[HTML Import] Respect Content Security Policy Model

Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
@@ skipping 2619 matching lines @@
     else if (equalIgnoringCase(equiv, "refresh"))
         processHttpEquivRefresh(content);
     else if (equalIgnoringCase(equiv, "set-cookie"))
         processHttpEquivSetCookie(content);
     else if (equalIgnoringCase(equiv, "content-language"))
         setContentLanguage(content);
     else if (equalIgnoringCase(equiv, "x-dns-prefetch-control"))
         parseDNSPrefetchControlHeader(content);
     else if (equalIgnoringCase(equiv, "x-frame-options"))
         processHttpEquivXFrameOptions(content);
-    else if (equalIgnoringCase(equiv, "content-security-policy"))
+    else if (equalIgnoringCase(equiv, "content-security-policy")
+        || equalIgnoringCase(equiv, "content-security-policy-report-only")
+        || equalIgnoringCase(equiv, "content-security-policy-report-only")
+        || equalIgnoringCase(equiv, "x-webkit-csp")
+        || equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
+        processHttpEquivContentSecurityPolicy(equiv, content);
+}
+
+void Document::processHttpEquivContentSecurityPolicy(const String& equiv, const String& content)

[Mike West, 2013/07/22 14:39:42]

I like this cleanup, but it's unrelated to the core of this change. Would you
mind splitting this out into a separate CL?

+{
+    if (!this->frame())
+        return;
+
+    if (equalIgnoringCase(equiv, "content-security-policy"))
         contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Enforce);
     else if (equalIgnoringCase(equiv, "content-security-policy-report-only"))
         contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Report);
     else if (equalIgnoringCase(equiv, "x-webkit-csp"))
         contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedEnforce);
     else if (equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
         contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedReport);
+    else
+        ASSERT_NOT_REACHED();
 }
 
 void Document::processHttpEquivDefaultStyle(const String& content)
 {
     // The preferred style set has been overridden as per section
     // 14.3.2 of the HTML4.0 specification. We need to update the
     // sheet used variable and then update our style selector.
     // For more info, see the test at:
     // http://www.hixie.ch/tests/evil/css/import/main/preferred.html
     // -dwh
@@ skipping 1535 matching lines @@
     initSecurityContext(DocumentInit(m_url, m_frame, m_import));
 }
 
 void Document::initSecurityContext(const DocumentInit& initializer)
 {
     if (haveInitializedSecurityOrigin()) {
         ASSERT(securityOrigin());
         return;
     }
 
-    if (!initializer.frame()) {
+    if (!initializer.hasSecurityContext()) {
         // No source for a security context.
         // This can occur via document.implementation.createDocument().
         m_cookieURL = KURL(ParsedURLString, emptyString());
         setSecurityOrigin(SecurityOrigin::createUnique());
         setContentSecurityPolicy(ContentSecurityPolicy::create(this));
         return;
     }
 
     // In the common case, create the security context from the currently
     // loading URL with a fresh content security policy.
@@ skipping 53 matching lines @@
     }
 
     m_cookieURL = ownerFrame->document()->cookieURL();
     // We alias the SecurityOrigins to match Firefox, see Bug 15313
     // https://bugs.webkit.org/show_bug.cgi?id=15313
     setSecurityOrigin(ownerFrame->document()->securityOrigin());
 }
 
 void Document::initContentSecurityPolicy()
 {
-    if (!m_frame->tree()->parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))
-        return;
-
-    contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
+    if (m_frame && m_frame->tree()->parent() && (shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument()))
+        contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
+    if (HTMLImport* import = this->import())
+        contentSecurityPolicy()->copyStateFrom(import->master()->contentSecurityPolicy());
 }
 
 void Document::didUpdateSecurityOrigin()
 {
     if (!m_frame)
         return;
     m_frame->script()->updateSecurityOrigin();
 }
 
 bool Document::isContextThread() const
@@ skipping 790 matching lines @@
 {
     return DocumentLifecycleNotifier::create(this);
 }
 
 DocumentLifecycleNotifier* Document::lifecycleNotifier()
 {
     return static_cast<DocumentLifecycleNotifier*>(ScriptExecutionContext::lifecycleNotifier());
 }
 
 } // namespace WebCore