Remove the 'reflected-xss' directive from CSP.

third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp

 /*
  * Copyright (C) 2011 Adam Barth. All Rights Reserved.
  * Copyright (C) 2011 Daniel Bates (dbates@intudata.com).
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ skipping 14 matching lines @@
  */
 
 #include "core/html/parser/XSSAuditor.h"
 
 #include "core/HTMLNames.h"
 #include "core/SVGNames.h"
 #include "core/XLinkNames.h"
 #include "core/dom/Document.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/Settings.h"
-#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/html/HTMLParamElement.h"
 #include "core/html/LinkRelAttribute.h"
 #include "core/html/parser/HTMLDocumentParser.h"
 #include "core/html/parser/HTMLParserIdioms.h"
 #include "core/html/parser/TextResourceDecoder.h"
 #include "core/html/parser/XSSAuditorDelegate.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/loader/DocumentLoader.h"
 #include "core/loader/MixedContentChecker.h"
 #include "platform/network/EncodedFormData.h"
@@ skipping 217 matching lines @@
       (position = decodedSnippet.find(isNotHTMLSpace<UChar>, position + 1)) !=
           kNotFound &&
       (position = decodedSnippet.find(
            isTerminatingCharacter,
            isHTMLQuote(decodedSnippet[position]) ? position + 1 : position)) !=
           kNotFound) {
     decodedSnippet.truncate(position);
   }
 }
 
-static ReflectedXSSDisposition combineXSSProtectionHeaderAndCSP(
-    ReflectedXSSDisposition xssProtection,
-    ReflectedXSSDisposition reflectedXSS) {
-  ReflectedXSSDisposition result = std::max(xssProtection, reflectedXSS);
-
-  if (result == ReflectedXSSInvalid || result == FilterReflectedXSS ||
-      result == ReflectedXSSUnset)
-    return FilterReflectedXSS;
-
-  return result;
-}
-
 static bool isSemicolonSeparatedAttribute(
     const HTMLToken::Attribute& attribute) {
   return threadSafeMatch(attribute.nameAsVector(), SVGNames::valuesAttr);
 }
 
 static String semicolonSeparatedValueContainingJavaScriptURL(
     const String& value) {
   Vector<String> valueList;
   value.split(';', valueList);
   for (size_t i = 0; i < valueList.size(); ++i) {
     String stripped = stripLeadingAndTrailingHTMLSpaces(valueList[i]);
     if (protocolIsJavaScript(stripped))
       return stripped;
   }
   return emptyString();
 }
 
 XSSAuditor::XSSAuditor()
     : m_isEnabled(false),
       m_xssProtection(FilterReflectedXSS),
-      m_didSendValidCSPHeader(false),
       m_didSendValidXSSProtectionHeader(false),
       m_state(Uninitialized),
       m_scriptTagFoundInRequest(false),
       m_scriptTagNestingLevel(0),
       m_encoding(UTF8Encoding()) {
   // Although tempting to call init() at this point, the various objects
   // we want to reference might not all have been constructed yet.
 }
 
 void XSSAuditor::initForFragment() {
@@ skipping 43 matching lines @@
 
   if (DocumentLoader* documentLoader =
           document->frame()->loader().documentLoader()) {
     const AtomicString& headerValue =
         documentLoader->response().httpHeaderField(HTTPNames::X_XSS_Protection);
     String errorDetails;
     unsigned errorPosition = 0;
     String reportURL;
     KURL xssProtectionReportURL;
 
-    // Process the X-XSS-Protection header, then mix in the CSP header's value.
     ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(
         headerValue, errorDetails, errorPosition, reportURL);
 
     if (xssProtectionHeader == AllowReflectedXSS)
       UseCounter::count(*document, UseCounter::XSSAuditorDisabled);
     else if (xssProtectionHeader == FilterReflectedXSS)
       UseCounter::count(*document, UseCounter::XSSAuditorEnabledFilter);
     else if (xssProtectionHeader == BlockReflectedXSS)
       UseCounter::count(*document, UseCounter::XSSAuditorEnabledBlock);
     else if (xssProtectionHeader == ReflectedXSSInvalid)
       UseCounter::count(*document, UseCounter::XSSAuditorInvalid);
 
     m_didSendValidXSSProtectionHeader =
         xssProtectionHeader != ReflectedXSSUnset &&
         xssProtectionHeader != ReflectedXSSInvalid;
     if ((xssProtectionHeader == FilterReflectedXSS ||
          xssProtectionHeader == BlockReflectedXSS) &&
         !reportURL.isEmpty()) {
       xssProtectionReportURL = document->completeURL(reportURL);
       if (MixedContentChecker::isMixedContent(document->getSecurityOrigin(),
                                               xssProtectionReportURL)) {
         errorDetails = "insecure reporting URL for secure page";
         xssProtectionHeader = ReflectedXSSInvalid;
         xssProtectionReportURL = KURL();
       }
     }
-    if (xssProtectionHeader == ReflectedXSSInvalid)
+    if (xssProtectionHeader == ReflectedXSSInvalid) {
       document->addConsoleMessage(ConsoleMessage::create(
           SecurityMessageSource, ErrorMessageLevel,
           "Error parsing header X-XSS-Protection: " + headerValue + ": " +
               errorDetails + " at character position " +
               String::format("%u", errorPosition) +
               ". The default protections will be applied."));
+    }
 
-    ReflectedXSSDisposition cspHeader =
-        document->contentSecurityPolicy()->getReflectedXSSDisposition();
-    m_didSendValidCSPHeader =
-        cspHeader != ReflectedXSSUnset && cspHeader != ReflectedXSSInvalid;
+    m_xssProtection = xssProtectionHeader;
+    if (m_xssProtection == ReflectedXSSInvalid ||
+        m_xssProtection == ReflectedXSSUnset) {
+      m_xssProtection = FilterReflectedXSS;
+    }
 
-    m_xssProtection =
-        combineXSSProtectionHeaderAndCSP(xssProtectionHeader, cspHeader);
-    // FIXME: Combine the two report URLs in some reasonable way.
     if (auditorDelegate)
       auditorDelegate->setReportURL(xssProtectionReportURL.copy());
 
     EncodedFormData* httpBody = documentLoader->request().httpBody();
     if (httpBody && !httpBody->isEmpty())
       m_httpBodyAsString = httpBody->flattenToString();
   }
 
   setEncoding(m_encoding);
 }
@@ skipping 37 matching lines @@
   else if (m_scriptTagNestingLevel) {
     if (request.token.type() == HTMLToken::Character)
       didBlockScript = filterCharacterToken(request);
     else if (request.token.type() == HTMLToken::EndTag)
       filterEndToken(request);
   }
 
   if (didBlockScript) {
     bool didBlockEntirePage = (m_xssProtection == BlockReflectedXSS);
     std::unique_ptr<XSSInfo> xssInfo = XSSInfo::create(
-        m_documentURL, didBlockEntirePage, m_didSendValidXSSProtectionHeader,
-        m_didSendValidCSPHeader);
+        m_documentURL, didBlockEntirePage, m_didSendValidXSSProtectionHeader);
     return xssInfo;
   }
   return nullptr;
 }
 
 bool XSSAuditor::filterStartToken(const FilterTokenRequest& request) {
   m_state = FilteringTokens;
   bool didBlockScript = eraseDangerousAttributesIfInjected(request);
 
   if (hasName(request.token, scriptTag)) {
@@ skipping 436 matching lines @@
 }
 
 bool XSSAuditor::isSafeToSendToAnotherThread() const {
   return m_documentURL.isSafeToSendToAnotherThread() &&
          m_decodedURL.isSafeToSendToAnotherThread() &&
          m_decodedHTTPBody.isSafeToSendToAnotherThread() &&
          m_httpBodyAsString.isSafeToSendToAnotherThread();
 }
 
 }  // namespace blink