Implement the `require-sri-for` CSP directive

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 3f378187b81d6e7ce58f91da81c9143e6dc3ba2b..159eb4cf1c6074492a600bc5273bf01f3ca8aa78 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -31,6 +31,7 @@
 #include "core/dom/Document.h"
 #include "core/dom/SandboxFlags.h"
 #include "core/events/SecurityPolicyViolationEvent.h"
+#include "core/fetch/IntegrityMetadata.h"
 #include "core/frame/FrameClient.h"
 #include "core/frame/LocalDOMWindow.h"
 #include "core/frame/LocalFrame.h"
@@ -102,6 +103,9 @@ const char ContentSecurityPolicy::UpgradeInsecureRequests[] = "upgrade-insecure-
 // https://mikewest.github.io/cors-rfc1918/#csp
 const char ContentSecurityPolicy::TreatAsPublicAddress[] = "treat-as-public-address";
 
+// https://w3c.github.io/webappsec-subresource-integrity/#require-sri-for
+const char ContentSecurityPolicy::RequireSRIFor[] = "require-sri-for";
+
 bool ContentSecurityPolicy::isDirectiveName(const String& name)
 {
     return (equalIgnoringCase(name, ConnectSrc)
@@ -125,7 +129,8 @@ bool ContentSecurityPolicy::isDirectiveName(const String& name)
         || equalIgnoringCase(name, ManifestSrc)
         || equalIgnoringCase(name, BlockAllMixedContent)
         || equalIgnoringCase(name, UpgradeInsecureRequests)
-        || equalIgnoringCase(name, TreatAsPublicAddress));
+        || equalIgnoringCase(name, TreatAsPublicAddress)
+        || equalIgnoringCase(name, RequireSRIFor));
 }
 
 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type)
@@ -560,7 +565,16 @@ bool ContentSecurityPolicy::allowStyleWithHash(const String& source, InlineType
     return checkDigest<&CSPDirectiveList::allowStyleHash>(source, type, m_styleHashAlgorithmsUsed, m_policies);
 }
 
-bool ContentSecurityPolicy::allowRequest(WebURLRequest::RequestContext context, const KURL& url, const String& nonce, RedirectStatus redirectStatus, ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::checkIntegrityMetadataPresence(WebURLRequest::RequestContext context, const KURL& url, const IntegrityMetadataSet& integrityMetedata, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+    for (const auto& policy : m_policies) {
+        if (!policy->allowRequestWithoutMetadata(context, url, integrityMetedata, reportingStatus))

[Mike West, 2016/06/10 09:25:15]

I don't understand the naming choices here. Why is is named one thing on
ContentSecurityPolicy and another on CSPDirectiveList? I think it makes sense to
name both `allowRequestWithoutIntegrity`, and only to call in if the
IntegrityMetadataSet is empty. See the comments in `::allowRequest`.

WDYT?

[Sergey Shekyan, 2016/06/20 07:12:00]

totally agree. Much clearer.

+            return false;
+    }
+    return true;
+}
+
+bool ContentSecurityPolicy::allowRequest(WebURLRequest::RequestContext context, const KURL& url, const String& nonce, const IntegrityMetadataSet& integrityMetedata, RedirectStatus redirectStatus, ReportingStatus reportingStatus) const

[Mike West, 2016/06/10 09:25:15]

Nit: s/Metedata/Metadata/

[Sergey Shekyan, 2016/06/20 07:12:00]

Acknowledged.

 {
     switch (context) {

[Mike West, 2016/06/10 09:25:15]

Rather than calling `checkIntegrityMetadataPresence` inline with the call to
`allowWhateverFromSource`, it might make things clearer to do something like the
following right at the top:

```
if (integrityMetadata.isEmpty() && !allowRequestWithoutIntegrity(context, url,
redirectStatus, reportingStatus))
    return false;
```

[Sergey Shekyan, 2016/06/20 07:12:00]

Acknowledged.

     case WebURLRequest::RequestContextAudio:
@@ -588,6 +602,8 @@ bool ContentSecurityPolicy::allowRequest(WebURLRequest::RequestContext context,
         return allowChildFrameFromSource(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextImport:
     case WebURLRequest::RequestContextScript:
+        return checkIntegrityMetadataPresence(WebURLRequest::RequestContextScript, url, integrityMetedata, reportingStatus)
+            && allowScriptFromSource(url, nonce, redirectStatus, reportingStatus);

[Mike West, 2016/06/10 09:25:15]

Please add tests for the kinds of script creation that SRI doesn't yet support.
I'm thinking specifically of https://twitter.com/Qab/status/741077446179618816
and imports, but please feel free to be creative. :)

     case WebURLRequest::RequestContextXSLT:
         return allowScriptFromSource(url, nonce, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextManifest:
@@ -597,7 +613,8 @@ bool ContentSecurityPolicy::allowRequest(WebURLRequest::RequestContext context,
     case WebURLRequest::RequestContextWorker:
         return allowWorkerContextFromSource(url, redirectStatus, reportingStatus);

[Mike West, 2016/06/10 09:25:15]

Here too, along with layout tests for worker creation.

     case WebURLRequest::RequestContextStyle:
-        return allowStyleFromSource(url, nonce, redirectStatus, reportingStatus);
+        return checkIntegrityMetadataPresence(WebURLRequest::RequestContextStyle, url, integrityMetedata, reportingStatus)
+            && allowStyleFromSource(url, nonce, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextCSPReport:
     case WebURLRequest::RequestContextDownload:
     case WebURLRequest::RequestContextHyperlink:
@@ -996,6 +1013,11 @@ void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue
     logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"allow\", \"filter\", and \"block\".");
 }
 
+void ContentSecurityPolicy::reportInvalidRequireSRIForTokens(const String& invalidTokens)
+{
+    logToConsole("Error while parsing the 'require-sri-for' Content Security Policy directive: " + invalidTokens);
+}
+
 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value)
 {
     String message = "The value for Content Security Policy directive '" + directiveName + "' contains an invalid character: '" + value + "'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.";