Implement the `require-sri-for` CSP directive

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h

Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
index 257ccb0ef2b40cd38faa8a21fed5e6c7c6b2a1b6..ba269c0f8fb846955080b9abfc138a4b6e8193ae 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
@@ -66,6 +66,8 @@ public:
     bool allowStyleHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const;
     bool allowDynamic() const;
 
+    bool allowRequestWithoutMetadata(WebURLRequest::RequestContext, const KURL&, const IntegrityMetadataSet&, ContentSecurityPolicy::ReportingStatus) const;

[jww, 2016/06/11 22:45:12]

nit: I'd prefer that this have 'Integrity' somewhere in the method name since I
expect that 'metadata' may be used elsewhere in CSP at a later point. So perhaps
named "allowRequestWithoutIntegrityMetadata"?

[Sergey Shekyan, 2016/06/20 07:12:00]

I renamed it to "allowRequestWithoutIntegrity". Trying to commit a code right
before vacation flight was not a good idea.

+
     bool strictMixedContentChecking() const { return m_strictMixedContentCheckingEnforced; }
     void reportMixedContent(const KURL& mixedURL, ResourceRequest::RedirectStatus) const;
 
@@ -75,6 +77,7 @@ public:
     bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; }
     bool isReportOnly() const { return m_reportOnly; }
     const Vector<String>& reportEndpoints() const { return m_reportEndpoints; }
+    const Vector<String>& requireSRIForTokens() const { return m_requireSRIFor; }
     bool isFrameAncestorsEnforced() const { return m_frameAncestors.get() && !m_reportOnly; }
 
     // Used to copy plugin-types into a plugin document in a nested
@@ -92,6 +95,7 @@ private:
     CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
 
     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
+    void parseRequireSRIFor(const String& name, const String& value);
     void parseReportURI(const String& name, const String& value);
     void parsePluginTypes(const String& name, const String& value);
     void parseReflectedXSS(const String& name, const String& value);
@@ -121,6 +125,7 @@ private:
     bool checkSource(SourceListDirective*, const KURL&, ResourceRequest::RedirectStatus) const;
     bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
     bool checkAncestors(SourceListDirective*, LocalFrame*) const;
+    bool checkIntegrityPresence(WebURLRequest::RequestContext, const IntegrityMetadataSet&) const;
 
     void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
 
@@ -130,6 +135,7 @@ private:
     bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective, ResourceRequest::RedirectStatus) const;
     bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
     bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*, const KURL&) const;
+    bool checkIntegrityPresenceAndReportViolation(WebURLRequest::RequestContext, const KURL&, const IntegrityMetadataSet&) const;
 
     bool denyIfEnforcingPolicy() const { return m_reportOnly; }
 
@@ -167,6 +173,8 @@ private:
     Member<SourceListDirective> m_scriptSrc;
     Member<SourceListDirective> m_styleSrc;
 
+    Vector<String> m_requireSRIFor;
+
     Vector<String> m_reportEndpoints;
 
     String m_evalDisabledErrorMessage;