Refactor nonce support.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
index 272e3f59705350a24044390fa94da92741040c4b..ae528c245208c9140c2453c9225ccaba2b1cdc2d 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -151,8 +151,8 @@ public:
 
     bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
     bool allowInlineEventHandler(const String& source, const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
-    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, ReportingStatus = SendReport) const;
-    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, ReportingStatus = SendReport) const;
+    bool allowInlineScript(const String& contextURL, const String& nonce, const WTF::OrdinalNumber& contextLine, const String& scriptContent, ReportingStatus = SendReport) const;

[estark, 2016/06/02 18:57:32]

Might be worth a comment to say that you should pass String() to indicate the
resource is being loaded with no nonce.

[Mike West, 2016/06/04 06:30:56]

Done.

+    bool allowInlineStyle(const String& contextURL, const String& nonce, const WTF::OrdinalNumber& contextLine, const String& styleContent, ReportingStatus = SendReport) const;
     // When the reporting status is |SendReport|, the |ExceptionStatus|
     // should indicate whether the caller will throw a JavaScript
     // exception in the event of a violation. When the caller will throw
@@ -166,11 +166,12 @@ public:
     // plugin-types directives from the parent document.
     bool allowPluginTypeForDocument(const Document&, const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const;
 
-    bool allowScriptFromSource(const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
+    bool allowScriptFromSource(const KURL&, const String& nonce, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
+    bool allowStyleFromSource(const KURL&, const String& nonce, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
+
     bool allowObjectFromSource(const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
     bool allowChildFrameFromSource(const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
     bool allowImageFromSource(const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
-    bool allowStyleFromSource(const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
     bool allowFontFromSource(const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
     bool allowMediaFromSource(const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
     bool allowConnectToSource(const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
@@ -189,18 +190,19 @@ public:
     bool allowAncestors(LocalFrame*, const KURL&, ReportingStatus = SendReport) const;
     bool isFrameAncestorsEnforced() const;
 
-    // The nonce and hash allow functions are guaranteed to not have any side
+    // The hash allow functions are guaranteed to not have any side
     // effects, including reporting.
-    // Nonce/Hash functions check all policies relating to use of a script/style
-    // with the given nonce/hash and return true all CSP policies allow it.
+    // Hash functions check all policies relating to use of a script/style
+    // with the given hash and return true all CSP policies allow it.
     // If these return true, callers can then process the content or
     // issue a load and be safe disabling any further CSP checks.
-    bool allowScriptWithNonce(const String& nonce) const;
-    bool allowStyleWithNonce(const String& nonce) const;
+    //
+    // TODO(mkwst): Fold hashes into 'allow{Script,Style}' checks above, just
+    // as we've done with nonces.

[estark, 2016/06/02 18:57:31]

crbug #?

[Mike West, 2016/06/04 06:30:56]

Done.

     bool allowScriptWithHash(const String& source, InlineType) const;
     bool allowStyleWithHash(const String& source, InlineType) const;
 
-    bool allowRequest(WebURLRequest::RequestContext, const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
+    bool allowRequest(WebURLRequest::RequestContext, const KURL&, const String& nonce, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;
 
     void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);
     void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);
@@ -270,6 +272,10 @@ public:
     Document* document() const;
 
 private:
+    FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline);
+    FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy);
+    FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceMultiplePolicy);
+
     ContentSecurityPolicy();
 
     void applyPolicySideEffectsToExecutionContext();