Add `disposition` to SecurityPolicyViolationEvent

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 1037 matching lines @@
 }
 
 static void gatherSecurityPolicyViolationEventData(
     SecurityPolicyViolationEventInit& init,
     Document* document,
     const String& directiveText,
     const String& effectiveDirective,
     const KURL& blockedURL,
     const String& header,
     RedirectStatus redirectStatus,
+    ContentSecurityPolicyHeaderType headerType,
     ContentSecurityPolicy::ViolationType violationType,
     int contextLine) {
   if (equalIgnoringCase(effectiveDirective,
                         ContentSecurityPolicy::FrameAncestors)) {
     // If this load was blocked via 'frame-ancestors', then the URL of
     // |document| has not yet been initialized. In this case, we'll set both
     // 'documentURI' and 'blockedURI' to the blocked document's URL.
     init.setDocumentURI(blockedURL.getString());
     init.setBlockedURI(blockedURL.getString());
   } else {
     init.setDocumentURI(document->url().getString());
     switch (violationType) {
       case ContentSecurityPolicy::InlineViolation:
         init.setBlockedURI("inline");
         break;
       case ContentSecurityPolicy::EvalViolation:
         init.setBlockedURI("eval");
         break;
       case ContentSecurityPolicy::URLViolation:
         init.setBlockedURI(stripURLForUseInReport(
             document, blockedURL, redirectStatus, effectiveDirective));
         break;
     }
   }
   init.setReferrer(document->referrer());
   init.setViolatedDirective(directiveText);
   init.setEffectiveDirective(effectiveDirective);
   init.setOriginalPolicy(header);
+  init.setDisposition(headerType == ContentSecurityPolicyHeaderTypeEnforce
+                          ? "enforce"
+                          : "report");
   init.setSourceFile(String());
   init.setLineNumber(contextLine);
   init.setColumnNumber(0);
   init.setStatusCode(0);
 
   if (!SecurityOrigin::isSecure(document->url()) && document->loader())
     init.setStatusCode(document->loader()->response().httpStatusCode());
 
   std::unique_ptr<SourceLocation> location = SourceLocation::capture(document);
   if (location->lineNumber()) {
     KURL source = KURL(ParsedURLString, location->url());
     init.setSourceFile(stripURLForUseInReport(document, source, redirectStatus,
                                               effectiveDirective));
     init.setLineNumber(location->lineNumber());
     init.setColumnNumber(location->columnNumber());
   }
 }
 
 void ContentSecurityPolicy::reportViolation(
     const String& directiveText,
     const String& effectiveDirective,
     const String& consoleMessage,
     const KURL& blockedURL,
     const Vector<String>& reportEndpoints,
     const String& header,
+    ContentSecurityPolicyHeaderType headerType,
     ViolationType violationType,
     LocalFrame* contextFrame,
     RedirectStatus redirectStatus,
     int contextLine) {
   ASSERT(violationType == URLViolation || blockedURL.isEmpty());
 
   // TODO(lukasza): Support sending reports from OOPIFs -
   // https://crbug.com/611232 (or move CSP child-src and frame-src checks to the
   // browser process - see https://crbug.com/376522).
   if (!m_executionContext && !contextFrame) {
@@ skipping 13 matching lines @@
 
   // FIXME: Support sending reports from worker.
   Document* document =
       contextFrame ? contextFrame->document() : this->document();
   if (!document)
     return;
 
   SecurityPolicyViolationEventInit violationData;
   gatherSecurityPolicyViolationEventData(
       violationData, document, directiveText, effectiveDirective, blockedURL,
-      header, redirectStatus, violationType, contextLine);
+      header, redirectStatus, headerType, violationType, contextLine);
 
   // TODO(mkwst): Obviously, we shouldn't hit this check, as extension-loaded
   // resources should be allowed regardless. We apparently do, however, so
   // we should at least stop spamming reporting endpoints. See
   // https://crbug.com/524356 for detail.
   if (!violationData.sourceFile().isEmpty() &&
       SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
           KURL(ParsedURLString, violationData.sourceFile()).protocol()))
     return;
 
   // We need to be careful here when deciding what information to send to the
   // report-uri. Currently, we send only the current document's URL and the
   // directive that was violated. The document's URL is safe to send because
   // it's the document itself that's requesting that it be sent. You could
   // make an argument that we shouldn't send HTTPS document URLs to HTTP
   // report-uris (for the same reasons that we supress the Referer in that
   // case), but the Referer is sent implicitly whereas this request is only
   // sent explicitly. As for which directive was violated, that's pretty
   // harmless information.
 
   std::unique_ptr<JSONObject> cspReport = JSONObject::create();
   cspReport->setString("document-uri", violationData.documentURI());
   cspReport->setString("referrer", violationData.referrer());
   cspReport->setString("violated-directive", violationData.violatedDirective());
   cspReport->setString("effective-directive",
                        violationData.effectiveDirective());
   cspReport->setString("original-policy", violationData.originalPolicy());
+  cspReport->setString("disposition", violationData.disposition());
   cspReport->setString("blocked-uri", violationData.blockedURI());
   if (violationData.lineNumber())
     cspReport->setInteger("line-number", violationData.lineNumber());
   if (violationData.columnNumber())
     cspReport->setInteger("column-number", violationData.columnNumber());
   if (!violationData.sourceFile().isEmpty())
     cspReport->setString("source-file", violationData.sourceFile());
   cspReport->setInteger("status-code", violationData.statusCode());
 
   std::unique_ptr<JSONObject> reportObject = JSONObject::create();
@@ skipping 297 matching lines @@
   // Collisions have no security impact, so we can save space by storing only
   // the string's hash rather than the whole report.
   return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report) {
   m_violationReportsSent.add(report.impl()->hash());
 }
 
 }  // namespace blink