Chromium Code Reviews

Unified Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 1009583003: Add CSP header for resources with an active policy (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: test tweaks Created 5 years, 9 months ago
Index: Source/core/fetch/ResourceFetcher.cpp
diff --git a/Source/core/fetch/ResourceFetcher.cpp b/Source/core/fetch/ResourceFetcher.cpp
index dbb5b13878cb8bcad01e57183e89664436b0b989..a05263b735c3444645aefe040beb675498cf804a 100644
--- a/Source/core/fetch/ResourceFetcher.cpp
+++ b/Source/core/fetch/ResourceFetcher.cpp
@@ -685,7 +685,8 @@ ResourcePtr<Resource> ResourceFetcher::requestResource(Resource::Type type, Fetc
TRACE_EVENT0("blink", "ResourceFetcher::requestResource");
upgradeInsecureRequest(request);
- addClientHintsIfNeccessary(request);
+ addClientHintsIfNecessary(request);
+ addCSPHeaderIfNecessary(type, request);
KURL url = request.resourceRequest().url();
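Review bot: the rename to addClientHintsIfNecessary and the new addCSPHeaderIfNecessary(type, request) call both need matching declarations in ResourceFetcher.h, which is not part of this file's diff; confirm the header is updated in the same patch set or the call site will not compile. The ordering is otherwise sensible: the header is attached after upgradeInsecureRequest(request) and before the URL is read, so it depends only on the document's policy state and the resource type.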
@@ -859,7 +860,7 @@ void ResourceFetcher::upgradeInsecureRequest(FetchRequest& fetchRequest)
}
}
-void ResourceFetcher::addClientHintsIfNeccessary(FetchRequest& fetchRequest)
+void ResourceFetcher::addClientHintsIfNecessary(FetchRequest& fetchRequest)
{
if (!RuntimeEnabledFeatures::clientHintsEnabled() || !document() || !frame())
return;
@@ -872,6 +873,58 @@ void ResourceFetcher::addClientHintsIfNeccessary(FetchRequest& fetchRequest)
fetchRequest.mutableResourceRequest().addHTTPHeaderField("RW", AtomicString(String::number(frame()->view()->viewportWidth())));
}
+void ResourceFetcher::addCSPHeaderIfNecessary(Resource::Type type, FetchRequest& fetchRequest)
Mike West 2015/03/16 10:39:10 japhet@ has been refactoring things; I think this
estark 2015/03/17 18:27:34 Done.
+{
+ if (!document() || !frame())
+ return;
+
+ const ContentSecurityPolicy* csp = document()->contentSecurityPolicy();
+
+ switch (type) {
+ case Resource::XSLStyleSheet:
+ ASSERT(RuntimeEnabledFeatures::xsltEnabled());
+ if (!csp->hasScriptPolicy())
+ return;
+ break;
+ case Resource::Script:
+ case Resource::ImportResource:
+ if (!csp->hasScriptPolicy())
+ return;
+ break;
+ case Resource::CSSStyleSheet:
+ if (!csp->hasStylePolicy())
+ return;
+ break;
+ case Resource::SVGDocument:
+ case Resource::Image:
+ if (!csp->hasImagePolicy())
+ return;
+ break;
+ case Resource::Font:
+ if (!csp->hasFontPolicy())
+ return;
+ break;
+ case Resource::Media:
+ case Resource::TextTrack:
+ if (!csp->hasMediaPolicy())
+ return;
+ break;
+ case Resource::Raw:
+ // As long as there is a plugin policy in effect, send the CSP
+ // header. This request might not be for a plugin, but sending it
+ // on non-plugin elements can't hurt.
+ if (!csp->hasPluginPolicy())
+ return;
+ break;
+ case Resource::MainResource:
+ case Resource::LinkPrefetch:
+ case Resource::LinkSubresource:
+ return;
+ }
Mike West 2015/03/16 10:39:10 I'd suggest moving this switch into CSP, basically
estark 2015/03/17 18:27:34 Done. I made the method called |shouldSendCSPHeade
+
+ fetchRequest.mutableResourceRequest().addHTTPHeaderField("CSP", "active");
+}
+
ResourcePtr<Resource> ResourceFetcher::createResourceForRevalidation(const FetchRequest& request, Resource* resource)
{
ASSERT(resource);
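Review bot: the Resource::Raw case is gated differently from every other case and the comment admits it. Each other branch sends the header only when the policy that governs that resource type is present (hasScriptPolicy() for Script, hasStylePolicy() for CSSStyleSheet, and so on), but Raw sends it only when hasPluginPolicy() is true, even though the comment says "This request might not be for a plugin". Either document why the plugin policy is the right gate for all raw requests, or extend the check to the other policies that can apply to a raw fetch; otherwise a document whose policy does not include a plugin directive never sends "CSP: active" on its raw requests. Two smaller points: the Resource::XSLStyleSheet and Resource::Script/ImportResource cases do the same hasScriptPolicy() check and could share one case label (keeping the ASSERT(RuntimeEnabledFeatures::xsltEnabled()) on its own line if it must stay), and the literal addHTTPHeaderField("CSP", "active") deserves a comment or spec reference saying what the receiving server is expected to do with the header, since nothing in the hunk explains it. The absence of a default: label is correct, as it lets the compiler flag any Resource::Type added later; this also lines up with the earlier suggestion to move the switch into ContentSecurityPolicy, where such a predicate is easier to keep in sync.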
