CSP Suborigins

Source/core/dom/ExecutionContext.cpp

Index: Source/core/dom/ExecutionContext.cpp
diff --git a/Source/core/dom/ExecutionContext.cpp b/Source/core/dom/ExecutionContext.cpp
index 5abde3878489ee2166a8fe0a3988a17fbe8b2a69..ed79927892bebb3e3743430203b92859f454e8d1 100644
--- a/Source/core/dom/ExecutionContext.cpp
+++ b/Source/core/dom/ExecutionContext.cpp
@@ -37,6 +37,7 @@
 #include "core/page/WindowFocusAllowedIndicator.h"
 #include "core/workers/WorkerGlobalScope.h"
 #include "core/workers/WorkerThread.h"
+#include "platform/RuntimeEnabledFeatures.h"
 #include "wtf/MainThread.h"
 
 namespace blink {
@@ -226,6 +227,20 @@ bool ExecutionContext::isWindowInteractionAllowed() const
     return m_windowInteractionTokens > 0 || WindowFocusAllowedIndicator::windowFocusAllowed();
 }
 
+// |name| should be non-empty, and this should be enforced by parsing.
+void ExecutionContext::enforceSuborigin(const String& name)
+{
+    if (name.isNull())
+        return;
+    ASSERT(!name.isEmpty());
+    ASSERT(RuntimeEnabledFeatures::suboriginsEnabled());
+    SecurityOrigin* origin = securityContext().securityOrigin();
+    ASSERT(origin);
+    ASSERT(!origin->hasSuborigin() || origin->suboriginName() == name);

[Mike West, 2015/03/23 07:32:55]

ASSERTing here means that `Content-Security-Policy: suborigin foo, suborigin
bar` will crash the renderer, doesn't it?

[jww, 2015/04/11 02:52:36]

It should never get to that point. In the assignment of suborigins, the last
assigned suborigin should "win" and be the assigned suborigin. If this state is
ever reached in enforce, something very bad has happened, hence the ASSERT. I've
added a test for multiple suborigins to verify that there isn't a renderer
crash.

+    origin->addSuborigin(name);
+    securityContext().didUpdateSecurityOrigin();
+}
+
 DEFINE_TRACE(ExecutionContext)
 {
 #if ENABLE(OILPAN)