Update frame-ancestor directive to match Content Security Policy Level 3
[WebKit-https.git] / Source / WebCore / page / csp / ContentSecurityPolicyDirectiveList.cpp
1 /*
2  * Copyright (C) 2011 Google, Inc. All rights reserved.
3  * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
15  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
18  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
19  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
21  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
22  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26
27 #include "config.h"
28 #include "ContentSecurityPolicyDirectiveList.h"
29
30 #include "ContentSecurityPolicyDirectiveNames.h"
31 #include "Document.h"
32 #include "Frame.h"
33 #include "ParsingUtilities.h"
34 #include "SecurityContext.h"
35
36 namespace WebCore {
37
// Returns true when |c| may appear in a CSP directive-name: an ASCII letter,
// an ASCII digit or '-'.
static bool isDirectiveNameCharacter(UChar c)
{
    if (c == '-')
        return true;
    return isASCIIAlphanumeric(c);
}
42
// Returns true when |c| may appear in a directive-value: ASCII whitespace or a
// visible ASCII character (VCHAR, 0x21 through 0x7e). parseDirective() rejects
// a directive whose value contains any other character.
static bool isDirectiveValueCharacter(UChar c)
{
    const bool isVisibleASCII = c >= 0x21 && c <= 0x7e;
    return isVisibleASCII || isASCIISpace(c);
}
47
// Eval is permitted when no directive governs it (null |directive|) or when the
// governing directive allows eval.
static inline bool checkEval(ContentSecurityPolicySourceListDirective* directive)
{
    if (!directive)
        return true;
    return directive->allowEval();
}
52
// Inline content is permitted when no directive governs it (null |directive|)
// or when the governing directive allows inline.
static inline bool checkInline(ContentSecurityPolicySourceListDirective* directive)
{
    if (!directive)
        return true;
    return directive->allowInline();
}
57
// A load of |url| is permitted when no directive governs it (null |directive|)
// or when the directive's source list allows the URL. The redirect flag and the
// empty-URL option are forwarded unchanged to the directive.
static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url, bool didReceiveRedirectResponse = false, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty = ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No)
{
    if (!directive)
        return true;
    return directive->allows(url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty);
}
62
// Content with digest |hash| is permitted when no directive governs it (null
// |directive|) or when the directive allows that hash.
static inline bool checkHash(ContentSecurityPolicySourceListDirective* directive, const ContentSecurityPolicyHash& hash)
{
    if (!directive)
        return true;
    return directive->allows(hash);
}
67
// Content carrying |nonce| is permitted when no directive governs it (null
// |directive|) or when the directive allows that nonce.
static inline bool checkNonce(ContentSecurityPolicySourceListDirective* directive, const String& nonce)
{
    if (!directive)
        return true;
    return directive->allows(nonce);
}
72
// Decides whether |frame| may be embedded by its ancestors under the
// frame-ancestors |directive|. A null directive allows everything. Otherwise
// every ancestor, from the parent up to the top of the frame tree, must pass:
// a URL is built from the serialized security origin of the ancestor's document
// (so matching is on the origin, not on the document's full URL) and checked
// against the source list. An ancestor whose origin does not yield a valid URL
// is refused, so the check fails closed.
static inline bool checkFrameAncestors(ContentSecurityPolicySourceListDirective* directive, const Frame& frame)
{
    if (!directive)
        return true;

    bool didReceiveRedirectResponse = false;
    Frame* ancestor = frame.tree().parent();
    while (ancestor) {
        // NOTE(review): document() is dereferenced without a null check; confirm
        // that every ancestor frame has a document when this check runs.
        URL ancestorOrigin { URL { }, ancestor->document()->securityOrigin().toString() };
        if (!ancestorOrigin.isValid())
            return false;
        if (!directive->allows(ancestorOrigin, didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No))
            return false;
        ancestor = ancestor->tree().parent();
    }
    return true;
}
85
// Decides whether a plugin of MIME type |type| may load under the plugin-types
// |directive|. A null directive allows everything. Otherwise the element must
// declare a type: an empty |typeAttribute|, or one that differs from |type|
// after whitespace stripping, is refused before the media list is consulted.
static inline bool checkMediaType(ContentSecurityPolicyMediaListDirective* directive, const String& type, const String& typeAttribute)
{
    if (!directive)
        return true;

    const bool declaredTypeMatches = !typeAttribute.isEmpty() && typeAttribute.stripWhiteSpace() == type;
    return declaredTypeMatches && directive->allows(type);
}
94
// Binds the list to its owning |policy| and records the header type. The list is
// report-only when the header type is Report or PrefixedReport.
ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList(ContentSecurityPolicy& policy, ContentSecurityPolicyHeaderType type)
    : m_policy(policy)
    , m_headerType(type)
{
    const bool isReport = type == ContentSecurityPolicyHeaderType::Report;
    const bool isPrefixedReport = type == ContentSecurityPolicyHeaderType::PrefixedReport;
    m_reportOnly = isReport || isPrefixedReport;
}
101
// Builds a directive list from the raw |header| text.
//
// After parsing, if the directive governing script (script-src, else
// default-src) does not allow eval, the console messages for blocked eval and
// blocked WebAssembly creation are prepared up front. A report-only policy that
// names no report URIs is reported to |policy| as missing a report-uri.
std::unique_ptr<ContentSecurityPolicyDirectiveList> ContentSecurityPolicyDirectiveList::create(ContentSecurityPolicy& policy, const String& header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom from)
{
    auto list = std::make_unique<ContentSecurityPolicyDirectiveList>(policy, type);
    list->parse(header, from);

    auto* scriptDirective = list->operativeDirective(list->m_scriptSrc.get());
    if (!checkEval(scriptDirective)) {
        // checkEval() only fails for a non-null directive, so text() is safe to call here.
        String evalMessage = makeString("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", scriptDirective->text(), "\".\n");
        list->setEvalDisabledErrorMessage(evalMessage);
        String webAssemblyMessage = makeString("Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", scriptDirective->text(), "\".\n");
        list->setWebAssemblyDisabledErrorMessage(webAssemblyMessage);
    }

    const bool reportOnlyWithoutEndpoint = list->isReportOnly() && list->reportURIs().isEmpty();
    if (reportOnlyWithoutEndpoint)
        policy.reportMissingReportURI(header);

    return list;
}
119
// Returns |directive| when the policy set it, otherwise the default-src
// directive. The result is null when neither is present.
ContentSecurityPolicySourceListDirective* ContentSecurityPolicyDirectiveList::operativeDirective(ContentSecurityPolicySourceListDirective* directive) const
{
    if (directive)
        return directive;
    return m_defaultSrc.get();
}
124
// Returns the directive (script-src, else default-src) that forbids eval, or
// nullptr when eval is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeEval() const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkEval(directive) ? nullptr : directive;
}
132
// Returns the directive (script-src, else default-src) that forbids inline
// script, or nullptr when inline script is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript() const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkInline(directive) ? nullptr : directive;
}
140
// Returns the directive (style-src, else default-src) that forbids inline
// style, or nullptr when inline style is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle() const
{
    auto* directive = operativeDirective(m_styleSrc.get());
    return checkInline(directive) ? nullptr : directive;
}
148
// Returns the directive (script-src, else default-src) that does not allow a
// script with digest |hash|, or nullptr when the hash is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash(const ContentSecurityPolicyHash& hash) const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkHash(directive, hash) ? nullptr : directive;
}
156
// Returns the directive (style-src, else default-src) that does not allow a
// stylesheet with digest |hash|, or nullptr when the hash is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash(const ContentSecurityPolicyHash& hash) const
{
    auto* directive = operativeDirective(m_styleSrc.get());
    return checkHash(directive, hash) ? nullptr : directive;
}
164
// Returns the directive (script-src, else default-src) that does not allow a
// script carrying |nonce|, or nullptr when the nonce is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptNonce(const String& nonce) const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkNonce(directive, nonce) ? nullptr : directive;
}
172
// Returns the directive (style-src, else default-src) that does not allow a
// stylesheet carrying |nonce|, or nullptr when the nonce is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleNonce(const String& nonce) const
{
    auto* directive = operativeDirective(m_styleSrc.get());
    return checkNonce(directive, nonce) ? nullptr : directive;
}
180
// Returns the base-uri directive when it does not allow |url|, or nullptr when
// the URL is allowed. base-uri is checked on its own; there is no fallback to
// default-src here.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForBaseURI(const URL& url) const
{
    auto* directive = m_baseURI.get();
    return checkSource(directive, url) ? nullptr : directive;
}
187
// Returns the directive (child-src, else default-src) that does not allow
// |url| for a child context, or nullptr when the URL is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_childSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
195
// Returns the directive (connect-src, else default-src) that does not allow a
// connection to |url|, or nullptr when the URL is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_connectSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
203
// Returns the directive (font-src, else default-src) that does not allow a
// font from |url|, or nullptr when the URL is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFont(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_fontSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
211
// Returns the form-action directive when it does not allow submission to
// |url|, or nullptr when the URL is allowed. form-action is checked on its
// own; there is no fallback to default-src here.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = m_formAction.get();
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
218
// Returns the directive that does not allow framing |url|, or nullptr when the
// URL is allowed. Blank URLs are always allowed. The directive consulted is
// frame-src if present, else child-src, else default-src.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame(const URL& url, bool didReceiveRedirectResponse) const
{
    if (url.isBlankURL())
        return nullptr;

    // The frame-src directive (if specified) must be enforced before the child-src directive for a nested browsing
    // context, per <https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested> (29 August 2015).
    auto* frameOrChildSrc = m_frameSrc ? m_frameSrc.get() : m_childSrc.get();
    auto* directive = operativeDirective(frameOrChildSrc);
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
231
// Returns the frame-ancestors directive when some ancestor of |frame| is not
// allowed to embed it, or nullptr when every ancestor is allowed.
// frame-ancestors is checked on its own; there is no fallback to default-src.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestor(const Frame& frame) const
{
    auto* directive = m_frameAncestors.get();
    return checkFrameAncestors(directive, frame) ? nullptr : directive;
}
238
// Returns the directive (img-src, else default-src) that does not allow an
// image from |url|, or nullptr when the URL is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForImage(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_imgSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
246
247 #if ENABLE(APPLICATION_MANIFEST)
// Returns the directive (manifest-src, else default-src) that does not allow
// an application manifest from |url|, or nullptr when the URL is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_manifestSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
255 #endif // ENABLE(APPLICATION_MANIFEST)
256
// Returns the directive (media-src, else default-src) that does not allow
// media from |url|, or nullptr when the URL is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_mediaSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
264
// Returns the directive (object-src, else default-src) that does not allow a
// plugin resource from |url|, or nullptr when the URL is allowed. Blank URLs
// are always allowed. The empty-URL option is forwarded to the source list.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL& url, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) const
{
    if (url.isBlankURL())
        return nullptr;

    auto* directive = operativeDirective(m_objectSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty) ? nullptr : directive;
}
274
// Returns the plugin-types directive when it does not allow a plugin of MIME
// type |type| declared as |typeAttribute|, or nullptr when the plugin is
// allowed. There is no fallback to default-src here.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const
{
    auto* directive = m_pluginTypes.get();
    return checkMediaType(directive, type, typeAttribute) ? nullptr : directive;
}
281
// Returns the directive (script-src, else default-src) that does not allow a
// script from |url|, or nullptr when the URL is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
289
// Returns the directive (style-src, else default-src) that does not allow a
// stylesheet from |url|, or nullptr when the URL is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_styleSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
297
// policy            = directive-list
// directive-list    = [ directive *( ";" [ directive ] ) ]
//
// Records |policy| as the header text, splits it on ';' and registers every
// well-formed directive. Some directives are dropped depending on where the
// policy came from:
//   - an inherited policy does not carry over upgrade-insecure-requests;
//   - a policy delivered through <meta http-equiv> may not set sandbox,
//     report-uri or frame-ancestors; each attempt is reported to the policy.
void ContentSecurityPolicyDirectiveList::parse(const String& policy, ContentSecurityPolicy::PolicyFrom policyFrom)
{
    m_header = policy;
    if (policy.isEmpty())
        return;

    const bool isInherited = policyFrom == ContentSecurityPolicy::PolicyFrom::Inherited;
    const bool isFromMeta = policyFrom == ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta;

    auto characters = StringView(policy).upconvertedCharacters();
    const UChar* cursor = characters;
    const UChar* policyEnd = cursor + policy.length();

    while (cursor < policyEnd) {
        const UChar* directiveStart = cursor;
        skipUntil<UChar>(cursor, policyEnd, ';');

        String name, value;
        if (parseDirective(directiveStart, cursor, name, value)) {
            ASSERT(!name.isEmpty());

            // Each `continue` below leaves the cursor on the ';'. The next pass then sees an
            // empty directive, which parseDirective() rejects quietly, and steps over the separator.
            if (isInherited && equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::upgradeInsecureRequests))
                continue;

            if (isFromMeta
                && (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::sandbox)
                    || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reportURI)
                    || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::frameAncestors))) {
                m_policy.reportInvalidDirectiveInHTTPEquivMeta(name);
                continue;
            }

            addDirective(name, value);
        }

        ASSERT(cursor == policyEnd || *cursor == ';');
        skipExactly<UChar>(cursor, policyEnd, ';');
    }
}
336
// directive         = *WSP [ directive-name [ WSP directive-value ] ]
// directive-name    = 1*( ALPHA / DIGIT / "-" )
// directive-value   = *( WSP / <VCHAR except ";"> )
//
// Parses the single directive in [begin, end) into |name| and |value|, both of
// which must be empty on entry. Returns true when a directive-name was read;
// |value| stays empty when the directive has no value. Returns false, leaving
// the directive unregistered, when:
//   - the range holds only whitespace (nothing is reported);
//   - the name is empty or is not followed by whitespace (reported as an
//     unsupported directive);
//   - the value contains a character outside whitespace and VCHAR (reported as
//     an invalid directive value character).
bool ContentSecurityPolicyDirectiveList::parseDirective(const UChar* begin, const UChar* end, String& name, String& value)
{
    ASSERT(name.isEmpty());
    ASSERT(value.isEmpty());

    const UChar* cursor = begin;
    skipWhile<UChar, isASCIISpace>(cursor, end);

    // Empty directive (e.g. ";;;"). Exit early.
    if (cursor == end)
        return false;

    const UChar* nameStart = cursor;

    // Consumes the rest of the current token and reports it as an unsupported directive.
    auto rejectAsUnsupported = [&] {
        skipWhile<UChar, isNotASCIISpace>(cursor, end);
        m_policy.reportUnsupportedDirective(String(nameStart, cursor - nameStart));
        return false;
    };

    skipWhile<UChar, isDirectiveNameCharacter>(cursor, end);

    // The directive-name must be non-empty.
    if (cursor == nameStart)
        return rejectAsUnsupported();

    name = String(nameStart, cursor - nameStart);

    if (cursor == end)
        return true;

    // The name must be separated from the value by whitespace.
    if (!skipExactly<UChar, isASCIISpace>(cursor, end))
        return rejectAsUnsupported();

    skipWhile<UChar, isASCIISpace>(cursor, end);

    const UChar* valueStart = cursor;
    skipWhile<UChar, isDirectiveValueCharacter>(cursor, end);

    // Stopping short of |end| means the value holds a disallowed character.
    if (cursor != end) {
        m_policy.reportInvalidDirectiveValueCharacter(name, String(valueStart, end - valueStart));
        return false;
    }

    // The directive-value may be empty.
    if (valueStart != cursor)
        value = String(valueStart, cursor - valueStart);
    return true;
}
391
// Splits the report-uri |value| on ASCII whitespace and stores each token in
// m_reportURIs. When report URIs are already recorded, the directive is
// reported as a duplicate and ignored. Note that the duplicate test looks at
// the stored URIs, so an earlier report-uri with an empty value does not count.
void ContentSecurityPolicyDirectiveList::parseReportURI(const String& name, const String& value)
{
    if (!m_reportURIs.isEmpty()) {
        m_policy.reportDuplicateDirective(name);
        return;
    }

    auto characters = StringView(value).upconvertedCharacters();
    const UChar* cursor = characters;
    const UChar* valueEnd = cursor + value.length();

    while (cursor < valueEnd) {
        skipWhile<UChar, isASCIISpace>(cursor, valueEnd);

        const UChar* tokenStart = cursor;
        skipWhile<UChar, isNotASCIISpace>(cursor, valueEnd);

        // Nothing was consumed: only trailing whitespace remained.
        if (cursor == tokenStart)
            continue;

        m_reportURIs.append(value.substring(tokenStart - characters, cursor - tokenStart));
    }
}
413
414
// Creates the directive object for |name| in |directive| on first use. When
// |directive| is already set, the first occurrence is kept, the repeat is
// reported as a duplicate and its |value| is ignored.
template<class CSPDirectiveType>
void ContentSecurityPolicyDirectiveList::setCSPDirective(const String& name, const String& value, std::unique_ptr<CSPDirectiveType>& directive)
{
    if (!directive) {
        directive = std::make_unique<CSPDirectiveType>(*this, name, value);
        return;
    }
    m_policy.reportDuplicateDirective(name);
}
424
// Applies the sandbox directive. It is refused in report-only mode and ignored
// when already seen in this list; both cases are reported to the policy.
// Otherwise the parsed flags are enforced, and any tokens the sandbox parser
// did not recognize are reported afterwards.
void ContentSecurityPolicyDirectiveList::applySandboxPolicy(const String& name, const String& sandboxPolicy)
{
    if (m_reportOnly) {
        m_policy.reportInvalidDirectiveInReportOnlyMode(name);
        return;
    }
    if (m_haveSandboxPolicy) {
        m_policy.reportDuplicateDirective(name);
        return;
    }
    m_haveSandboxPolicy = true;

    String invalidTokens;
    auto sandboxFlags = SecurityContext::parseSandboxPolicy(sandboxPolicy, invalidTokens);
    m_policy.enforceSandboxFlags(sandboxFlags);

    if (invalidTokens.isNull())
        return;
    m_policy.reportInvalidSandboxFlags(invalidTokens);
}
441
// Enables upgrade-insecure-requests on this list and on the owning policy. The
// directive is refused in report-only mode and ignored when already seen in
// this list; both cases are reported to the policy.
void ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests(const String& name)
{
    if (m_reportOnly)
        m_policy.reportInvalidDirectiveInReportOnlyMode(name);
    else if (m_upgradeInsecureRequests)
        m_policy.reportDuplicateDirective(name);
    else {
        m_upgradeInsecureRequests = true;
        m_policy.setUpgradeInsecureRequests(true);
    }
}
455
// Records that the list carries block-all-mixed-content. A repeat of the
// directive is reported as a duplicate.
void ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled(const String& name)
{
    if (!m_hasBlockAllMixedContentDirective) {
        m_hasBlockAllMixedContentDirective = true;
        return;
    }
    m_policy.reportDuplicateDirective(name);
}
464
// Registers the directive |name| with |value| on this list. Names are matched
// without regard to ASCII case, and a name that matches no known directive is
// reported as unsupported. default-src, script-src and style-src also pass the
// hash algorithms they use to the policy. frame-ancestors is refused, and
// reported, when the list is report-only.
void ContentSecurityPolicyDirectiveList::addDirective(const String& name, const String& value)
{
    ASSERT(!name.isEmpty());

    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::defaultSrc)) {
        // m_defaultSrc is non-null after this call whether or not the directive was a duplicate.
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_defaultSrc);
        m_policy.addHashAlgorithmsForInlineScripts(m_defaultSrc->hashAlgorithmsUsed());
        m_policy.addHashAlgorithmsForInlineStylesheets(m_defaultSrc->hashAlgorithmsUsed());
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::scriptSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_scriptSrc);
        m_policy.addHashAlgorithmsForInlineScripts(m_scriptSrc->hashAlgorithmsUsed());
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::styleSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_styleSrc);
        m_policy.addHashAlgorithmsForInlineStylesheets(m_styleSrc->hashAlgorithmsUsed());
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::objectSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_objectSrc);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::frameSrc)) {
        // FIXME: Log to console "The frame-src directive is deprecated. Use the child-src directive instead."
        // See <https://bugs.webkit.org/show_bug.cgi?id=155773>.
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_frameSrc);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::imgSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_imgSrc);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::fontSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_fontSrc);
        return;
    }
#if ENABLE(APPLICATION_MANIFEST)
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::manifestSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_manifestSrc);
        return;
    }
#endif
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::mediaSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_mediaSrc);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::connectSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_connectSrc);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::childSrc)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_childSrc);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::formAction)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_formAction);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::baseURI)) {
        setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_baseURI);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::frameAncestors)) {
        // frame-ancestors is not accepted from a report-only policy.
        if (m_reportOnly)
            m_policy.reportInvalidDirectiveInReportOnlyMode(name);
        else
            setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_frameAncestors);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::pluginTypes)) {
        setCSPDirective<ContentSecurityPolicyMediaListDirective>(name, value, m_pluginTypes);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::sandbox)) {
        applySandboxPolicy(name, value);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reportURI)) {
        parseReportURI(name, value);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::upgradeInsecureRequests)) {
        setUpgradeInsecureRequests(name);
        return;
    }
    if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::blockAllMixedContent)) {
        setBlockAllMixedContentEnabled(name);
        return;
    }

    m_policy.reportUnsupportedDirective(name);
}
522
523 } // namespace WebCore