CSP: Enable plugin-types directive by default
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 24 Feb 2016 18:51:58 +0000 (18:51 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 24 Feb 2016 18:51:58 +0000 (18:51 +0000)
https://bugs.webkit.org/show_bug.cgi?id=154420
<rdar://problem/24730322>

Reviewed by Brent Fulgham.

Source/WebCore:

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::isExperimentalDirectiveName): Move plugin-types from the directives considered
experimental to...
(WebCore::isCSPDirectiveName): ...the list of standard directives.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Move logic to parse the plugin-types
directive outside the ENABLE(CSP_NEXT) macro guarded section/experimental feature runtime flag.

LayoutTests:

* TestExpectations: Mark http/tests/security/contentSecurityPolicy/1.1/plugintypes*.html tests as PASS so that we run them.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt: Update expected result.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html: Call runTests() following changes to multiple-iframe-plugin-test.js.
Also add closing tags for <body> and <html> to make the document well-formed.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-data.html: Substitute "Content-Security-Policy" for "X-WebKit-CSP";
no behavior change.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-url.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt: Update expected result.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url.html: Substitute "Content-Security-Policy" for "X-WebKit-CSP";
no behavior change.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-allowed.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html: Call runTests() following changes to multiple-iframe-plugin-test.js.
Also add closing tags for <body> and <html> to make the document well-formed.
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html: Ditto.
* http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Remove logic to support Content Security Policy header X-WebKit-CSP
as it is sufficient to make use of the standardized header Content-Security-Policy.
* http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js: Simplify code now that we do not pass query string parameter
experimental to script echo-object-data.pl.
(runTests): Runs all the sub-tests.
(runNextTest.iframe.onload): Formerly named testImpl.iframe.onload.
(runNextTest): Formerly named testImpl. Runs the next sub-test.
(testExperimentalPolicy): Deleted.
(test): Deleted.
(testImpl.iframe.onload): Deleted.
(testImpl): Deleted.
(finishTesting): Deleted.
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt: Update expected result based on change to test (below).
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Modified to test that we emit
a console warning when plugin-types is used as a source expression.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197038 268f45cc-cd09-0410-ab3c-d52691b4dbfc

19 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-data.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-url.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html
LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl
LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

index 14efe9b..da9f71f 100644 (file)
@@ -1,3 +1,43 @@
+2016-02-24  Daniel Bates  <dabates@apple.com>
+
+        CSP: Enable plugin-types directive by default
+        https://bugs.webkit.org/show_bug.cgi?id=154420
+        <rdar://problem/24730322>
+
+        Reviewed by Brent Fulgham.
+
+        * TestExpectations: Mark http/tests/security/contentSecurityPolicy/1.1/plugintypes*.html tests as PASS so that we run them.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid-expected.txt: Update expected result.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html: Call runTests() following changes to multiple-iframe-plugin-test.js.
+        Also add closing tags for <body> and <html> to make the document well-formed.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-data.html: Substitute "Content-Security-Policy" for "X-WebKit-CSP";
+        no behavior change.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-url.html: Ditto.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data.html: Ditto.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt: Update expected result.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url.html: Substitute "Content-Security-Policy" for "X-WebKit-CSP";
+        no behavior change.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-allowed.html: Ditto.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked.html: Ditto.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html: Call runTests() following changes to multiple-iframe-plugin-test.js.
+        Also add closing tags for <body> and <html> to make the document well-formed.
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html: Ditto.
+        * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Remove logic to support Content Security Policy header X-WebKit-CSP
+        as it is sufficient to make use of the standardized header Content-Security-Policy.
+        * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js: Simplify code now that we do not pass query string parameter
+        experimental to script echo-object-data.pl.
+        (runTests): Runs all the sub-tests.
+        (runNextTest.iframe.onload): Formerly named testImpl.iframe.onload.
+        (runNextTest): Formerly named testImpl. Runs the next sub-test.
+        (testExperimentalPolicy): Deleted.
+        (test): Deleted.
+        (testImpl.iframe.onload): Deleted.
+        (testImpl): Deleted.
+        (finishTesting): Deleted.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt: Update expected result based on change to test (below).
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Modified to test that we emit
+        a console warning when plugin-types is used as a source expression.
+
 2016-02-24  Ryan Haddad  <ryanhaddad@apple.com>
 
         Rebaseline two W3C tests for ios-simulator after r197014
index e9bd7f2..010020e 100644 (file)
@@ -817,6 +817,16 @@ http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
 webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
 webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
 webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-affects-child.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-data.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-url.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-allowed.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html [ Pass ]
 webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
 webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
 webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
index 049ded9..9fe53f6 100644 (file)
@@ -6,6 +6,10 @@ CONSOLE MESSAGE: 'plugin-types' Content Security Policy directive is empty; all
 
 CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types '.
 
+CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: ''none''.
+
+CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types 'none''.
+
 CONSOLE MESSAGE: Invalid plugin type in 'plugin-types' Content Security Policy directive: 'text'.
 
 CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type 'application/x-webkit-test-netscape') because it violates the following Content Security Policy Directive: 'plugin-types text'.
@@ -70,6 +74,11 @@ Frame: '<!--framePath //<!--frame6-->-->'
 --------
 Frame: '<!--framePath //<!--frame7-->-->'
 --------
+
+
+--------
+Frame: '<!--framePath //<!--frame8-->-->'
+--------
 PASS.
 
 
index fcc861b..b8e91ea 100644 (file)
@@ -16,9 +16,11 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="testExperimentalPolicy()">
+<body onload="runTests()">
     <p>
         This tests our handling of invalid `plugin-types` CSP directives.
         Consider this test passing if each of the following frames contains
         either "PASS" or no text at all.
     </p>
+</body>
+</html>
index 4fea7d0..f49ede2 100644 (file)
@@ -7,7 +7,7 @@ if (window.testRunner) {
     testRunner.dumpChildFramesAsText();
 }
 </script>
-<meta http-equiv="X-WebKit-CSP" content="plugin-types application/x-invalid-type">
+<meta http-equiv="Content-Security-Policy" content="plugin-types application/x-invalid-type">
 </head>
 <body>
     This tests that plugin content that doesn't match the declared type doesn't
index 4ea6f52..6054a02 100644 (file)
@@ -8,7 +8,7 @@ if (window.testRunner) {
 }
 </script>
 <script src="/plugins/resources/mock-plugin-logger.js"></script>
-<meta http-equiv="X-WebKit-CSP" content="plugin-types application/x-invalid-type">
+<meta http-equiv="Content-Security-Policy" content="plugin-types application/x-invalid-type">
 </head>
 <body>
     This tests that plugin content that doesn't match the declared type doesn't
index 9542c47..a095be7 100644 (file)
@@ -11,7 +11,7 @@
     runAfterPluginLoad(null, NotifyDone);
 </script>
 <script src="/plugins/resources/mock-plugin-logger.js"></script>
-<meta http-equiv="X-WebKit-CSP" content="plugin-types application/x-invalid-type">
+<meta http-equiv="Content-Security-Policy" content="plugin-types application/x-invalid-type">
 </head>
 <body>
     Given a `plugin-types` directive, plugins have to declare a type explicitly.
index 1f2007e..c5c7883 100644 (file)
@@ -1,8 +1,3 @@
 CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>').
 
 Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above.  
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-
index e36bda9..3cc09e3 100644 (file)
@@ -7,7 +7,7 @@ if (window.testRunner) {
     testRunner.dumpChildFramesAsText();
 }
 </script>
-<meta http-equiv="X-WebKit-CSP" content="plugin-types application/x-invalid-type">
+<meta http-equiv="Content-Security-Policy" content="plugin-types application/x-invalid-type">
 </head>
 <body>
     Given a `plugin-types` directive, plugins have to declare a type explicitly.
index 17d6a0a..2a3b908 100644 (file)
@@ -5,7 +5,7 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="plugin-types application/x-webkit-test-netscape">
+<meta http-equiv="Content-Security-Policy" content="plugin-types application/x-webkit-test-netscape">
 </head>
 <body>
 This test passes if there isn't a console message saying the plugin was blocked.
index a0b8f5b..938145b 100644 (file)
@@ -8,7 +8,7 @@
 
     runAfterPluginLoad(null, NotifyDone);
 </script>
-<meta http-equiv="X-WebKit-CSP" content="plugin-types text/plain">
+<meta http-equiv="Content-Security-Policy" content="plugin-types text/plain">
 </head>
 <body>
 This test passes if there is a console message saying the plugin was blocked.
index b3070ff..d49af11 100644 (file)
@@ -11,9 +11,11 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="testExperimentalPolicy()">
+<body onload='runTests()'>
     <p>
         This tests our handling of `data:` URLs, given a `plugin-types` CSP
         directive. Consider this test passing if each of the following frames
         contains "PASS" or no text at all, and no console warnings appear above.
     </p>
+</body>
+</html>
index 5c066c5..537360f 100644 (file)
@@ -10,9 +10,11 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="testExperimentalPolicy()">
+<body onload='runTests()'>
     <p>
         This tests our handling of non-`data:` URLs, given a `plugin-types` CSP
         directive. Consider this test passing if none of the following frames
         contains "FAIL" and four sets of console logs appear above.
     </p>
+</body>
+</html>
index 44123f1..1377e33 100755 (executable)
@@ -5,12 +5,7 @@ use CGI;
 my $cgi = new CGI;
 
 print "Content-Type: text/html; charset=UTF-8\n";
-my $experimental = $cgi->param('experimental') || "";
-if ($experimental eq 'true') {
-    print "X-WebKit-CSP: " . $cgi->param('csp') . "\n\n";
-} else {
-    print "Content-Security-Policy: " . $cgi->param('csp') . "\n\n";
-}
+print "Content-Security-Policy: " . $cgi->param('csp') . "\n\n";
 
 print "<!DOCTYPE html>\n";
 print "<html>\n";
index 8cd4acf..be80426 100644 (file)
@@ -4,51 +4,30 @@ if (window.testRunner) {
     testRunner.dumpChildFramesAsText();
 }
 
-function testExperimentalPolicy() {
-    testImpl(true);
+function runTests()
+{
+    runNextTest();
 }
 
-function test() {
-    testImpl(false);
-}
-
-function testImpl(experimental) {
-    if (tests.length === 0)
-        return finishTesting();
-    var baseURL = "/security/contentSecurityPolicy/";
-    var current = tests.shift();
-    var iframe = document.createElement("iframe");
-    iframe.src = baseURL + "resources/echo-object-data.pl?" +
-                 "experimental=" + (experimental ? "true" : "false") +
-                 "&csp=" + escape(current[1]);
-
-    if (current[0])
-        iframe.src += "&log=PASS.";
-    else
-        iframe.src += "&log=FAIL.";
-
-    if (current[2])
-        iframe.src += "&plugin=" + escape(current[2]);
-    else {
-        iframe.src += "&plugin=data:application/x-webkit-test-netscape,logifloaded";
+function runNextTest()
+{
+    var currentTest = tests.shift();
+    if (!currentTest) {
+        if (window.testRunner)
+            setTimeout("testRunner.notifyDone()", 0);
+        return;
     }
 
-    if (current[3] !== undefined)
-        iframe.src += "&type=" + escape(current[3]);
-    else
-        iframe.src += "&type=application/x-webkit-test-netscape";
-
+    var iframe = document.createElement("iframe");
     iframe.onload = function() {
         if (window.internals)
             internals.updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasks(iframe);
-        testImpl(experimental);
+        runNextTest();
     };
+    var url = "/security/contentSecurityPolicy/resources/echo-object-data.pl?csp=" + encodeURIComponent(currentTest[1]);
+    url += "&log=" + (currentTest[0] ? "PASS." : "FAIL.");
+    url += "&plugin=" + (currentTest[2] ? encodeURIComponent(currentTest[2]) : "data:application/x-webkit-test-netscape,logifloaded");
+    url += "&type=" + (currentTest[3] !== undefined ? encodeURIComponent(currentTest[3]) : "application/x-webkit-test-netscape");
+    iframe.src = url;
     document.body.appendChild(iframe);
 }
-
-function finishTesting() {
-    if (window.testRunner) {
-        setTimeout("testRunner.notifyDone()", 0);
-    }
-    return true;
-}
index cae9765..4c3a10a 100644 (file)
@@ -3,6 +3,7 @@ CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'ob
 CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'style-src' as a source expression. Did you mean 'script-src ...; style-src...' (note the semicolon)?
 CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'form-action' as a source expression. Did you mean 'script-src ...; form-action...' (note the semicolon)?
 CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'base-uri' as a source expression. Did you mean 'script-src ...; base-uri...' (note the semicolon)?
+CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'plugin-types' as a source expression. Did you mean 'script-src ...; plugin-types...' (note the semicolon)?
 If a web author forgets a semicolon, we should do our best to warn them that the policy they've defined is probably not what they intended.
 
 
index 184d9b8..2368184 100644 (file)
@@ -5,7 +5,7 @@
 <script>
 var tests = [
     ['yes', 'default-src \'self\' script-src example.com', 'resources/script.js'],
-    ['yes', "script-src 'self' object-src 'self' style-src * form-action 'self' base-uri 'self'", 'resources/script.js'],
+    ['yes', "script-src 'self' object-src 'self' style-src * form-action 'self' base-uri 'self' plugin-types application/x-webkit-test-netscape", 'resources/script.js'],
 ];
 </script>
 </head>
index 0e3e51a..0b5d686 100644 (file)
@@ -1,3 +1,18 @@
+2016-02-24  Daniel Bates  <dabates@apple.com>
+
+        CSP: Enable plugin-types directive by default
+        https://bugs.webkit.org/show_bug.cgi?id=154420
+        <rdar://problem/24730322>
+
+        Reviewed by Brent Fulgham.
+
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::isExperimentalDirectiveName): Move plugin-types from the directives considered
+        experimental to...
+        (WebCore::isCSPDirectiveName): ...the list of standard directives.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Move logic to parse the plugin-types
+        directive outside the ENABLE(CSP_NEXT) macro guarded section/experimental feature runtime flag.
+
 2016-02-24  Ryan Haddad  <ryanhaddad@apple.com>
 
         Speculative fix for ios build.
index 001a621..01cfa51 100644 (file)
@@ -59,7 +59,7 @@ static const char reflectedXSS[] = "reflected-xss";
 
 static inline bool isExperimentalDirectiveName(const String& name)
 {
-    return equalLettersIgnoringASCIICase(name, pluginTypes) || equalLettersIgnoringASCIICase(name, reflectedXSS);
+    return equalLettersIgnoringASCIICase(name, reflectedXSS);
 }
 
 #else
@@ -82,6 +82,7 @@ bool isCSPDirectiveName(const String& name)
         || equalLettersIgnoringASCIICase(name, imgSrc)
         || equalLettersIgnoringASCIICase(name, mediaSrc)
         || equalLettersIgnoringASCIICase(name, objectSrc)
+        || equalLettersIgnoringASCIICase(name, pluginTypes)
         || equalLettersIgnoringASCIICase(name, reportURI)
         || equalLettersIgnoringASCIICase(name, sandbox)
         || equalLettersIgnoringASCIICase(name, scriptSrc)
@@ -602,15 +603,15 @@ void ContentSecurityPolicyDirectiveList::addDirective(const String& name, const
         setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_formAction);
     else if (equalLettersIgnoringASCIICase(name, baseURI))
         setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_baseURI);
+    else if (equalLettersIgnoringASCIICase(name, pluginTypes))
+        setCSPDirective<ContentSecurityPolicyMediaListDirective>(name, value, m_pluginTypes);
     else if (equalLettersIgnoringASCIICase(name, sandbox))
         applySandboxPolicy(name, value);
     else if (equalLettersIgnoringASCIICase(name, reportURI))
         parseReportURI(name, value);
 #if ENABLE(CSP_NEXT)
     else if (m_policy.experimentalFeaturesEnabled()) {
-        if (equalLettersIgnoringASCIICase(name, pluginTypes))
-            setCSPDirective<ContentSecurityPolicyMediaListDirective>(name, value, m_pluginTypes);
-        else if (equalLettersIgnoringASCIICase(name, reflectedXSS))
+        if (equalLettersIgnoringASCIICase(name, reflectedXSS))
             parseReflectedXSS(name, value);
         else
             m_policy.reportUnsupportedDirective(name);