CSP: group policies in didAddContentSecurityPolicy.

content/common/content_security_policy/content_security_policy.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <sstream>
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "content/common/content_security_policy/csp_context.h"
 
 namespace content {
@@ skipping 33 matching lines @@
                      const GURL& url,
                      bool is_redirect) {
   // We should never have a violation against `child-src` or `default-src`
   // directly; the effective directive should always be one of the explicit
   // fetch directives.
   DCHECK_NE(directive_name, CSPDirective::DefaultSrc);
   DCHECK_NE(directive_name, CSPDirective::ChildSrc);
 
   std::stringstream message;
 
-  if (policy.disposition == blink::WebContentSecurityPolicyTypeReport)
+  if (policy.header.type == blink::WebContentSecurityPolicyTypeReport)
     message << "[Report Only] ";
 
   if (directive_name == CSPDirective::FormAction)
     message << "Refused to send form data to '";
   else if (directive_name == CSPDirective::FrameSrc)
     message << "Refused to frame '";
 
   message << ElideURLForReportViolation(url)
           << "' because it violates the following Content Security Policy "
              "directive: \""
           << directive.ToString() << "\".";
 
   if (directive.name != directive_name)
     message << " Note that '" << CSPDirective::NameToString(directive_name)
             << "' was not explicitly set, so '"
             << CSPDirective::NameToString(directive.name)
             << "' is used as a fallback.";
 
   message << "\n";
 
   context->LogToConsole(message.str());
 
   context->ReportContentSecurityPolicyViolation(CSPViolationParams(
       CSPDirective::NameToString(directive.name),
       CSPDirective::NameToString(directive_name), message.str(), url,
-      policy.report_endpoints, policy.header, policy.disposition, is_redirect));
+      policy.report_endpoints, policy.header.header_value, policy.header.type,
+      is_redirect));
 }
 
 bool AllowDirective(CSPContext* context,
                     const ContentSecurityPolicy& policy,
                     const CSPDirective& directive,
                     CSPDirective::Name directive_name,
                     const GURL& url,
                     bool is_redirect) {
   if (CSPSourceList::Allow(directive.source_list, url, context, is_redirect))
     return true;
 
   ReportViolation(context, policy, directive, directive_name, url, is_redirect);
   return false;
 }
 
 }  // namespace
 
 ContentSecurityPolicy::ContentSecurityPolicy()
-    : disposition(blink::WebContentSecurityPolicyTypeEnforce),
-      source(blink::WebContentSecurityPolicySourceHTTP) {}
+    : header(std::string(),
+             blink::WebContentSecurityPolicyTypeEnforce,
+             blink::WebContentSecurityPolicySourceHTTP) {}
 
 ContentSecurityPolicy::ContentSecurityPolicy(
-    blink::WebContentSecurityPolicyType disposition,
-    blink::WebContentSecurityPolicySource source,
+    const ContentSecurityPolicyHeader& header,
     const std::vector<CSPDirective>& directives,
-    const std::vector<std::string>& report_endpoints,
-    const std::string& header)
-    : disposition(disposition),
-      source(source),
+    const std::vector<std::string>& report_endpoints)
+    : header(header),
       directives(directives),
-      report_endpoints(report_endpoints),
-      header(header) {}
+      report_endpoints(report_endpoints) {}
 
 ContentSecurityPolicy::ContentSecurityPolicy(const ContentSecurityPolicy&) =
     default;
 ContentSecurityPolicy::~ContentSecurityPolicy() = default;
 
 // static
 bool ContentSecurityPolicy::Allow(const ContentSecurityPolicy& policy,
                                   CSPDirective::Name directive_name,
                                   const GURL& url,
                                   CSPContext* context,
                                   bool is_redirect) {
   CSPDirective::Name current_directive_name = directive_name;
   do {
     for (const CSPDirective& directive : policy.directives) {
       if (directive.name == current_directive_name) {
         bool allowed = AllowDirective(context, policy, directive,
                                       directive_name, url, is_redirect);
         return allowed ||
-               policy.disposition == blink::WebContentSecurityPolicyTypeReport;
+               policy.header.type == blink::WebContentSecurityPolicyTypeReport;
       }
     }
     current_directive_name = CSPFallback(current_directive_name);
   } while (current_directive_name != CSPDirective::Unknown);
   return true;
 }
 
 std::string ContentSecurityPolicy::ToString() const {
   std::stringstream text;
   bool is_first_policy = true;
@@ skipping 10 matching lines @@
     is_first_policy = false;
     text << "report-uri";
     for (const std::string& endpoint : report_endpoints)
       text << " " << endpoint;
   }
 
   return text.str();
 }
 
 }  // namespace content