third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h - Issue 2056183002: Implement the `require-sri-for` CSP directive

Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

Issue 2056183002: Implement the `require-sri-for` CSP directive (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Set integrity metadata to stylesheet request before allowRequest() is invoked Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp ('K') | « third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp ('k') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp » ('j') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

index befa79ce37f8840af11fcd2ca706b592bd98babc..1eb3d018c073d1fdd6adb61585ce0a06d9c60858 100644

--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

@@ -105,6 +105,9 @@ public:

// https://mikewest.github.io/cors-rfc1918/#csp

static const char TreatAsPublicAddress[];

+ // https://w3c.github.io/webappsec-subresource-integrity/#require-sri-for

+ static const char RequireSRIFor[];

enum ReportingStatus {

SendReport,

SuppressReport

@@ -205,7 +208,9 @@ public:

bool allowScriptWithHash(const String& source, InlineType) const;

bool allowStyleWithHash(const String& source, InlineType) const;

- bool allowRequest(WebURLRequest::RequestContext, const KURL&, const String& nonce, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;

+ bool allowRequestWithoutIntegrity(WebURLRequest::RequestContext, const KURL&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;

Mike West 2016/06/24 09:25:06 Nit: I think this will be simpler to understand if

+ bool allowRequest(WebURLRequest::RequestContext, const KURL&, const String& nonce, const IntegrityMetadataSet&, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) const;

void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);

void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);

@@ -228,6 +233,7 @@ public:

void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value);

void reportInvalidPathCharacter(const String& directiveName, const String& value, const char);

void reportInvalidPluginTypes(const String&);

+ void reportInvalidRequireSRIForTokens(const String&);

void reportInvalidSandboxFlags(const String&);

void reportInvalidSourceExpression(const String& directiveName, const String& source);

void reportInvalidReflectedXSS(const String&);