Implement CSP check for manifest fetching

Source/core/frame/csp/ContentSecurityPolicy.h

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 68 matching lines @@
 
     // CSP 1.1 Directives
     static const char BaseURI[];
     static const char ChildSrc[];
     static const char FormAction[];
     static const char FrameAncestors[];
     static const char PluginTypes[];
     static const char ReflectedXSS[];
     static const char Referrer[];
 
+    // Manifest Directives (to be merged into CSP 1.1)

[Mike West, 2014/09/29 11:00:46]

Nit: Can you change this and line 80 to refer to "CSP Level 2"? We changed the
versioning.

+    // https://w3c.github.io/manifest/#content-security-policy
+    static const char ManifestSrc[];
+
     enum ReportingStatus {
         SendReport,
         SuppressReport
     };
 
     static PassRefPtr<ContentSecurityPolicy> create()
     {
         return adoptRef(new ContentSecurityPolicy());
     }
     ~ContentSecurityPolicy();
@@ skipping 23 matching lines @@
     bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const;
     bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const;
     bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const;
     bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const;
     bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
     bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const;
     bool allowAncestors(LocalFrame*, const KURL&, ReportingStatus = SendReport) const;
     bool allowChildContextFromSource(const KURL&, ReportingStatus = SendReport) const;
     bool allowWorkerContextFromSource(const KURL&, ReportingStatus = SendReport) const;
 
+    bool allowManifestFromSource(const KURL&, ReportingStatus = SendReport) const;
+
     // The nonce and hash allow functions are guaranteed to not have any side
     // effects, including reporting.
     // Nonce/Hash functions check all policies relating to use of a script/style
     // with the given nonce/hash and return true all CSP policies allow it.
     // If these return true, callers can then process the content or
     // issue a load and be safe disabling any further CSP checks.
     bool allowScriptWithNonce(const String& nonce) const;
     bool allowStyleWithNonce(const String& nonce) const;
     bool allowScriptWithHash(const String& source) const;
     bool allowStyleWithHash(const String& source) const;
@@ skipping 82 matching lines @@
     SandboxFlags m_sandboxMask;
     ReferrerPolicy m_referrerPolicy;
     String m_disableEvalErrorMessage;
 
     OwnPtr<CSPSource> m_selfSource;
 };
 
 }
 
 #endif