CSP: Don't override the location set in reportViolationWithLocation.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "core/frame/csp/ContentSecurityPolicy.h"
 
 #include <memory>
 #include "bindings/core/v8/ScriptController.h"
-#include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/DOMStringList.h"
 #include "core/dom/Document.h"
 #include "core/dom/Element.h"
 #include "core/dom/SandboxFlags.h"
 #include "core/dom/TaskRunnerHelper.h"
 #include "core/events/EventQueue.h"
 #include "core/events/SecurityPolicyViolationEvent.h"
 #include "core/frame/FrameClient.h"
 #include "core/frame/LocalDOMWindow.h"
 #include "core/frame/LocalFrame.h"
@@ skipping 992 matching lines @@
 static void gatherSecurityPolicyViolationEventData(
     SecurityPolicyViolationEventInit& init,
     ExecutionContext* context,
     const String& directiveText,
     const ContentSecurityPolicy::DirectiveType& effectiveType,
     const KURL& blockedURL,
     const String& header,
     RedirectStatus redirectStatus,
     ContentSecurityPolicyHeaderType headerType,
     ContentSecurityPolicy::ViolationType violationType,
-    int contextLine,
+    std::unique_ptr<SourceLocation> sourceLocation,
     const String& scriptSource) {
   if (effectiveType == ContentSecurityPolicy::DirectiveType::FrameAncestors) {
     // If this load was blocked via 'frame-ancestors', then the URL of
     // |document| has not yet been initialized. In this case, we'll set both
     // 'documentURI' and 'blockedURI' to the blocked document's URL.
     String strippedURL = stripURLForUseInReport(
         context, blockedURL, RedirectStatus::NoRedirect,
         ContentSecurityPolicy::DirectiveType::DefaultSrc);
     init.setDocumentURI(strippedURL);
     init.setBlockedURI(strippedURL);
@@ skipping 17 matching lines @@
   }
 
   String effectiveDirective =
       ContentSecurityPolicy::getDirectiveName(effectiveType);
   init.setViolatedDirective(effectiveDirective);
   init.setEffectiveDirective(effectiveDirective);
   init.setOriginalPolicy(header);
   init.setDisposition(headerType == ContentSecurityPolicyHeaderTypeEnforce
                           ? "enforce"
                           : "report");
-  init.setSourceFile(String());
-  init.setLineNumber(contextLine);
-  init.setColumnNumber(0);
   init.setStatusCode(0);
 
   // TODO(mkwst): We only have referrer and status code information for
   // Documents. It would be nice to get them for Workers as well.
   if (context->isDocument()) {
     Document* document = toDocument(context);
     DCHECK(document);
     init.setReferrer(document->referrer());
     if (!SecurityOrigin::isSecure(context->url()) && document->loader())
       init.setStatusCode(document->loader()->response().httpStatusCode());
   }
 
-  std::unique_ptr<SourceLocation> location = SourceLocation::capture(context);
-  if (location->lineNumber()) {
-    KURL source = KURL(ParsedURLString, location->url());
+  // If no source location is provided, use the source location of the context.
+  if (!sourceLocation)
+    sourceLocation = SourceLocation::capture(context);
+  if (sourceLocation->lineNumber()) {
+    KURL source = KURL(ParsedURLString, sourceLocation->url());
     init.setSourceFile(
         stripURLForUseInReport(context, source, redirectStatus, effectiveType));
-    init.setLineNumber(location->lineNumber());
-    init.setColumnNumber(location->columnNumber());
+    init.setLineNumber(sourceLocation->lineNumber());
+    init.setColumnNumber(sourceLocation->columnNumber());
+  } else {
+    init.setSourceFile(String());
+    init.setLineNumber(0);
+    init.setColumnNumber(0);
   }
 
   if (!scriptSource.isEmpty())
     init.setSample(scriptSource.stripWhiteSpace().left(40));
 }
 
 void ContentSecurityPolicy::reportViolation(
     const String& directiveText,
     const DirectiveType& effectiveType,
     const String& consoleMessage,
     const KURL& blockedURL,
     const Vector<String>& reportEndpoints,
     const String& header,
     ContentSecurityPolicyHeaderType headerType,
     ViolationType violationType,
+    std::unique_ptr<SourceLocation> sourceLocation,
     LocalFrame* contextFrame,
     RedirectStatus redirectStatus,
-    int contextLine,
     Element* element,
     const String& source) {
   ASSERT(violationType == URLViolation || blockedURL.isEmpty());
 
   // TODO(lukasza): Support sending reports from OOPIFs -
   // https://crbug.com/611232 (or move CSP child-src and frame-src checks to the
   // browser process - see https://crbug.com/376522).
   if (!m_executionContext && !contextFrame) {
     DCHECK(effectiveType == DirectiveType::ChildSrc ||
            effectiveType == DirectiveType::FrameSrc ||
            effectiveType == DirectiveType::PluginTypes);
     return;
   }
 
   DCHECK((m_executionContext && !contextFrame) ||
          ((effectiveType == DirectiveType::FrameAncestors) && contextFrame));
 
   SecurityPolicyViolationEventInit violationData;
 
   // If we're processing 'frame-ancestors', use |contextFrame|'s execution
   // context to gather data. Otherwise, use the policy's execution context.
   ExecutionContext* relevantContext =
       contextFrame ? contextFrame->document() : m_executionContext;
   DCHECK(relevantContext);
   gatherSecurityPolicyViolationEventData(
       violationData, relevantContext, directiveText, effectiveType, blockedURL,
-      header, redirectStatus, headerType, violationType, contextLine, source);
+      header, redirectStatus, headerType, violationType,
+      std::move(sourceLocation), source);
 
   // TODO(mkwst): Obviously, we shouldn't hit this check, as extension-loaded
   // resources should be allowed regardless. We apparently do, however, so
   // we should at least stop spamming reporting endpoints. See
   // https://crbug.com/524356 for detail.
   if (!violationData.sourceFile().isEmpty() &&
       shouldBypassContentSecurityPolicy(
           KURL(ParsedURLString, violationData.sourceFile()))) {
     return;
   }
@@ skipping 485 matching lines @@
   if (SecurityOrigin::shouldUseInnerURL(url)) {
     return SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
         SecurityOrigin::extractInnerURL(url).protocol(), area);
   } else {
     return SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
         url.protocol(), area);
   }
 }
 
 }  // namespace blink