Add CSP header for resources with an active policy

Source/core/frame/csp/CSPDirectiveList.cpp

Index: Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/Source/core/frame/csp/CSPDirectiveList.cpp b/Source/core/frame/csp/CSPDirectiveList.cpp
index 1f8bd418ed1300c5a8c2fd50f4e55857023ce2b6..5234785cef5c731d8a8955067e4fc0ec4d41185b 100644
--- a/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -414,6 +414,38 @@ const String& CSPDirectiveList::pluginTypesText() const
     return m_pluginTypes->text();
 }
 
+bool CSPDirectiveList::shouldSendCSPHeader(Resource::Type type) const
+{
+    switch (type) {
+    case Resource::XSLStyleSheet:
+        ASSERT(RuntimeEnabledFeatures::xsltEnabled());
+        return !!operativeDirective(m_scriptSrc.get());
+    case Resource::Script:
+    case Resource::ImportResource:
+        return !!operativeDirective(m_scriptSrc.get());
+    case Resource::CSSStyleSheet:
+        return !!operativeDirective(m_styleSrc.get());
+    case Resource::SVGDocument:
+    case Resource::Image:
+        return !!operativeDirective(m_imgSrc.get());
+    case Resource::Font:
+        return !!operativeDirective(m_fontSrc.get());
+    case Resource::Media:
+    case Resource::TextTrack:
+        return !!operativeDirective(m_mediaSrc.get());
+    case Resource::Raw:
+        // This request could be for a plugin, a child frame, a worker, or
+        // something else. If there any potentially relevant policies,
+        // send the CSP header; sending it unnecessarily can't hurt.
+        return !!operativeDirective(m_objectSrc.get()) || !!m_pluginTypes.get() || !!operativeDirective(m_childSrc.get()) || !!operativeDirective(m_frameSrc.get()) || !!operativeDirective(m_connectSrc.get()) || !!operativeDirective(m_manifestSrc.get()) || !!m_formAction.get();

[estark, 2015/03/17 18:27:34]

This is sort of the catch-all where we send a CSP header if there is any policy
that might possibly affect the request. This makes me a little nervous because
if a new element <foo> gets added with a corresponding directive foo-src, it
could easily get left out of this list, and so CSP headers would not get sent
for <foo> resources. Thoughts?

[Mike West, 2015/03/20 14:53:54]

This is fine for now. Eventually, I'd like to see the interface to CSP rewritten
on top of WebURLRequest::RequestContext, which is substantially more granular
(want to do that next? :) I landed https://codereview.chromium.org/398313002 a
while back, reverted because of https://crbug.com/396582 which I never spent the
time to track down).

[estark, 2015/03/20 20:27:52]

Sure, I'll take a look!

+    case Resource::MainResource:
+    case Resource::LinkPrefetch:
+    case Resource::LinkSubresource:
+        return false;
+    }
+    ASSERT_NOT_REACHED();
+}
+
 // policy            = directive-list
 // directive-list    = [ directive *( ";" [ directive ] ) ]
 //