CSP Suborigins

Source/core/frame/csp/CSPDirectiveList.cpp

Index: Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/Source/core/frame/csp/CSPDirectiveList.cpp b/Source/core/frame/csp/CSPDirectiveList.cpp
index 4ea6b5046615a3ee61c4d4b570ab1ac00f98ff84..62ad141fb92a35e58bfd5cb20e5eca9646dbdfe9 100644
--- a/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -18,6 +18,7 @@ CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
     , m_headerSource(source)
     , m_reportOnly(false)
     , m_haveSandboxPolicy(false)
+    , m_haveSuboriginPolicy(false)
     , m_reflectedXSSDisposition(ReflectedXSSUnset)
     , m_didSetReferrerPolicy(false)
     , m_referrerPolicy(ReferrerPolicyDefault)
@@ -524,6 +525,19 @@ void CSPDirectiveList::applySandboxPolicy(const String& name, const String& sand
         m_policy->reportInvalidSandboxFlags(invalidTokens);
 }
 
+void CSPDirectiveList::applySuboriginPolicy(const String& name, const String& suboriginPolicy)
+{
+    if (m_haveSuboriginPolicy) {
+        m_policy->reportDuplicateDirective(name);
+        return;
+    }
+    m_haveSuboriginPolicy = true;
+    String invalidTokens;
+    m_policy->enforceSuborigin(parseSuboriginName(suboriginPolicy, invalidTokens));

[abarth-chromium, 2014/07/31 04:56:47]

parseSuboriginName <-- This function should be with the rest of the CSP parsing
functions, not off in a separate file.

Can parseSuboriginName fail?  If it fails, should we not enforceSuborigin?

[jww, 2014/10/21 23:51:06]

Done.
Yes, it can fail, and correct, it doesn't enforce the suborigin in that case.
It's not clear in this code, because they way this is done is by passing a null
suborigin, which implies a lack of suborigin, and thus isn't enforced. I'm
changing this in the new version to make this clearer, though.

+    if (!invalidTokens.isNull())
+        m_policy->reportInvalidSuboriginFlags(invalidTokens);
+}
+
 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value)
 {
     if (m_reflectedXSSDisposition != ReflectedXSSUnset) {
@@ -668,6 +682,8 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
             parseReflectedXSS(name, value);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer))
             parseReferrer(name, value);
+        else if (equalIgnoringCase(name, ContentSecurityPolicy::Suborigin))
+            applySuboriginPolicy(name, value);
         else
             m_policy->reportUnsupportedDirective(name);
     } else {