CSP: Adding the 'upgrade-insecure-requests' directive.

Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 75 matching lines @@
 const char ContentSecurityPolicy::Referrer[] = "referrer";
 
 // Manifest Directives
 // https://w3c.github.io/manifest/#content-security-policy
 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src";
 
 // Mixed Content Directive
 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
 const char ContentSecurityPolicy::BlockAllMixedContent[] = "block-all-mixed-content";
 
+// https://w3c.github.io/webappsec/specs/upgrade/
+const char ContentSecurityPolicy::UpgradeInsecureRequests[] = "upgrade-insecure-requests";
+
 bool ContentSecurityPolicy::isDirectiveName(const String& name)
 {
     return (equalIgnoringCase(name, ConnectSrc)
         || equalIgnoringCase(name, DefaultSrc)
         || equalIgnoringCase(name, FontSrc)
         || equalIgnoringCase(name, FrameSrc)
         || equalIgnoringCase(name, ImgSrc)
         || equalIgnoringCase(name, MediaSrc)
         || equalIgnoringCase(name, ObjectSrc)
         || equalIgnoringCase(name, ReportURI)
         || equalIgnoringCase(name, Sandbox)
         || equalIgnoringCase(name, ScriptSrc)
         || equalIgnoringCase(name, StyleSrc)
         || equalIgnoringCase(name, BaseURI)
         || equalIgnoringCase(name, ChildSrc)
         || equalIgnoringCase(name, FormAction)
         || equalIgnoringCase(name, FrameAncestors)
         || equalIgnoringCase(name, PluginTypes)
         || equalIgnoringCase(name, ReflectedXSS)
         || equalIgnoringCase(name, Referrer)
         || equalIgnoringCase(name, ManifestSrc)
-        || equalIgnoringCase(name, BlockAllMixedContent));
+        || equalIgnoringCase(name, BlockAllMixedContent)
+        || equalIgnoringCase(name, UpgradeInsecureRequests));
 }
 
 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type)
 {
     switch (type) {
     case ContentSecurityPolicyHeaderTypeEnforce:
         return UseCounter::ContentSecurityPolicy;
     case ContentSecurityPolicyHeaderTypeReport:
         return UseCounter::ContentSecurityPolicyReportOnly;
     }
     ASSERT_NOT_REACHED();
     return UseCounter::NumberOfFeatures;
 }
 
 static ReferrerPolicy mergeReferrerPolicies(ReferrerPolicy a, ReferrerPolicy b)
 {
     if (a != b)
         return ReferrerPolicyNever;
     return a;
 }
 
 ContentSecurityPolicy::ContentSecurityPolicy()
     : m_executionContext(nullptr)
     , m_overrideInlineStyleAllowed(false)
     , m_scriptHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
     , m_styleHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
     , m_sandboxMask(0)
     , m_enforceStrictMixedContentChecking(false)
     , m_referrerPolicy(ReferrerPolicyDefault)
+    , m_insecureContentPolicy(SecurityContext::InsecureContentDoNotUpgrade)
 {
 }
 
 void ContentSecurityPolicy::bindToExecutionContext(ExecutionContext* executionContext)
 {
     m_executionContext = executionContext;
     applyPolicySideEffectsToExecutionContext();
 }
 
 void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext()
 {
     ASSERT(m_executionContext);
     // Ensure that 'self' processes correctly.
     m_selfProtocol = securityOrigin()->protocol();
     m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
 
     // If we're in a Document, set the referrer policy, mixed content checking, and sandbox
     // flags, then dump all the parsing error messages, then poke at histograms.
     if (Document* document = this->document()) {
         if (m_sandboxMask != SandboxNone) {
             UseCounter::count(document, UseCounter::SandboxViaCSP);
             document->enforceSandboxFlags(m_sandboxMask);
         }
         if (m_enforceStrictMixedContentChecking)
             document->enforceStrictMixedContentChecking();
         if (didSetReferrerPolicy())
             document->setReferrerPolicy(m_referrerPolicy);
+        if (m_insecureContentPolicy > document->insecureContentPolicy())
+            document->setInsecureContentPolicy(m_insecureContentPolicy);
 
         for (const auto& consoleMessage : m_consoleMessages)
             m_executionContext->addConsoleMessage(consoleMessage);
         m_consoleMessages.clear();
 
         for (const auto& policy : m_policies)
             UseCounter::count(*document, getUseCounterType(policy->headerType()));
     }
 
     // We disable 'eval()' even in the case of report-only policies, and rely on the check in the
@@ skipping 435 matching lines @@
 void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask)
 {
     m_sandboxMask |= mask;
 }
 
 void ContentSecurityPolicy::enforceStrictMixedContentChecking()
 {
     m_enforceStrictMixedContentChecking = true;
 }
 
+void ContentSecurityPolicy::setInsecureContentPolicy(SecurityContext::InsecureContentPolicy policy)
+{
+    if (policy > m_insecureContentPolicy)
+        m_insecureContentPolicy = policy;
+}
+
 static String stripURLForUseInReport(Document* document, const KURL& url)
 {
     if (!url.isValid())
         return String();
     if (!url.isHierarchical() || url.protocolIs("file"))
         return url.protocol();
     return document->securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
 }
 
 static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
@@ skipping 267 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink