CSP: Move parsing a document's CSP to DocumentLoader::responseReceived.

Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 238 matching lines @@
         skipExactly<UChar>(position, end, ',');
         begin = position;
     }
 }
 
 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
 {
     m_overrideInlineStyleAllowed = value;
 }
 
+void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url)
+{
+    // Create a temporary CSPSource so that 'self' expressions can be resolved before we bind to
+    // an execution context (for 'frame-ancestor' resolution, for example). This CSPSource will
+    // be overwritten when we bind this object to an execution context.
+    RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url);
+    m_selfSource = adoptPtr(new CSPSource(this, origin->protocol(), origin->host(), origin->port(), String(), false, false));

[jochen (gone - plz use gerrit), 2014/09/11 12:49:44]

bool parameters? sadness...

+}
+
 const String& ContentSecurityPolicy::deprecatedHeader() const
 {
     return m_policies.isEmpty() ? emptyString() : m_policies[0]->header();
 }
 
 ContentSecurityPolicyHeaderType ContentSecurityPolicy::deprecatedHeaderType() const
 {
     return m_policies.isEmpty() ? ContentSecurityPolicyHeaderTypeEnforce : m_policies[0]->headerType();
 }
 
@@ skipping 348 matching lines @@
     if (callFrame.lineNumber()) {
         KURL source = KURL(ParsedURLString, callFrame.sourceURL());
         init.sourceFile = stripURLForUseInReport(document, source);
         init.lineNumber = callFrame.lineNumber();
         init.columnNumber = callFrame.columnNumber();
     }
 }
 
 void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<String>& reportEndpoints, const String& header)
 {
+    // FIXME: Support sending 'frame-ancestor' reports (which occur before we're bound to an execution context)
+    if (!m_executionContext)
+        return;
+
     // FIXME: Support sending reports from worker.
     Document* document = this->document();
     if (!document)
         return;
 
     LocalFrame* frame = document->frame();
     if (!frame)
         return;
 
     SecurityPolicyViolationEventInit violationData;
@@ skipping 203 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink