchesSelf(effectiveURL))
+ return true;
+
</ins><span class="cx"> for (auto& entry : m_list) {
</span><span class="cx"> if (entry.matches(effectiveURL))
</span><span class="cx"> return true;
</span><span class="lines">@@ -393,10 +381,10 @@
</span><span class="cx"> if (scheme.isEmpty() && host.isEmpty())
</span><span class="cx"> continue;
</span><span class="cx"> if (isDirectiveName(host))
</span><del>- m_policy->reportDirectiveAsSourceExpression(m_directiveName, host);
</del><ins>+ m_policy.reportDirectiveAsSourceExpression(m_directiveName, host);
</ins><span class="cx"> m_list.append(CSPSource(m_policy, scheme, host, port, path, hostHasWildcard, portHasWildcard));
</span><span class="cx"> } else
</span><del>- m_policy->reportInvalidSourceExpression(m_directiveName, String(beginSource, position - beginSource));
</del><ins>+ m_policy.reportInvalidSourceExpression(m_directiveName, String(beginSource, position - beginSource));
</ins><span class="cx">
</span><span class="cx"> ASSERT(position == end || isASCIISpace(*position));
</span><span class="cx"> }
</span><span class="lines">@@ -415,22 +403,22 @@
</span><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> if (end - begin == 1 && *begin == '*') {
</span><del>- addSourceStar();
</del><ins>+ m_allowStar = true;
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (equalLettersIgnoringASCIICase(begin, end - begin, "'self'")) {
</span><del>- addSourceSelf();
</del><ins>+ m_allowSelf = true;
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (equalLettersIgnoringASCIICase(begin, end - begin, "'unsafe-inline'")) {
</span><del>- addSourceUnsafeInline();
</del><ins>+ m_allowInline = true;
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (equalLettersIgnoringASCIICase(begin, end - begin, "'unsafe-eval'")) {
</span><del>- addSourceUnsafeEval();
</del><ins>+ m_allowEval = true;
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -590,7 +578,7 @@
</span><span class="cx"> // path/to/file.js?query=string || path/to/file.js#anchor
</span><span class="cx"> // ^ ^
</span><span class="cx"> if (position < end)
</span><del>- m_policy->reportInvalidPathCharacter(m_directiveName, String(begin, end - begin), *position);
</del><ins>+ m_policy.reportInvalidPathCharacter(m_directiveName, String(begin, end - begin), *position);
</ins><span class="cx">
</span><span class="cx"> path = decodeURLEscapeSequences(String(begin, position - begin));
</span><span class="cx">
</span><span class="lines">@@ -630,29 +618,9 @@
</span><span class="cx"> return ok;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void CSPSourceList::addSourceSelf()
-{
- m_list.append(CSPSource(m_policy, m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), String(), false, false));
-}
-
-void CSPSourceList::addSourceStar()
-{
- m_allowStar = true;
-}
-
-void CSPSourceList::addSourceUnsafeInline()
-{
- m_allowInline = true;
-}
-
-void CSPSourceList::addSourceUnsafeEval()
-{
- m_allowEval = true;
-}
-
</del><span class="cx"> class CSPDirective {
</span><span class="cx"> public:
</span><del>- CSPDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
</del><ins>+ CSPDirective(const String& name, const String& value, const ContentSecurityPolicy& policy)
</ins><span class="cx"> : m_name(name)
</span><span class="cx"> , m_text(name + ' ' + value)
</span><span class="cx"> , m_policy(policy)
</span><span class="lines">@@ -662,17 +630,17 @@
</span><span class="cx"> const String& text() const { return m_text; }
</span><span class="cx">
</span><span class="cx"> protected:
</span><del>- const ContentSecurityPolicy* policy() const { return m_policy; }
</del><ins>+ const ContentSecurityPolicy& policy() const { return m_policy; }
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> String m_name;
</span><span class="cx"> String m_text;
</span><del>- ContentSecurityPolicy* m_policy;
</del><ins>+ const ContentSecurityPolicy& m_policy;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> class MediaListDirective : public CSPDirective {
</span><span class="cx"> public:
</span><del>- MediaListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
</del><ins>+ MediaListDirective(const String& name, const String& value, const ContentSecurityPolicy& policy)
</ins><span class="cx"> : CSPDirective(name, value, policy)
</span><span class="cx"> {
</span><span class="cx"> parse(value);
</span><span class="lines">@@ -693,7 +661,7 @@
</span><span class="cx">
</span><span class="cx"> // 'plugin-types ____;' OR 'plugin-types;'
</span><span class="cx"> if (value.isEmpty()) {
</span><del>- policy()->reportInvalidPluginTypes(value);
</del><ins>+ policy().reportInvalidPluginTypes(value);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -709,7 +677,7 @@
</span><span class="cx"> begin = position;
</span><span class="cx"> if (!skipExactly<isMediaTypeCharacter>(position, end)) {
</span><span class="cx"> skipWhile<isNotASCIISpace>(position, end);
</span><del>- policy()->reportInvalidPluginTypes(String(begin, position - begin));
</del><ins>+ policy().reportInvalidPluginTypes(String(begin, position - begin));
</ins><span class="cx"> continue;
</span><span class="cx"> }
</span><span class="cx"> skipWhile<isMediaTypeCharacter>(position, end);
</span><span class="lines">@@ -718,7 +686,7 @@
</span><span class="cx"> // ^
</span><span class="cx"> if (!skipExactly(position, end, '/')) {
</span><span class="cx"> skipWhile<isNotASCIISpace>(position, end);
</span><del>- policy()->reportInvalidPluginTypes(String(begin, position - begin));
</del><ins>+ policy().reportInvalidPluginTypes(String(begin, position - begin));
</ins><span class="cx"> continue;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -726,7 +694,7 @@
</span><span class="cx"> // ^
</span><span class="cx"> if (!skipExactly<isMediaTypeCharacter>(position, end)) {
</span><span class="cx"> skipWhile<isNotASCIISpace>(position, end);
</span><del>- policy()->reportInvalidPluginTypes(String(begin, position - begin));
</del><ins>+ policy().reportInvalidPluginTypes(String(begin, position - begin));
</ins><span class="cx"> continue;
</span><span class="cx"> }
</span><span class="cx"> skipWhile<isMediaTypeCharacter>(position, end);
</span><span class="lines">@@ -735,7 +703,7 @@
</span><span class="cx"> // ^ ^ ^
</span><span class="cx"> if (position < end && isNotASCIISpace(*position)) {
</span><span class="cx"> skipWhile<isNotASCIISpace>(position, end);
</span><del>- policy()->reportInvalidPluginTypes(String(begin, position - begin));
</del><ins>+ policy().reportInvalidPluginTypes(String(begin, position - begin));
</ins><span class="cx"> continue;
</span><span class="cx"> }
</span><span class="cx"> m_pluginTypes.add(String(begin, position - begin));
</span><span class="lines">@@ -749,7 +717,7 @@
</span><span class="cx">
</span><span class="cx"> class SourceListDirective : public CSPDirective {
</span><span class="cx"> public:
</span><del>- SourceListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
</del><ins>+ SourceListDirective(const String& name, const String& value, const ContentSecurityPolicy& policy)
</ins><span class="cx"> : CSPDirective(name, value, policy)
</span><span class="cx"> , m_sourceList(policy, name)
</span><span class="cx"> {
</span><span class="lines">@@ -758,7 +726,10 @@
</span><span class="cx">
</span><span class="cx"> bool allows(const URL& url)
</span><span class="cx"> {
</span><del>- return m_sourceList.matches(url.isEmpty() ? policy()->url() : url);
</del><ins>+ // FIXME: We should investigate returning false for an empty URL.
+ if (url.isEmpty())
+ return m_sourceList.allowSelf();
+ return m_sourceList.matches(url);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool allowInline() const { return m_sourceList.allowInline(); }
</span><span class="lines">@@ -771,8 +742,8 @@
</span><span class="cx"> class CSPDirectiveList {
</span><span class="cx"> WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><del>- static std::unique_ptr<CSPDirectiveList> create(ContentSecurityPolicy*, const String&, ContentSecurityPolicyHeaderType);
- CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType);
</del><ins>+ static std::unique_ptr<CSPDirectiveList> create(ContentSecurityPolicy&, const String&, ContentSecurityPolicyHeaderType);
+ CSPDirectiveList(ContentSecurityPolicy&, ContentSecurityPolicyHeaderType);
</ins><span class="cx">
</span><span class="cx"> const String& header() const { return m_header; }
</span><span class="cx"> ContentSecurityPolicyHeaderType headerType() const { return m_headerType; }
</span><span class="lines">@@ -795,11 +766,10 @@
</span><span class="cx"> bool allowFormAction(const URL&, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowBaseURI(const URL&, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">
</span><del>- void gatherReportURIs(DOMStringList&) const;
</del><span class="cx"> const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
</span><span class="cx"> ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
</span><span class="cx"> bool isReportOnly() const { return m_reportOnly; }
</span><del>- const Vector<URL>& reportURIs() const { return m_reportURIs; }
</del><ins>+ const Vector<String>& reportURIs() const { return m_reportURIs; }
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> void parse(const String&);
</span><span class="lines">@@ -832,7 +802,8 @@
</span><span class="cx">
</span><span class="cx"> bool denyIfEnforcingPolicy() const { return m_reportOnly; }
</span><span class="cx">
</span><del>- ContentSecurityPolicy* m_policy;
</del><ins>+ // FIXME: Make this a const reference once we teach applySandboxPolicy() to store its policy as opposed to applying it directly onto ContentSecurityPolicy.
+ ContentSecurityPolicy& m_policy;
</ins><span class="cx">
</span><span class="cx"> String m_header;
</span><span class="cx"> ContentSecurityPolicyHeaderType m_headerType;
</span><span class="lines">@@ -854,12 +825,12 @@
</span><span class="cx"> std::unique_ptr<SourceListDirective> m_scriptSrc;
</span><span class="cx"> std::unique_ptr<SourceListDirective> m_styleSrc;
</span><span class="cx">
</span><del>- Vector<URL> m_reportURIs;
</del><ins>+ Vector<String> m_reportURIs;
</ins><span class="cx">
</span><span class="cx"> String m_evalDisabledErrorMessage;
</span><span class="cx"> };
</span><span class="cx">
</span><del>-CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicyHeaderType type)
</del><ins>+CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy& policy, ContentSecurityPolicyHeaderType type)
</ins><span class="cx"> : m_policy(policy)
</span><span class="cx"> , m_headerType(type)
</span><span class="cx"> , m_reportOnly(false)
</span><span class="lines">@@ -869,7 +840,7 @@
</span><span class="cx"> m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-std::unique_ptr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const String& header, ContentSecurityPolicyHeaderType type)
</del><ins>+std::unique_ptr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy& policy, const String& header, ContentSecurityPolicyHeaderType type)
</ins><span class="cx"> {
</span><span class="cx"> auto directives = std::make_unique<CSPDirectiveList>(policy, type);
</span><span class="cx"> directives->parse(header);
</span><span class="lines">@@ -880,7 +851,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (directives->isReportOnly() && directives->reportURIs().isEmpty())
</span><del>- policy->reportMissingReportURI(header);
</del><ins>+ policy.reportMissingReportURI(header);
</ins><span class="cx">
</span><span class="cx"> return directives;
</span><span class="cx"> }
</span><span class="lines">@@ -888,7 +859,7 @@
</span><span class="cx"> void CSPDirectiveList::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
</span><span class="cx"> {
</span><span class="cx"> String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
</span><del>- m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state);
</del><ins>+ m_policy.reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
</span><span class="lines">@@ -931,7 +902,7 @@
</span><span class="cx">
</span><span class="cx"> reportViolation(directive->text(), scriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", URL(), contextURL, contextLine, state);
</span><span class="cx"> if (!m_reportOnly) {
</span><del>- m_policy->reportBlockedScriptExecutionToInspector(directive->text());
</del><ins>+ m_policy.reportBlockedScriptExecutionToInspector(directive->text());
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx"> return true;
</span><span class="lines">@@ -963,7 +934,7 @@
</span><span class="cx">
</span><span class="cx"> if (!m_reportOnly) {
</span><span class="cx"> if (isScript)
</span><del>- m_policy->reportBlockedScriptExecutionToInspector(directive->text());
</del><ins>+ m_policy.reportBlockedScriptExecutionToInspector(directive->text());
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx"> return true;
</span><span class="lines">@@ -1113,12 +1084,6 @@
</span><span class="cx"> (m_reportOnly || checkSource(operativeDirective(m_connectSrc.get()), url));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void CSPDirectiveList::gatherReportURIs(DOMStringList& list) const
-{
- for (auto& uri : m_reportURIs)
- list.append(uri.string());
-}
-
</del><span class="cx"> bool CSPDirectiveList::allowFormAction(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
</span><span class="lines">@@ -1183,7 +1148,7 @@
</span><span class="cx"> // The directive-name must be non-empty.
</span><span class="cx"> if (nameBegin == position) {
</span><span class="cx"> skipWhile<isNotASCIISpace>(position, end);
</span><del>- m_policy->reportUnsupportedDirective(String(nameBegin, position - nameBegin));
</del><ins>+ m_policy.reportUnsupportedDirective(String(nameBegin, position - nameBegin));
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1194,7 +1159,7 @@
</span><span class="cx">
</span><span class="cx"> if (!skipExactly<isASCIISpace>(position, end)) {
</span><span class="cx"> skipWhile<isNotASCIISpace>(position, end);
</span><del>- m_policy->reportUnsupportedDirective(String(nameBegin, position - nameBegin));
</del><ins>+ m_policy.reportUnsupportedDirective(String(nameBegin, position - nameBegin));
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1204,7 +1169,7 @@
</span><span class="cx"> skipWhile<isDirectiveValueCharacter>(position, end);
</span><span class="cx">
</span><span class="cx"> if (position != end) {
</span><del>- m_policy->reportInvalidDirectiveValueCharacter(name, String(valueBegin, end - valueBegin));
</del><ins>+ m_policy.reportInvalidDirectiveValueCharacter(name, String(valueBegin, end - valueBegin));
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1219,7 +1184,7 @@
</span><span class="cx"> void CSPDirectiveList::parseReportURI(const String& name, const String& value)
</span><span class="cx"> {
</span><span class="cx"> if (!m_reportURIs.isEmpty()) {
</span><del>- m_policy->reportDuplicateDirective(name);
</del><ins>+ m_policy.reportDuplicateDirective(name);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1233,10 +1198,8 @@
</span><span class="cx"> const UChar* urlBegin = position;
</span><span class="cx"> skipWhile<isNotASCIISpace>(position, end);
</span><span class="cx">
</span><del>- if (urlBegin < position) {
- String url = String(urlBegin, position - urlBegin);
- m_reportURIs.append(m_policy->completeURL(url));
- }
</del><ins>+ if (urlBegin < position)
+ m_reportURIs.append(value.substring(urlBegin - characters, position - urlBegin));
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1245,7 +1208,7 @@
</span><span class="cx"> void CSPDirectiveList::setCSPDirective(const String& name, const String& value, std::unique_ptr<CSPDirectiveType>& directive)
</span><span class="cx"> {
</span><span class="cx"> if (directive) {
</span><del>- m_policy->reportDuplicateDirective(name);
</del><ins>+ m_policy.reportDuplicateDirective(name);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx"> directive = std::make_unique<CSPDirectiveType>(name, value, m_policy);
</span><span class="lines">@@ -1254,27 +1217,27 @@
</span><span class="cx"> void CSPDirectiveList::applySandboxPolicy(const String& name, const String& sandboxPolicy)
</span><span class="cx"> {
</span><span class="cx"> if (m_haveSandboxPolicy) {
</span><del>- m_policy->reportDuplicateDirective(name);
</del><ins>+ m_policy.reportDuplicateDirective(name);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx"> m_haveSandboxPolicy = true;
</span><span class="cx"> String invalidTokens;
</span><del>- m_policy->enforceSandboxFlags(SecurityContext::parseSandboxPolicy(sandboxPolicy, invalidTokens));
</del><ins>+ m_policy.enforceSandboxFlags(SecurityContext::parseSandboxPolicy(sandboxPolicy, invalidTokens));
</ins><span class="cx"> if (!invalidTokens.isNull())
</span><del>- m_policy->reportInvalidSandboxFlags(invalidTokens);
</del><ins>+ m_policy.reportInvalidSandboxFlags(invalidTokens);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value)
</span><span class="cx"> {
</span><span class="cx"> if (m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset) {
</span><del>- m_policy->reportDuplicateDirective(name);
</del><ins>+ m_policy.reportDuplicateDirective(name);
</ins><span class="cx"> m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (value.isEmpty()) {
</span><span class="cx"> m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
</span><del>- m_policy->reportInvalidReflectedXSS(value);
</del><ins>+ m_policy.reportInvalidReflectedXSS(value);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1296,7 +1259,7 @@
</span><span class="cx"> m_reflectedXSSDisposition = ContentSecurityPolicy::BlockReflectedXSS;
</span><span class="cx"> else {
</span><span class="cx"> m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
</span><del>- m_policy->reportInvalidReflectedXSS(value);
</del><ins>+ m_policy.reportInvalidReflectedXSS(value);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1307,7 +1270,7 @@
</span><span class="cx"> // value1 value2
</span><span class="cx"> // ^
</span><span class="cx"> m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
</span><del>- m_policy->reportInvalidReflectedXSS(value);
</del><ins>+ m_policy.reportInvalidReflectedXSS(value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void CSPDirectiveList::addDirective(const String& name, const String& value)
</span><span class="lines">@@ -1337,7 +1300,7 @@
</span><span class="cx"> else if (equalLettersIgnoringASCIICase(name, reportURI))
</span><span class="cx"> parseReportURI(name, value);
</span><span class="cx"> #if ENABLE(CSP_NEXT)
</span><del>- else if (m_policy->experimentalFeaturesEnabled()) {
</del><ins>+ else if (m_policy.experimentalFeaturesEnabled()) {
</ins><span class="cx"> if (equalLettersIgnoringASCIICase(name, baseURI))
</span><span class="cx"> setCSPDirective<SourceListDirective>(name, value, m_baseURI);
</span><span class="cx"> else if (equalLettersIgnoringASCIICase(name, formAction))
</span><span class="lines">@@ -1347,19 +1310,30 @@
</span><span class="cx"> else if (equalLettersIgnoringASCIICase(name, reflectedXSS))
</span><span class="cx"> parseReflectedXSS(name, value);
</span><span class="cx"> else
</span><del>- m_policy->reportUnsupportedDirective(name);
</del><ins>+ m_policy.reportUnsupportedDirective(name);
</ins><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx"> else
</span><del>- m_policy->reportUnsupportedDirective(name);
</del><ins>+ m_policy.reportUnsupportedDirective(name);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
- : m_scriptExecutionContext(scriptExecutionContext)
- , m_overrideInlineStyleAllowed(false)
</del><ins>+ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext& scriptExecutionContext)
+ : m_scriptExecutionContext(&scriptExecutionContext)
+ , m_sandboxFlags(SandboxNone)
</ins><span class="cx"> {
</span><ins>+ ASSERT(scriptExecutionContext.securityOrigin());
+ auto& securityOrigin = *scriptExecutionContext.securityOrigin();
+ m_selfSourceProtocol = securityOrigin.protocol();
+ m_selfSource = std::make_unique<CSPSource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+ContentSecurityPolicy::ContentSecurityPolicy(const SecurityOrigin& securityOrigin)
+ : m_sandboxFlags(SandboxNone)
+{
+ m_selfSourceProtocol = securityOrigin.protocol();
+ m_selfSource = std::make_unique<CSPSource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
+}
+
</ins><span class="cx"> ContentSecurityPolicy::~ContentSecurityPolicy()
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="lines">@@ -1400,9 +1374,9 @@
</span><span class="cx">
</span><span class="cx"> // header1,header2 OR header1
</span><span class="cx"> // ^ ^
</span><del>- std::unique_ptr<CSPDirectiveList> policy = CSPDirectiveList::create(this, String(begin, position - begin), type);
</del><ins>+ std::unique_ptr<CSPDirectiveList> policy = CSPDirectiveList::create(*this, String(begin, position - begin), type);
</ins><span class="cx"> if (!policy->allowEval(0, ContentSecurityPolicy::ReportingStatus::SuppressReport))
</span><del>- m_scriptExecutionContext->disableEval(policy->evalDisabledErrorMessage());
</del><ins>+ m_lastPolicyEvalDisabledErrorMessage = policy->evalDisabledErrorMessage();
</ins><span class="cx">
</span><span class="cx"> m_policies.append(policy.release());
</span><span class="cx">
</span><span class="lines">@@ -1411,13 +1385,39 @@
</span><span class="cx"> skipExactly(position, end, ',');
</span><span class="cx"> begin = position;
</span><span class="cx"> }
</span><ins>+
+ if (m_scriptExecutionContext)
+ applyPolicyToScriptExecutionContext();
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+void ContentSecurityPolicy::applyPolicyToScriptExecutionContext()
+{
+ ASSERT(m_scriptExecutionContext);
+ if (!m_lastPolicyEvalDisabledErrorMessage.isNull())
+ m_scriptExecutionContext->disableEval(m_lastPolicyEvalDisabledErrorMessage);
+ if (m_sandboxFlags != SandboxNone && is<Document>(m_scriptExecutionContext))
+ m_scriptExecutionContext->enforceSandboxFlags(m_sandboxFlags);
+}
+
</ins><span class="cx"> void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
</span><span class="cx"> {
</span><span class="cx"> m_overrideInlineStyleAllowed = value;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicy::urlMatchesSelf(const URL& url) const
+{
+ return m_selfSource->matches(url);
+}
+
+bool ContentSecurityPolicy::protocolMatchesSelf(const URL& url) const
+{
+#if ENABLE(CSP_NEXT)
+ if (equalLettersIgnoringASCIICase(m_selfSourceProtocol, "http"))
+ return url.protocolIsInHTTPFamily();
+#endif
+ return equalIgnoringASCIICase(url.protocol(), m_selfSourceProtocol);
+}
+
</ins><span class="cx"> template<bool (CSPDirectiveList::*allowed)(ContentSecurityPolicy::ReportingStatus) const>
</span><span class="cx"> bool isAllowedByAll(const CSPDirectiveListVector& policies, ContentSecurityPolicy::ReportingStatus reportingStatus)
</span><span class="cx"> {
</span><span class="lines">@@ -1573,30 +1573,13 @@
</span><span class="cx">
</span><span class="cx"> void ContentSecurityPolicy::gatherReportURIs(DOMStringList& list) const
</span><span class="cx"> {
</span><del>- for (auto& policy : m_policies)
- policy->gatherReportURIs(list);
</del><ins>+ ASSERT(m_scriptExecutionContext);
+ for (auto& policy : m_policies) {
+ for (auto& url : policy->reportURIs())
+ list.append(m_scriptExecutionContext->completeURL(url).string());
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-SecurityOrigin* ContentSecurityPolicy::securityOrigin() const
-{
- return m_scriptExecutionContext->securityOrigin();
-}
-
-const URL& ContentSecurityPolicy::url() const
-{
- return m_scriptExecutionContext->url();
-}
-
-URL ContentSecurityPolicy::completeURL(const String& url) const
-{
- return m_scriptExecutionContext->completeURL(url);
-}
-
-void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask) const
-{
- m_scriptExecutionContext->enforceSandboxFlags(mask);
-}
-
</del><span class="cx"> static String stripURLForUseInReport(Document& document, const URL& url)
</span><span class="cx"> {
</span><span class="cx"> if (!url.isValid())
</span><span class="lines">@@ -1628,12 +1611,12 @@
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx">
</span><del>-void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<URL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
</del><ins>+void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
</ins><span class="cx"> {
</span><span class="cx"> logToConsole(consoleMessage, contextURL, contextLine, state);
</span><span class="cx">
</span><span class="cx"> // FIXME: Support sending reports from worker.
</span><del>- if (!is<Document>(*m_scriptExecutionContext))
</del><ins>+ if (!is<Document>(m_scriptExecutionContext))
</ins><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> Document& document = downcast<Document>(*m_scriptExecutionContext);
</span><span class="lines">@@ -1690,7 +1673,7 @@
</span><span class="cx"> RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
</span><span class="cx">
</span><span class="cx"> for (const auto& url : reportURIs)
</span><del>- PingLoader::sendViolationReport(*frame, url, report.copyRef());
</del><ins>+ PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const
</span><span class="lines">@@ -1774,12 +1757,14 @@
</span><span class="cx"> void ContentSecurityPolicy::logToConsole(const String& message, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
</span><span class="cx"> {
</span><span class="cx"> // FIXME: <http://webkit.org/b/114317> ContentSecurityPolicy::logToConsole should include a column number
</span><del>- m_scriptExecutionContext->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, contextURL, contextLine.oneBasedInt(), 0, state);
</del><ins>+ if (m_scriptExecutionContext)
+ m_scriptExecutionContext->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, contextURL, contextLine.oneBasedInt(), 0, state);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ContentSecurityPolicy::reportBlockedScriptExecutionToInspector(const String& directiveText) const
</span><span class="cx"> {
</span><del>- InspectorInstrumentation::scriptExecutionBlockedByCSP(m_scriptExecutionContext, directiveText);
</del><ins>+ if (m_scriptExecutionContext)
+ InspectorInstrumentation::scriptExecutionBlockedByCSP(m_scriptExecutionContext, directiveText);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool ContentSecurityPolicy::experimentalFeaturesEnabled() const
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (196011 => 196012)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-02-02 16:58:41 UTC (rev 196011)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-02-02 17:57:40 UTC (rev 196012)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 2011 Google, Inc. All rights reserved.
</span><ins>+ * Copyright (C) 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -27,13 +28,9 @@
</span><span class="cx"> #define ContentSecurityPolicy_h
</span><span class="cx">
</span><span class="cx"> #include "ContentSecurityPolicyResponseHeaders.h"
</span><del>-#include "URL.h"
</del><span class="cx"> #include "ScriptState.h"
</span><del>-#include <memory>
-#include <wtf/RefCounted.h>
</del><span class="cx"> #include <wtf/Vector.h>
</span><span class="cx"> #include <wtf/text/TextPosition.h>
</span><del>-#include <wtf/text/WTFString.h>
</del><span class="cx">
</span><span class="cx"> namespace WTF {
</span><span class="cx"> class OrdinalNumber;
</span><span class="lines">@@ -42,26 +39,24 @@
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><span class="cx"> class CSPDirectiveList;
</span><ins>+class CSPSource;
</ins><span class="cx"> class DOMStringList;
</span><span class="cx"> class ScriptExecutionContext;
</span><span class="cx"> class SecurityOrigin;
</span><ins>+class URL;
</ins><span class="cx">
</span><ins>+typedef Vector<std::unique_ptr<CSPDirectiveList>> CSPDirectiveListVector;
</ins><span class="cx"> typedef int SandboxFlags;
</span><del>-typedef Vector<std::unique_ptr<CSPDirectiveList>> CSPDirectiveListVector;
</del><span class="cx">
</span><span class="cx"> class ContentSecurityPolicy {
</span><span class="cx"> WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><del>- explicit ContentSecurityPolicy(ScriptExecutionContext*);
</del><ins>+ explicit ContentSecurityPolicy(ScriptExecutionContext&);
+ explicit ContentSecurityPolicy(const SecurityOrigin&);
</ins><span class="cx"> ~ContentSecurityPolicy();
</span><span class="cx">
</span><span class="cx"> void copyStateFrom(const ContentSecurityPolicy*);
</span><span class="cx">
</span><del>- enum class ReportingStatus {
- SendReport,
- SuppressReport
- };
-
</del><span class="cx"> // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
</span><span class="cx"> enum ReflectedXSSDisposition {
</span><span class="cx"> ReflectedXSSUnset = 0,
</span><span class="lines">@@ -70,18 +65,22 @@
</span><span class="cx"> FilterReflectedXSS,
</span><span class="cx"> BlockReflectedXSS
</span><span class="cx"> };
</span><ins>+ ReflectedXSSDisposition reflectedXSSDisposition() const;
</ins><span class="cx">
</span><span class="cx"> ContentSecurityPolicyResponseHeaders responseHeaders() const;
</span><span class="cx"> void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
</span><span class="cx"> void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType);
</span><span class="cx">
</span><ins>+ enum class ReportingStatus {
+ SendReport,
+ SuppressReport
+ };
</ins><span class="cx"> bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowEval(JSC::ExecState* = nullptr, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><del>-
</del><span class="cx"> bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="lines">@@ -93,42 +92,57 @@
</span><span class="cx"> bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx">
</span><del>- ReflectedXSSDisposition reflectedXSSDisposition() const;
-
</del><span class="cx"> void setOverrideAllowInlineStyle(bool);
</span><span class="cx">
</span><span class="cx"> bool isActive() const;
</span><ins>+
</ins><span class="cx"> void gatherReportURIs(DOMStringList&) const;
</span><span class="cx">
</span><ins>+ String evalDisabledErrorMessage() const;
+
+ bool experimentalFeaturesEnabled() const;
+
+ static bool shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext&);
+
+ // The following functions are used by internal data structures to call back into this object when parsing, validating,
+ // and applying a Content Security Policy.
+ // FIXME: We should make the various directives serve only as state stores for the parsed policy and remove these functions.
+ // This class should traverse the directives, validating the policy, and applying it to the script execution context.
+
+ // Used by MediaListDirective
+ void reportInvalidPluginTypes(const String&) const;
+
+ // Used by CSPSourceList
</ins><span class="cx"> void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const;
</span><ins>+ void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
+ void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
+ bool urlMatchesSelf(const URL&) const;
+
+ // Used by CSPDirectiveList
</ins><span class="cx"> void reportDuplicateDirective(const String&) const;
</span><span class="cx"> void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
</span><del>- void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
- void reportInvalidPluginTypes(const String&) const;
</del><span class="cx"> void reportInvalidSandboxFlags(const String&) const;
</span><del>- void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
</del><span class="cx"> void reportInvalidReflectedXSS(const String&) const;
</span><span class="cx"> void reportMissingReportURI(const String&) const;
</span><span class="cx"> void reportUnsupportedDirective(const String&) const;
</span><del>- void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<URL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
-
</del><ins>+ void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</ins><span class="cx"> void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
</span><ins>+ void enforceSandboxFlags(SandboxFlags sandboxFlags) { m_sandboxFlags |= sandboxFlags; }
</ins><span class="cx">
</span><del>- const URL& url() const;
- URL completeURL(const String&) const;
- SecurityOrigin* securityOrigin() const;
- void enforceSandboxFlags(SandboxFlags) const;
- String evalDisabledErrorMessage() const;
</del><ins>+ // Used by CSPSource
+ bool protocolMatchesSelf(const URL&) const;
</ins><span class="cx">
</span><del>- bool experimentalFeaturesEnabled() const;
- static bool shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext&);
-
</del><span class="cx"> private:
</span><span class="cx"> void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</span><ins>+ void applyPolicyToScriptExecutionContext();
</ins><span class="cx">
</span><del>- ScriptExecutionContext* m_scriptExecutionContext;
- bool m_overrideInlineStyleAllowed;
</del><ins>+ ScriptExecutionContext* m_scriptExecutionContext { nullptr };
+ std::unique_ptr<CSPSource> m_selfSource;
+ String m_selfSourceProtocol;
</ins><span class="cx"> CSPDirectiveListVector m_policies;
</span><ins>+ String m_lastPolicyEvalDisabledErrorMessage;
+ SandboxFlags m_sandboxFlags;
+ bool m_overrideInlineStyleAllowed { false };
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerGlobalScopecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.cpp (196011 => 196012)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerGlobalScope.cpp        2016-02-02 16:58:41 UTC (rev 196011)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.cpp        2016-02-02 17:57:40 UTC (rev 196012)
</span><span class="lines">@@ -72,6 +72,7 @@
</span><span class="cx"> , m_topOrigin(topOrigin)
</span><span class="cx"> {
</span><span class="cx"> setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(url)));
</span><ins>+ setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(*this));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> WorkerGlobalScope::~WorkerGlobalScope()
</span><span class="lines">@@ -87,7 +88,6 @@
</span><span class="cx">
</span><span class="cx"> void WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders)
</span><span class="cx"> {
</span><del>- setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
</del><span class="cx"> contentSecurityPolicy()->didReceiveHeaders(contentSecurityPolicyResponseHeaders);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>