Implement CSP check for manifest fetching

Source/core/frame/csp/CSPDirectiveList.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "core/dom/Document.h"
 #include "core/frame/LocalFrame.h"
 #include "core/inspector/ConsoleMessage.h"
@@ skipping 182 matching lines @@
     else if (ContentSecurityPolicy::FontSrc == effectiveDirective)
         prefix = "Refused to load the font '";
     else if (ContentSecurityPolicy::FormAction == effectiveDirective)
         prefix = "Refused to send form data to '";
     else if (ContentSecurityPolicy::FrameSrc == effectiveDirective)
         prefix = "Refused to frame '";
     else if (ContentSecurityPolicy::ImgSrc == effectiveDirective)
         prefix = "Refused to load the image '";
     else if (ContentSecurityPolicy::MediaSrc == effectiveDirective)
         prefix = "Refused to load media from '";
+    else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective)
+        prefix = "Refused to load manifest from '";
     else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective)
         prefix = "Refused to load plugin data from '";
     else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective)
         prefix = "Refused to load the script '";
     else if (ContentSecurityPolicy::StyleSrc == effectiveDirective)
         prefix = "Refused to load the stylesheet '";
 
     String suffix = String();
     if (directive == m_defaultSrc)
         suffix = " Note that '" + effectiveDirective + "' was not explicitly set, so 'default-src' is used as a fallback.";
@@ skipping 118 matching lines @@
         checkSource(operativeDirective(m_fontSrc.get()), url);
 }
 
 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, ContentSecurityPolicy::MediaSrc) :
         checkSource(operativeDirective(m_mediaSrc.get()), url);
 }
 
+bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+    return reportingStatus == ContentSecurityPolicy::SendReport ?
+        checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), url, ContentSecurityPolicy::ManifestSrc) :
+        checkSource(operativeDirective(m_manifestSrc.get()), url);
+}
+
 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, ContentSecurityPolicy::ConnectSrc) :
         checkSource(operativeDirective(m_connectSrc.get()), url);
 }
 
 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
@@ skipping 295 matching lines @@
         setCSPDirective<SourceListDirective>(name, value, m_frameSrc);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_imgSrc);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_styleSrc);
         m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed());
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_fontSrc);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_mediaSrc);
+    } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) {
+        setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);

[Mike West, 2014/09/16 11:46:20]

This needs to be gated on a runtime flag. I think you'll need to add one for
Manifest, as I think it was removed in an earlier commit.

     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) {
         applySandboxPolicy(name, value);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) {
         parseReportURI(name, value);
     } else if (m_policy->experimentalFeaturesEnabled()) {
         if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI))
             setCSPDirective<SourceListDirective>(name, value, m_baseURI);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc))
             setCSPDirective<SourceListDirective>(name, value, m_childSrc);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction))
             setCSPDirective<SourceListDirective>(name, value, m_formAction);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes))
             setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS))
             parseReflectedXSS(name, value);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer))
             parseReferrer(name, value);
         else
             m_policy->reportUnsupportedDirective(name);
     } else {
         m_policy->reportUnsupportedDirective(name);
     }
 }
 
 
 } // namespace blink