Added validation of the policy specified in the 'csp' attribute

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
index 15c4761398dfd996f85385ff139212bbd6e84611..fc4297a5368f7c09abde5eee3c87d00590078fc0 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -957,7 +957,7 @@ void CSPDirectiveList::Parse(const UChar* begin, const UChar* end) {
     skipUntil<UChar>(position, end, ';');
 
     String name, value;
-    if (ParseDirective(directive_begin, position, name, value)) {
+    if (ParseDirective(directive_begin, position, name, value, policy_)) {
       DCHECK(!name.IsEmpty());
       AddDirective(name, value);
     }
@@ -967,14 +967,52 @@ void CSPDirectiveList::Parse(const UChar* begin, const UChar* end) {
   }
 }
 
+// static
+bool CSPDirectiveList::IsValid(const String& directive_list) {
+  Vector<UChar> characters;
+  directive_list.AppendTo(characters);
+  const UChar* begin = characters.data();
+  const UChar* end = begin + characters.size();
+
+  return IsValid(begin, end);
+}
+
+// static
+bool CSPDirectiveList::IsValid(const UChar* begin, const UChar* end) {
+  if (begin == end)
+    return false;
+
+  String name, value;
+  const UChar* position = begin;
+  while (position < end) {
+    const UChar* directive_begin = position;
+    skipUntil<UChar>(position, end, ';');
+
+    name = value = "";

[Mike West, 2017/05/23 19:21:36]

I don't think you actually need two strings. Something like

```
String unused;
...
if (!ParseDirective(directive_begin, position, unused, unused, nullptr))
```

should work.

[andypaicu, 2017/05/26 14:41:09]

I've modified this whole bit.

+    if (!ParseDirective(directive_begin, position, name, value, nullptr))

[Mike West, 2017/05/23 19:21:36]

This is doing to dump console messages that probably don't make sense. I'd
suggest adding something to ... oh. That's why you added the `nullptr`. I see.
Hrm. I think I'd prefer that to be an enum. You can reuse the existing
`SecurityViolationReportingPolicy` enum if you like, but that seems better to me
than passing in a policy at the other callsites.

Oh. Hrm. Nevermind. You made it static. So that doesn't work. Hrm.

Ok. I guess it's not _too_ magical. :/ Can you add a comment to the .h file so
that potential callers understand when reports are generated?

[andypaicu, 2017/05/26 14:41:09]

I've modified this whole bit.

+      return false;
+
+    if (ContentSecurityPolicy::GetDirectiveType(name) ==
+        ContentSecurityPolicy::DirectiveType::kUndefined)

[Mike West, 2017/05/23 19:21:36]

Style nit: {} after multi-line conditionals.

[andypaicu, 2017/05/26 14:41:09]

I've modified this whole bit.

+      return false;
+
+    DCHECK(position == end || *position == ';');
+    skipExactly<UChar>(position, end, ';');
+  }
+
+  return true;
+}
+
 // directive         = *WSP [ directive-name [ WSP directive-value ] ]
 // directive-name    = 1*( ALPHA / DIGIT / "-" )
 // directive-value   = *( WSP / <VCHAR except ";"> )
-//
+
+// static
 bool CSPDirectiveList::ParseDirective(const UChar* begin,
                                       const UChar* end,
                                       String& name,
-                                      String& value) {
+                                      String& value,
+                                      ContentSecurityPolicy* policy) {
   DCHECK(name.IsEmpty());
   DCHECK(value.IsEmpty());
 
@@ -991,8 +1029,10 @@ bool CSPDirectiveList::ParseDirective(const UChar* begin,
   // The directive-name must be non-empty.
   if (name_begin == position) {
     skipWhile<UChar, IsNotASCIISpace>(position, end);
-    policy_->ReportUnsupportedDirective(
-        String(name_begin, position - name_begin));
+    if (policy) {
+      policy->ReportUnsupportedDirective(
+          String(name_begin, position - name_begin));
+    }
     return false;
   }
 
@@ -1003,8 +1043,10 @@ bool CSPDirectiveList::ParseDirective(const UChar* begin,
 
   if (!skipExactly<UChar, IsASCIISpace>(position, end)) {
     skipWhile<UChar, IsNotASCIISpace>(position, end);
-    policy_->ReportUnsupportedDirective(
-        String(name_begin, position - name_begin));
+    if (policy) {
+      policy->ReportUnsupportedDirective(
+          String(name_begin, position - name_begin));
+    }
     return false;
   }
 
@@ -1014,8 +1056,10 @@ bool CSPDirectiveList::ParseDirective(const UChar* begin,
   skipWhile<UChar, IsCSPDirectiveValueCharacter>(position, end);
 
   if (position != end) {
-    policy_->ReportInvalidDirectiveValueCharacter(
-        name, String(value_begin, end - value_begin));
+    if (policy) {
+      policy->ReportInvalidDirectiveValueCharacter(
+          name, String(value_begin, end - value_begin));
+    }
     return false;
   }
 
@@ -1225,9 +1269,7 @@ void CSPDirectiveList::AddDirective(const String& name, const String& value) {
     policy_->UsesScriptHashAlgorithms(script_src_->HashAlgorithmsUsed());
   } else if (type == ContentSecurityPolicy::DirectiveType::kObjectSrc) {
     SetCSPDirective<SourceListDirective>(name, value, object_src_);
-  } else if (type ==
-
-             ContentSecurityPolicy::DirectiveType::kFrameAncestors) {
+  } else if (type == ContentSecurityPolicy::DirectiveType::kFrameAncestors) {
     SetCSPDirective<SourceListDirective>(name, value, frame_ancestors_);
   } else if (type == ContentSecurityPolicy::DirectiveType::kFrameSrc) {
     SetCSPDirective<SourceListDirective>(name, value, frame_src_);