Implement the `require-sri-for` CSP directive

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CSPDirectiveList_h
 #define CSPDirectiveList_h
 
 #include "core/fetch/Resource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/frame/csp/MediaListDirective.h"
@@ skipping 48 matching lines @@
     // result of a redirect. After a redirect, source paths are usually
     // ignored to stop a page from learning the path to which the
     // request was redirected, but this is not a concern for ancestors,
     // because a child frame can't manipulate the URL of a cross-origin
     // parent.
     bool allowAncestors(LocalFrame*, const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowScriptHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const;
     bool allowStyleHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const;
     bool allowDynamic() const;
 
+    bool allowRequestWithoutMetadata(WebURLRequest::RequestContext, const KURL&, const IntegrityMetadataSet&, ContentSecurityPolicy::ReportingStatus) const;

[jww, 2016/06/11 22:45:12]

nit: I'd prefer that this have 'Integrity' somewhere in the method name since I
expect that 'metadata' may be used elsewhere in CSP at a later point. So perhaps
named "allowRequestWithoutIntegrityMetadata"?

[Sergey Shekyan, 2016/06/20 07:12:00]

I renamed it to "allowRequestWithoutIntegrity". Trying to commit a code right
before vacation flight was not a good idea.

+
     bool strictMixedContentChecking() const { return m_strictMixedContentCheckingEnforced; }
     void reportMixedContent(const KURL& mixedURL, ResourceRequest::RedirectStatus) const;
 
     const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
     ReflectedXSSDisposition getReflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
     ReferrerPolicy getReferrerPolicy() const { return m_referrerPolicy; }
     bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; }
     bool isReportOnly() const { return m_reportOnly; }
     const Vector<String>& reportEndpoints() const { return m_reportEndpoints; }
+    const Vector<String>& requireSRIForTokens() const { return m_requireSRIFor; }
     bool isFrameAncestorsEnforced() const { return m_frameAncestors.get() && !m_reportOnly; }
 
     // Used to copy plugin-types into a plugin document in a nested
     // browsing context.
     bool hasPluginTypes() const { return !!m_pluginTypes; }
     const String& pluginTypesText() const;
 
     bool shouldSendCSPHeader(Resource::Type) const;
 
     DECLARE_TRACE();
 
 private:
     FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent);

[Mike West, 2016/06/10 09:25:15]

Please add parsing tests to CSPDirectiveListTest to verify the bits of state
that you're setting here.

 
     CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
 
     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
+    void parseRequireSRIFor(const String& name, const String& value);
     void parseReportURI(const String& name, const String& value);
     void parsePluginTypes(const String& name, const String& value);
     void parseReflectedXSS(const String& name, const String& value);
     void parseReferrer(const String& name, const String& value);
     void addDirective(const String& name, const String& value);
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
     void enforceStrictMixedContentChecking(const String& name, const String& value);
     void enableInsecureRequestsUpgrade(const String& name, const String& value);
     void treatAsPublicAddress(const String& name, const String& value);
 
     template <class CSPDirectiveType>
     void setCSPDirective(const String& name, const String& value, Member<CSPDirectiveType>&);
 
     SourceListDirective* operativeDirective(SourceListDirective*) const;
     SourceListDirective* operativeDirective(SourceListDirective*, SourceListDirective* override) const;
     void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, ResourceRequest::RedirectStatus) const;
     void reportViolationWithFrame(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFrame*) const;
     void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     void reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& message, const KURL& blockedURL, ScriptState*, const ContentSecurityPolicy::ExceptionStatus) const;
 
     bool checkEval(SourceListDirective*) const;
     bool checkInline(SourceListDirective*) const;
     bool checkDynamic(SourceListDirective*) const;
     bool isMatchingNoncePresent(SourceListDirective*, const String&) const;
     bool checkHash(SourceListDirective*, const CSPHashValue&) const;
     bool checkHashedAttributes(SourceListDirective*) const;
     bool checkSource(SourceListDirective*, const KURL&, ResourceRequest::RedirectStatus) const;
     bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
     bool checkAncestors(SourceListDirective*, LocalFrame*) const;
+    bool checkIntegrityPresence(WebURLRequest::RequestContext, const IntegrityMetadataSet&) const;
 
     void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
 
     bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, ScriptState*, ContentSecurityPolicy::ExceptionStatus = ContentSecurityPolicy::WillNotThrowException) const;
     bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript, const String& hashValue) const;
 
     bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective, ResourceRequest::RedirectStatus) const;
     bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
     bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*, const KURL&) const;
+    bool checkIntegrityPresenceAndReportViolation(WebURLRequest::RequestContext, const KURL&, const IntegrityMetadataSet&) const;
 
     bool denyIfEnforcingPolicy() const { return m_reportOnly; }
 
     Member<ContentSecurityPolicy> m_policy;
 
     String m_header;
     ContentSecurityPolicyHeaderType m_headerType;
     ContentSecurityPolicyHeaderSource m_headerSource;
 
     bool m_reportOnly;
@@ skipping 17 matching lines @@
     Member<SourceListDirective> m_formAction;
     Member<SourceListDirective> m_frameAncestors;
     Member<SourceListDirective> m_frameSrc;
     Member<SourceListDirective> m_imgSrc;
     Member<SourceListDirective> m_mediaSrc;
     Member<SourceListDirective> m_manifestSrc;
     Member<SourceListDirective> m_objectSrc;
     Member<SourceListDirective> m_scriptSrc;
     Member<SourceListDirective> m_styleSrc;
 
+    Vector<String> m_requireSRIFor;
+
     Vector<String> m_reportEndpoints;
 
     String m_evalDisabledErrorMessage;
 };
 
 } // namespace blink
 
 #endif