Remove the 'reflected-xss' directive from CSP.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 74 matching lines @@
 const char ContentSecurityPolicy::Sandbox[] = "sandbox";
 const char ContentSecurityPolicy::ScriptSrc[] = "script-src";
 const char ContentSecurityPolicy::StyleSrc[] = "style-src";
 
 // CSP Level 2 Directives
 const char ContentSecurityPolicy::BaseURI[] = "base-uri";
 const char ContentSecurityPolicy::ChildSrc[] = "child-src";
 const char ContentSecurityPolicy::FormAction[] = "form-action";
 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors";
 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types";
-const char ContentSecurityPolicy::ReflectedXSS[] = "reflected-xss";
 const char ContentSecurityPolicy::Referrer[] = "referrer";
 
 // CSP Editor's Draft:
 // https://w3c.github.io/webappsec/specs/content-security-policy
 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src";
 
 // Mixed Content Directive
 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
 const char ContentSecurityPolicy::BlockAllMixedContent[] =
     "block-all-mixed-content";
@@ skipping 14 matching lines @@
       equalIgnoringCase(name, ConnectSrc) ||
       equalIgnoringCase(name, DefaultSrc) || equalIgnoringCase(name, FontSrc) ||
       equalIgnoringCase(name, FrameSrc) || equalIgnoringCase(name, ImgSrc) ||
       equalIgnoringCase(name, MediaSrc) || equalIgnoringCase(name, ObjectSrc) ||
       equalIgnoringCase(name, ReportURI) || equalIgnoringCase(name, Sandbox) ||
       equalIgnoringCase(name, ScriptSrc) || equalIgnoringCase(name, StyleSrc) ||
       equalIgnoringCase(name, BaseURI) || equalIgnoringCase(name, ChildSrc) ||
       equalIgnoringCase(name, FormAction) ||
       equalIgnoringCase(name, FrameAncestors) ||
       equalIgnoringCase(name, PluginTypes) ||
-      equalIgnoringCase(name, ReflectedXSS) ||
       equalIgnoringCase(name, Referrer) ||
       equalIgnoringCase(name, ManifestSrc) ||
       equalIgnoringCase(name, BlockAllMixedContent) ||
       equalIgnoringCase(name, UpgradeInsecureRequests) ||
       equalIgnoringCase(name, TreatAsPublicAddress) ||
       equalIgnoringCase(name, RequireSRIFor));
 }
 
 bool ContentSecurityPolicy::isNonceableElement(const Element* element) {
   if (!element->fastHasAttribute(HTMLNames::nonceAttr))
@@ skipping 862 matching lines @@
     if (policy->isFrameAncestorsEnforced())
       return true;
   }
   return false;
 }
 
 bool ContentSecurityPolicy::isActive() const {
   return !m_policies.isEmpty();
 }
 
-ReflectedXSSDisposition ContentSecurityPolicy::getReflectedXSSDisposition()
-    const {
-  ReflectedXSSDisposition disposition = ReflectedXSSUnset;
-  for (const auto& policy : m_policies) {
-    if (policy->getReflectedXSSDisposition() > disposition)
-      disposition = std::max(disposition, policy->getReflectedXSSDisposition());
-  }
-  return disposition;
-}
-
 bool ContentSecurityPolicy::didSetReferrerPolicy() const {
   for (const auto& policy : m_policies) {
     if (policy->didSetReferrerPolicy())
       return true;
   }
   return false;
 }
 
 const KURL ContentSecurityPolicy::url() const {
   return m_executionContext->contextURL();
@@ skipping 366 matching lines @@
   logToConsole(message);
 }
 
 void ContentSecurityPolicy::reportInvalidSandboxFlags(
     const String& invalidFlags) {
   logToConsole(
       "Error while parsing the 'sandbox' Content Security Policy directive: " +
       invalidFlags);
 }
 
-void ContentSecurityPolicy::reportInvalidReflectedXSS(
-    const String& invalidValue) {
-  logToConsole(
-      "The 'reflected-xss' Content Security Policy directive has the invalid "
-      "value \"" +
-      invalidValue +
-      "\". Valid values are \"allow\", \"filter\", and \"block\".");
-}
-
 void ContentSecurityPolicy::reportInvalidRequireSRIForTokens(
     const String& invalidTokens) {
   logToConsole(
       "Error while parsing the 'require-sri-for' Content Security Policy "
       "directive: " +
       invalidTokens);
 }
 
 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(
     const String& directiveName,
@@ skipping 116 matching lines @@
   // Collisions have no security impact, so we can save space by storing only
   // the string's hash rather than the whole report.
   return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report) {
   m_violationReportsSent.add(report.impl()->hash());
 }
 
 }  // namespace blink