1 /*
2  * Copyright (C) 2011 Google, Inc. All rights reserved.
3  * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
15  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
18  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
19  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
21  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
22  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26
27 #include "config.h"
28 #include "ContentSecurityPolicyDirectiveList.h"
29
30 #include "ContentSecurityPolicyDirectiveNames.h"
31 #include "Document.h"
32 #include "Frame.h"
33 #include "ParsingUtilities.h"
34 #include "SecurityContext.h"
35
36 namespace WebCore {
37
// Returns true for the characters allowed in a directive-name: ASCII letters, ASCII digits and '-'.
static bool isDirectiveNameCharacter(UChar c)
{
    if (c == '-')
        return true;
    return isASCIIAlphanumeric(c);
}
42
// Returns true for ASCII whitespace and for the visible ASCII range 0x21-0x7e (VCHAR).
// ';' falls inside that range and is accepted here; parse() has already split the policy on ';'
// before a directive reaches this predicate.
static bool isDirectiveValueCharacter(UChar c)
{
    if (isASCIISpace(c))
        return true;
    return c >= 0x21 && c <= 0x7e;
}
47
// Returns whether eval is permitted. A null directive places no restriction, so eval is allowed.
static inline bool checkEval(ContentSecurityPolicySourceListDirective* directive)
{
    if (!directive)
        return true;
    return directive->allowEval();
}
52
// Returns whether inline content is permitted. A null directive places no restriction, so it is allowed.
static inline bool checkInline(ContentSecurityPolicySourceListDirective* directive)
{
    if (!directive)
        return true;
    return directive->allowInline();
}
57
// Returns whether |url| is permitted by |directive|. A null directive places no restriction, so every
// URL is allowed; otherwise the decision is delegated to the directive's source list.
static inline bool checkSource(
    ContentSecurityPolicySourceListDirective* directive,
    const URL& url,
    bool didReceiveRedirectResponse = false,
    ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty = ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No)
{
    if (!directive)
        return true;
    return directive->allows(url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty);
}
62
// Returns whether |hash| is permitted by |directive|. A null directive places no restriction.
static inline bool checkHash(ContentSecurityPolicySourceListDirective* directive, const ContentSecurityPolicyHash& hash)
{
    if (!directive)
        return true;
    return directive->allows(hash);
}
67
// Returns whether |nonce| is permitted by |directive|. A null directive places no restriction.
static inline bool checkNonce(ContentSecurityPolicySourceListDirective* directive, const String& nonce)
{
    if (!directive)
        return true;
    return directive->allows(nonce);
}
72
// Returns true when every ancestor of |frame| is allowed by |directive|, or when there is no directive.
// The whole parent chain is walked, so a single disallowed ancestor at any depth fails the check.
// NOTE(review): each ancestor is matched by its full document URL, and document() is dereferenced
// without a null check. CSP describes frame-ancestors matching in terms of the ancestor's origin;
// confirm that URL matching and the non-null assumption are both intended here.
static inline bool checkFrameAncestors(ContentSecurityPolicySourceListDirective* directive, const Frame& frame)
{
    if (!directive)
        return true;

    // Ancestors are already-loaded documents, so the redirect flag is always passed as false.
    const bool didReceiveRedirectResponse = false;
    Frame* ancestor = frame.tree().parent();
    while (ancestor) {
        const URL& ancestorURL = ancestor->document()->url();
        bool isAllowed = directive->allows(ancestorURL, didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No);
        if (!isAllowed)
            return false;
        ancestor = ancestor->tree().parent();
    }
    return true;
}
84
// Returns whether a plug-in of |type| may load under |directive|. A null directive places no restriction.
// When a directive exists, the element must declare a type: an empty |typeAttribute|, or one that
// differs from |type| after whitespace stripping, is refused before the media list is consulted.
static inline bool checkMediaType(ContentSecurityPolicyMediaListDirective* directive, const String& type, const String& typeAttribute)
{
    if (!directive)
        return true;
    if (typeAttribute.isEmpty())
        return false;
    if (typeAttribute.stripWhiteSpace() != type)
        return false;
    return directive->allows(type);
}
93
// Creates an empty directive list bound to |policy|. The Report and PrefixedReport header types
// mark the list as report-only.
ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList(ContentSecurityPolicy& policy, ContentSecurityPolicyHeaderType type)
    : m_policy(policy)
    , m_headerType(type)
{
    const bool isReportHeader = type == ContentSecurityPolicyHeaderType::Report;
    const bool isPrefixedReportHeader = type == ContentSecurityPolicyHeaderType::PrefixedReport;
    m_reportOnly = isReportHeader || isPrefixedReportHeader;
}
100
// Parses |header| into a new directive list. If the operative script directive (script-src, else
// default-src) does not allow eval, the refusal messages for eval and WebAssembly are prepared here.
// A report-only policy that ends up with no report URIs is reported to |policy|.
std::unique_ptr<ContentSecurityPolicyDirectiveList> ContentSecurityPolicyDirectiveList::create(ContentSecurityPolicy& policy, const String& header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom from)
{
    auto directives = std::make_unique<ContentSecurityPolicyDirectiveList>(policy, type);
    directives->parse(header, from);

    // checkEval() only fails for a non-null directive, so the text() calls below are safe.
    auto* scriptDirective = directives->operativeDirective(directives->m_scriptSrc.get());
    if (!checkEval(scriptDirective)) {
        directives->setEvalDisabledErrorMessage(makeString("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", scriptDirective->text(), "\".\n"));
        directives->setWebAssemblyDisabledErrorMessage(makeString("Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", scriptDirective->text(), "\".\n"));
    }

    const bool reportOnlyWithoutEndpoint = directives->isReportOnly() && directives->reportURIs().isEmpty();
    if (reportOnlyWithoutEndpoint)
        policy.reportMissingReportURI(header);

    return directives;
}
118
// Returns |directive| when it is set and otherwise falls back to default-src. The result is null
// when neither exists, which the check helpers treat as "no restriction".
ContentSecurityPolicySourceListDirective* ContentSecurityPolicyDirectiveList::operativeDirective(ContentSecurityPolicySourceListDirective* directive) const
{
    if (directive)
        return directive;
    return m_defaultSrc.get();
}
123
// Returns the directive (script-src, else default-src) that forbids eval, or nullptr when eval is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeEval() const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkEval(directive) ? nullptr : directive;
}
131
// Returns the directive (script-src, else default-src) that forbids inline script, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript() const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkInline(directive) ? nullptr : directive;
}
139
// Returns the directive (style-src, else default-src) that forbids inline style, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle() const
{
    auto* directive = operativeDirective(m_styleSrc.get());
    return checkInline(directive) ? nullptr : directive;
}
147
// Returns the directive (script-src, else default-src) that does not list |hash|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash(const ContentSecurityPolicyHash& hash) const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkHash(directive, hash) ? nullptr : directive;
}
155
// Returns the directive (style-src, else default-src) that does not list |hash|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash(const ContentSecurityPolicyHash& hash) const
{
    auto* directive = operativeDirective(m_styleSrc.get());
    return checkHash(directive, hash) ? nullptr : directive;
}
163
// Returns the directive (script-src, else default-src) that does not accept |nonce|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptNonce(const String& nonce) const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkNonce(directive, nonce) ? nullptr : directive;
}
171
// Returns the directive (style-src, else default-src) that does not accept |nonce|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleNonce(const String& nonce) const
{
    auto* directive = operativeDirective(m_styleSrc.get());
    return checkNonce(directive, nonce) ? nullptr : directive;
}
179
// Returns base-uri when it rejects |url|, otherwise nullptr. base-uri does not fall back to
// default-src: a policy without base-uri places no restriction here.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForBaseURI(const URL& url) const
{
    auto* directive = m_baseURI.get();
    return checkSource(directive, url) ? nullptr : directive;
}
186
// Returns the directive (child-src, else default-src) that rejects |url|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_childSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
194
// Returns the directive (connect-src, else default-src) that rejects |url|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_connectSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
202
// Returns the directive (font-src, else default-src) that rejects |url|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFont(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_fontSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
210
// Returns form-action when it rejects |url|, otherwise nullptr. form-action does not fall back to
// default-src: a policy without form-action places no restriction on form submissions.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = m_formAction.get();
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
217
// Returns the directive that rejects loading |url| into a nested frame, or nullptr when it is allowed.
// URLs for which isBlankURL() is true are exempt and return nullptr before any directive is consulted.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame(const URL& url, bool didReceiveRedirectResponse) const
{
    if (url.isBlankURL())
        return nullptr;

    // frame-src (if specified) takes precedence over child-src for a nested browsing context, per
    // <https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested> (29 August 2015).
    // default-src is the last fallback, through operativeDirective().
    auto* frameOrChildSrc = m_frameSrc ? m_frameSrc.get() : m_childSrc.get();
    auto* directive = operativeDirective(frameOrChildSrc);
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
230
// Returns frame-ancestors when some ancestor of |frame| is not allowed, otherwise nullptr.
// frame-ancestors does not fall back to default-src: without it, any ancestor may embed the frame.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestor(const Frame& frame) const
{
    auto* directive = m_frameAncestors.get();
    return checkFrameAncestors(directive, frame) ? nullptr : directive;
}
237
// Returns the directive (img-src, else default-src) that rejects |url|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForImage(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_imgSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
245
246 #if ENABLE(APPLICATION_MANIFEST)
// Returns the directive (manifest-src, else default-src) that rejects |url|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_manifestSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
254 #endif // ENABLE(APPLICATION_MANIFEST)
255
// Returns the directive (media-src, else default-src) that rejects |url|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_mediaSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
263
// Returns the directive (object-src, else default-src) that rejects |url|, or nullptr when it is allowed.
// URLs for which isBlankURL() is true are exempt and return nullptr before any directive is consulted.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL& url, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) const
{
    if (url.isBlankURL())
        return nullptr;

    auto* directive = operativeDirective(m_objectSrc.get());
    bool isAllowed = checkSource(directive, url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty);
    return isAllowed ? nullptr : directive;
}
273
// Returns plugin-types when it rejects the plug-in's |type| / |typeAttribute| pair, otherwise nullptr.
// plugin-types does not fall back to default-src.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const
{
    auto* directive = m_pluginTypes.get();
    return checkMediaType(directive, type, typeAttribute) ? nullptr : directive;
}
280
// Returns the directive (script-src, else default-src) that rejects |url|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_scriptSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
288
// Returns the directive (style-src, else default-src) that rejects |url|, or nullptr when it is allowed.
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL& url, bool didReceiveRedirectResponse) const
{
    auto* directive = operativeDirective(m_styleSrc.get());
    return checkSource(directive, url, didReceiveRedirectResponse) ? nullptr : directive;
}
296
297 // policy            = directive-list
298 // directive-list    = [ directive *( ";" [ directive ] ) ]
299 //
// Splits |policy| on ';' and registers each well-formed directive. The raw header is kept in m_header.
// A directive that parseDirective() rejects is dropped, so the restriction it would have set is not enforced.
// Filtering by delivery channel:
//  - Inherited policies silently drop upgrade-insecure-requests.
//  - <meta http-equiv> policies may not set sandbox, report-uri or frame-ancestors; each is reported and dropped.
void ContentSecurityPolicyDirectiveList::parse(const String& policy, ContentSecurityPolicy::PolicyFrom policyFrom)
{
    m_header = policy;
    if (policy.isEmpty())
        return;

    auto characters = StringView(policy).upconvertedCharacters();
    const UChar* cursor = characters;
    const UChar* const policyEnd = cursor + policy.length();

    const bool isInherited = policyFrom == ContentSecurityPolicy::PolicyFrom::Inherited;
    const bool isFromMeta = policyFrom == ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta;

    while (cursor < policyEnd) {
        const UChar* const directiveBegin = cursor;
        skipUntil<UChar>(cursor, policyEnd, ';');

        String name;
        String value;
        if (parseDirective(directiveBegin, cursor, name, value)) {
            ASSERT(!name.isEmpty());

            // Skipping with |continue| leaves the cursor on the ';'; the next pass sees an empty
            // directive and then steps over the separator.
            if (isInherited && equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::upgradeInsecureRequests))
                continue;

            if (isFromMeta
                && (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::sandbox)
                    || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reportURI)
                    || equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::frameAncestors))) {
                m_policy.reportInvalidDirectiveInHTTPEquivMeta(name);
                continue;
            }

            addDirective(name, value);
        }

        ASSERT(cursor == policyEnd || *cursor == ';');
        skipExactly<UChar>(cursor, policyEnd, ';');
    }
}
335
336 // directive         = *WSP [ directive-name [ WSP directive-value ] ]
337 // directive-name    = 1*( ALPHA / DIGIT / "-" )
338 // directive-value   = *( WSP / <VCHAR except ";"> )
339 //
// Parses one directive from [begin, end) into |name| and |value|, both of which must be empty on entry.
// Returns true when a directive-name was found; |value| stays empty when the directive has no value.
// Returns false for an empty directive, for a malformed name (reported as unsupported) and for a value
// holding a character outside whitespace / 0x21-0x7e (reported as an invalid value character).
// The caller only registers a directive when this returns true, so a rejected directive is not enforced.
bool ContentSecurityPolicyDirectiveList::parseDirective(const UChar* begin, const UChar* end, String& name, String& value)
{
    ASSERT(name.isEmpty());
    ASSERT(value.isEmpty());

    const UChar* cursor = begin;
    skipWhile<UChar, isASCIISpace>(cursor, end);

    // Nothing but whitespace between separators (e.g. ";;;").
    if (cursor == end)
        return false;

    const UChar* const nameStart = cursor;
    skipWhile<UChar, isDirectiveNameCharacter>(cursor, end);

    // Consumes the rest of the malformed token so the report shows it in full.
    auto rejectUnsupportedToken = [&] {
        skipWhile<UChar, isNotASCIISpace>(cursor, end);
        m_policy.reportUnsupportedDirective(String(nameStart, cursor - nameStart));
        return false;
    };

    // The directive-name must be non-empty.
    if (cursor == nameStart)
        return rejectUnsupportedToken();

    name = String(nameStart, cursor - nameStart);

    // A bare name with no value is valid.
    if (cursor == end)
        return true;

    // The name must be followed by whitespace; anything else makes the whole token unsupported.
    if (!skipExactly<UChar, isASCIISpace>(cursor, end))
        return rejectUnsupportedToken();

    skipWhile<UChar, isASCIISpace>(cursor, end);

    const UChar* const valueStart = cursor;
    skipWhile<UChar, isDirectiveValueCharacter>(cursor, end);

    // Stopping short of |end| means the value holds a character the grammar does not permit.
    if (cursor != end) {
        m_policy.reportInvalidDirectiveValueCharacter(name, String(valueStart, end - valueStart));
        return false;
    }

    // The directive-value may be empty, in which case |value| is left untouched.
    if (cursor != valueStart)
        value = String(valueStart, cursor - valueStart);
    return true;
}
390
// Splits the report-uri |value| on ASCII whitespace and stores each token in m_reportURIs.
// Tokens are stored as raw strings; no URL validation happens in this function.
// Only the first report-uri directive that yields URIs is used; later ones are reported as duplicates.
// NOTE(review): duplicates are detected through m_reportURIs being non-empty, so an earlier
// report-uri with no tokens does not count as a first occurrence. Confirm this is intended.
void ContentSecurityPolicyDirectiveList::parseReportURI(const String& name, const String& value)
{
    if (!m_reportURIs.isEmpty()) {
        m_policy.reportDuplicateDirective(name);
        return;
    }

    auto characters = StringView(value).upconvertedCharacters();
    const UChar* const valueBegin = characters;
    const UChar* const valueEnd = valueBegin + value.length();
    const UChar* cursor = valueBegin;

    while (cursor < valueEnd) {
        skipWhile<UChar, isASCIISpace>(cursor, valueEnd);

        const UChar* const tokenBegin = cursor;
        skipWhile<UChar, isNotASCIISpace>(cursor, valueEnd);

        // Trailing whitespace yields an empty token; skip it.
        if (tokenBegin == cursor)
            continue;
        m_reportURIs.append(value.substring(tokenBegin - valueBegin, cursor - tokenBegin));
    }
}
412
413
// Installs a directive of type CSPDirectiveType into |directive| if the slot is still empty.
// The first occurrence wins: a repeated directive is reported as a duplicate and its value is
// ignored, so a later directive cannot replace the one already in force.
template<class CSPDirectiveType>
void ContentSecurityPolicyDirectiveList::setCSPDirective(const String& name, const String& value, std::unique_ptr<CSPDirectiveType>& directive)
{
    if (!directive) {
        directive = std::make_unique<CSPDirectiveType>(*this, name, value);
        return;
    }
    m_policy.reportDuplicateDirective(name);
}
423
// Applies the sandbox directive. It is rejected (and reported) in report-only mode, and only the
// first sandbox directive of a policy takes effect. The parsed flags are enforced even when some
// tokens were invalid; the invalid tokens are reported afterwards.
void ContentSecurityPolicyDirectiveList::applySandboxPolicy(const String& name, const String& sandboxPolicy)
{
    if (m_reportOnly) {
        m_policy.reportInvalidDirectiveInReportOnlyMode(name);
        return;
    }
    if (m_haveSandboxPolicy) {
        m_policy.reportDuplicateDirective(name);
        return;
    }
    m_haveSandboxPolicy = true;

    String invalidTokens;
    auto sandboxFlags = SecurityContext::parseSandboxPolicy(sandboxPolicy, invalidTokens);
    m_policy.enforceSandboxFlags(sandboxFlags);

    // A null string means the parser found nothing to complain about.
    if (invalidTokens.isNull())
        return;
    m_policy.reportInvalidSandboxFlags(invalidTokens);
}
440
// Enables upgrade-insecure-requests on this list and on the owning policy. The directive is
// rejected (and reported) in report-only mode, and a repeat is reported as a duplicate.
void ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests(const String& name)
{
    if (m_reportOnly)
        m_policy.reportInvalidDirectiveInReportOnlyMode(name);
    else if (m_upgradeInsecureRequests)
        m_policy.reportDuplicateDirective(name);
    else {
        m_upgradeInsecureRequests = true;
        m_policy.setUpgradeInsecureRequests(true);
    }
}
454
// Records that the policy carries block-all-mixed-content; a repeat is reported as a duplicate.
// Unlike sandbox and upgrade-insecure-requests, this setter has no report-only check.
void ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled(const String& name)
{
    if (!m_hasBlockAllMixedContentDirective) {
        m_hasBlockAllMixedContentDirective = true;
        return;
    }
    m_policy.reportDuplicateDirective(name);
}
463
// Routes one parsed directive to its slot or handler. Names are matched ASCII case-insensitively.
// Source-list directives go through setCSPDirective(), so the first occurrence wins and repeats are
// reported. default-src, script-src and style-src also register the hash algorithms they use with
// the policy. frame-ancestors is rejected in report-only mode. An unrecognised name is reported as
// unsupported and otherwise ignored.
void ContentSecurityPolicyDirectiveList::addDirective(const String& name, const String& value)
{
    ASSERT(!name.isEmpty());

    using SourceList = ContentSecurityPolicySourceListDirective;
    auto nameIs = [&name](const auto& directiveName) {
        return equalIgnoringASCIICase(name, directiveName);
    };

    if (nameIs(ContentSecurityPolicyDirectiveNames::defaultSrc)) {
        setCSPDirective<SourceList>(name, value, m_defaultSrc);
        // On a duplicate the slot still holds the first directive, so it is never null here.
        m_policy.addHashAlgorithmsForInlineScripts(m_defaultSrc->hashAlgorithmsUsed());
        m_policy.addHashAlgorithmsForInlineStylesheets(m_defaultSrc->hashAlgorithmsUsed());
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::scriptSrc)) {
        setCSPDirective<SourceList>(name, value, m_scriptSrc);
        m_policy.addHashAlgorithmsForInlineScripts(m_scriptSrc->hashAlgorithmsUsed());
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::styleSrc)) {
        setCSPDirective<SourceList>(name, value, m_styleSrc);
        m_policy.addHashAlgorithmsForInlineStylesheets(m_styleSrc->hashAlgorithmsUsed());
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::objectSrc)) {
        setCSPDirective<SourceList>(name, value, m_objectSrc);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::frameSrc)) {
        // FIXME: Log to console "The frame-src directive is deprecated. Use the child-src directive instead."
        // See <https://bugs.webkit.org/show_bug.cgi?id=155773>.
        setCSPDirective<SourceList>(name, value, m_frameSrc);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::imgSrc)) {
        setCSPDirective<SourceList>(name, value, m_imgSrc);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::fontSrc)) {
        setCSPDirective<SourceList>(name, value, m_fontSrc);
        return;
    }
#if ENABLE(APPLICATION_MANIFEST)
    if (nameIs(ContentSecurityPolicyDirectiveNames::manifestSrc)) {
        setCSPDirective<SourceList>(name, value, m_manifestSrc);
        return;
    }
#endif
    if (nameIs(ContentSecurityPolicyDirectiveNames::mediaSrc)) {
        setCSPDirective<SourceList>(name, value, m_mediaSrc);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::connectSrc)) {
        setCSPDirective<SourceList>(name, value, m_connectSrc);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::childSrc)) {
        setCSPDirective<SourceList>(name, value, m_childSrc);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::formAction)) {
        setCSPDirective<SourceList>(name, value, m_formAction);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::baseURI)) {
        setCSPDirective<SourceList>(name, value, m_baseURI);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::frameAncestors)) {
        // frame-ancestors is not accepted from a report-only policy.
        if (m_reportOnly) {
            m_policy.reportInvalidDirectiveInReportOnlyMode(name);
            return;
        }
        setCSPDirective<SourceList>(name, value, m_frameAncestors);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::pluginTypes)) {
        setCSPDirective<ContentSecurityPolicyMediaListDirective>(name, value, m_pluginTypes);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::sandbox)) {
        applySandboxPolicy(name, value);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::reportURI)) {
        parseReportURI(name, value);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::upgradeInsecureRequests)) {
        setUpgradeInsecureRequests(name);
        return;
    }
    if (nameIs(ContentSecurityPolicyDirectiveNames::blockAllMixedContent)) {
        setBlockAllMixedContentEnabled(name);
        return;
    }

    m_policy.reportUnsupportedDirective(name);
}
521
522 } // namespace WebCore