Changeset 125817 in webkit

Timestamp:

Aug 16, 2012 3:44:07 PM (12 years ago)

Author:

commit-queue@webkit.org

Message:

Refactor CSPDirective to support non-sourcelist types.
​https://bugs.webkit.org/show_bug.cgi?id=94252

Patch by Mike West <​mkwst@chromium.org> on 2012-08-16
Reviewed by Adam Barth.

Source/WebCore:

The 'CSPDirective' was built to support source list Content Security
Policy directives like 'script-src' or 'object-src'. It doesn't support
new directive types like 'script-nonce' or 'plugin-types'. That
functionality has been implemented by hanging state off of
CSPDirectiveList, which isn't a great solution.

This patch pulls the source list functionality out of CSPDirective and
into SourceListDirective, and likewise pulls the nonce and media list
functionality into NonceDirective and MediaListDirective.

No new tests have been added; this refactoring should be externally
transparent, and the current CSP tests should continue to pass.

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirective::CSPDirective):
(CSPDirective):
(WebCore::CSPDirective::text):
(WebCore::CSPDirective::policy):

CSPDirective is now a parent class for NonceDirective,
MediaListDirective, and SourceListDirective. It stores a pointer
to the ContentSecurityPolicy object in order to facilitate logging,
which now needs to happen at this level, rather than higher up in
CSPDirectiveList.

(WebCore):
(NonceDirective):
(WebCore::NonceDirective::NonceDirective):
(WebCore::NonceDirective::allows):
(WebCore::NonceDirective::parse):

Pull the nonce parsing code and state out of CSPDirectiveList
and into this new class.

(MediaListDirective):
(WebCore::MediaListDirective::MediaListDirective):
(WebCore::MediaListDirective::allows):
(WebCore::MediaListDirective::parse):

Pull the media list parsing code and state out of CSPDirectiveList
and into this new class.

(SourceListDirective):
(WebCore::SourceListDirective::SourceListDirective):
(WebCore::SourceListDirective::allows):

Pull the source list functionality out of CSPDirective
and into this new class.

(CSPDirectiveList):
(WebCore::CSPDirectiveList::checkEval):
(WebCore::CSPDirectiveList::checkInline):
(WebCore::CSPDirectiveList::checkNonce):
(WebCore::CSPDirectiveList::checkSource):
(WebCore::CSPDirectiveList::checkMediaType):
(WebCore::CSPDirectiveList::operativeDirective):
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::checkNonceAndReportViolation):
(WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::checkSourceAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::allowScriptNonce):
(WebCore::CSPDirectiveList::allowPluginType):
(WebCore::CSPDirectiveList::setCSPDirective):
(WebCore::CSPDirectiveList::addDirective):

Use the new classes rather than CSPDirective (or no directive
at all, in the case of nonces and plugin types).

LayoutTests:

• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt:

This test was buggy. Now it writes out the full directive text as it
ought to.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (16 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-08-16  Mike West  <mkwst@chromium.org>
+
+        Refactor CSPDirective to support non-sourcelist types.
+        https://bugs.webkit.org/show_bug.cgi?id=94252
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt:
+            This test was buggy. Now it writes out the full directive text as it
+            ought to.
+
 2012-08-16  Kiran Muppala  <cmuppala@apple.com>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt

@@ -13 +13 @@
 CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: 'nonces have no spaces'.
 
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
+CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce nonces have no spaces".
 
 None of these scripts should execute, as all the nonces are invalid.

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-08-16  Mike West  <mkwst@chromium.org>
+
+        Refactor CSPDirective to support non-sourcelist types.
+        https://bugs.webkit.org/show_bug.cgi?id=94252
+
+        Reviewed by Adam Barth.
+
+        The 'CSPDirective' was built to support source list Content Security
+        Policy directives like 'script-src' or 'object-src'. It doesn't support
+        new directive types like 'script-nonce' or 'plugin-types'. That
+        functionality has been implemented by hanging state off of
+        CSPDirectiveList, which isn't a great solution.
+
+        This patch pulls the source list functionality out of CSPDirective and
+        into SourceListDirective, and likewise pulls the nonce and media list
+        functionality into NonceDirective and MediaListDirective.
+
+        No new tests have been added; this refactoring should be externally
+        transparent, and the current CSP tests should continue to pass.
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirective::CSPDirective):
+        (CSPDirective):
+        (WebCore::CSPDirective::text):
+        (WebCore::CSPDirective::policy):
+            CSPDirective is now a parent class for NonceDirective,
+            MediaListDirective, and SourceListDirective. It stores a pointer
+            to the ContentSecurityPolicy object in order to facilitate logging,
+            which now needs to happen at this level, rather than higher up in
+            CSPDirectiveList.
+        (WebCore):
+        (NonceDirective):
+        (WebCore::NonceDirective::NonceDirective):
+        (WebCore::NonceDirective::allows):
+        (WebCore::NonceDirective::parse):
+            Pull the nonce parsing code and state out of CSPDirectiveList
+            and into this new class.
+        (MediaListDirective):
+        (WebCore::MediaListDirective::MediaListDirective):
+        (WebCore::MediaListDirective::allows):
+        (WebCore::MediaListDirective::parse):
+            Pull the media list parsing code and state out of CSPDirectiveList
+            and into this new class.
+        (SourceListDirective):
+        (WebCore::SourceListDirective::SourceListDirective):
+        (WebCore::SourceListDirective::allows):
+            Pull the source list functionality out of CSPDirective
+            and into this new class.
+        (CSPDirectiveList):
+        (WebCore::CSPDirectiveList::checkEval):
+        (WebCore::CSPDirectiveList::checkInline):
+        (WebCore::CSPDirectiveList::checkNonce):
+        (WebCore::CSPDirectiveList::checkSource):
+        (WebCore::CSPDirectiveList::checkMediaType):
+        (WebCore::CSPDirectiveList::operativeDirective):
+        (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
+        (WebCore::CSPDirectiveList::checkNonceAndReportViolation):
+        (WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):
+        (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
+        (WebCore::CSPDirectiveList::checkSourceAndReportViolation):
+        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+        (WebCore::CSPDirectiveList::allowScriptNonce):
+        (WebCore::CSPDirectiveList::allowPluginType):
+        (WebCore::CSPDirectiveList::setCSPDirective):
+        (WebCore::CSPDirectiveList::addDirective):
+            Use the new classes rather than CSPDirective (or no directive
+            at all, in the case of nonces and plugin types).
+
 2012-08-16  Adam Barth  <abarth@webkit.org>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -537 +537 @@
 public:
     CSPDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
-        : m_sourceList(policy, name)
+        : m_name(name)
         , m_text(name + ' ' + value)
-        , m_selfURL(policy->url())
+        , m_policy(policy)
+    {
+    }
+
+    const String& text() const { return m_text; }
+
+protected:
+    const ContentSecurityPolicy* policy() const { return m_policy; }
+
+private:
+    String m_name;
+    String m_text;
+    ContentSecurityPolicy* m_policy;
+};
+
+class NonceDirective : public CSPDirective {
+public:
+    NonceDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
+        : CSPDirective(name, value, policy)
+    {
+        parse(value);
+    }
+
+    bool allows(const String& nonce) const
+    {
+        return (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptNonce);
+    }
+
+private:
+    void parse(const String& value)
+    {
+        String nonce;
+        const UChar* position = value.characters();
+        const UChar* end = position + value.length();
+
+        skipWhile<isASCIISpace>(position, end);
+        const UChar* nonceBegin = position;
+        if (position == end) {
+            policy()->reportInvalidNonce(String());
+            m_scriptNonce = "";
+            return;
+        }
+        skipWhile<isNonceCharacter>(position, end);
+        if (nonceBegin < position)
+            nonce = String(nonceBegin, position - nonceBegin);
+
+        // Trim off trailing whitespace: If we're not at the end of the string, log
+        // an error.
+        skipWhile<isASCIISpace>(position, end);
+        if (position < end) {
+            policy()->reportInvalidNonce(value);
+            m_scriptNonce = "";
+        } else
+            m_scriptNonce = nonce;
+    }
+
+    String m_scriptNonce;
+};
+
+class MediaListDirective : public CSPDirective {
+public:
+    MediaListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
+        : CSPDirective(name, value, policy)
+    {
+        parse(value);
+    }
+
+    bool allows(const String& type)
+    {
+        return m_pluginTypes.contains(type);
+    }
+
+private:
+    void parse(const String& value)
+    {
+        const UChar* begin = value.characters();
+        const UChar* position = begin;
+        const UChar* end = begin + value.length();
+
+        // 'plugin-types ____;' OR 'plugin-types;'
+        if (value.isEmpty()) {
+            policy()->reportInvalidPluginTypes(value);
+            return;
+        }
+
+        while (position < end) {
+            // _____ OR _____mime1/mime1
+            // ^        ^
+            skipWhile<isASCIISpace>(position, end);
+            if (position == end)
+                return;
+
+            // mime1/mime1 mime2/mime2
+            // ^
+            begin = position;
+            if (!skipExactly<isMediaTypeCharacter>(position, end)) {
+                skipWhile<isNotASCIISpace>(position, end);
+                policy()->reportInvalidPluginTypes(String(begin, position - begin));
+                continue;
+            }
+            skipWhile<isMediaTypeCharacter>(position, end);
+
+            // mime1/mime1 mime2/mime2
+            //      ^
+            if (!skipExactly(position, end, '/')) {
+                skipWhile<isNotASCIISpace>(position, end);
+                policy()->reportInvalidPluginTypes(String(begin, position - begin));
+                continue;
+            }
+
+            // mime1/mime1 mime2/mime2
+            //       ^
+            if (!skipExactly<isMediaTypeCharacter>(position, end)) {
+                skipWhile<isNotASCIISpace>(position, end);
+                policy()->reportInvalidPluginTypes(String(begin, position - begin));
+                continue;
+            }
+            skipWhile<isMediaTypeCharacter>(position, end);
+
+            // mime1/mime1 mime2/mime2 OR mime1/mime1  OR mime1/mime1/error
+            //            ^                          ^               ^
+            if (position < end && isNotASCIISpace(*position)) {
+                skipWhile<isNotASCIISpace>(position, end);
+                policy()->reportInvalidPluginTypes(String(begin, position - begin));
+                continue;
+            }
+            m_pluginTypes.add(String(begin, position - begin));
+
+            ASSERT(position == end || isASCIISpace(*position));
+        }
+    }
+
+    HashSet<String> m_pluginTypes;
+};
+
+class SourceListDirective : public CSPDirective {
+public:
+    SourceListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
+        : CSPDirective(name, value, policy)
+        , m_sourceList(policy, name)
     {
         m_sourceList.parse(value);
@@ -546 +685 @@
     bool allows(const KURL& url)
     {
-        return m_sourceList.matches(url.isEmpty() ? m_selfURL : url);
+        return m_sourceList.matches(url.isEmpty() ? policy()->url() : url);
     }
 
@@ -552 +691 @@
     bool allowEval() const { return m_sourceList.allowEval(); }
 
-    const String& text() { return m_text; }
-
 private:
     CSPSourceList m_sourceList;
-    String m_text;
-    KURL m_selfURL;
 };
 
@@ -599 +734 @@
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
 
-    void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirective>&);
-
-    CSPDirective* operativeDirective(CSPDirective*) const;
+    template <class CSPDirectiveType>
+    void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);
+
+    SourceListDirective* operativeDirective(SourceListDirective*) const;
     void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
 
-    bool checkEval(CSPDirective*) const;
-    bool checkInline(CSPDirective*) const;
-    bool checkNonce(const String&) const;
-    bool checkSource(CSPDirective*, const KURL&) const;
-    bool checkPluginType(const String& type, const String& typeAttribute) const;
-
-    bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
-    bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
-    bool checkNonceAndReportViolation(const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
-    bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
-    bool checkPluginTypeAndReportViolation(const String& type, const String& typeAttribute, const String& consoleMessage) const;
+    bool checkEval(SourceListDirective*) const;
+    bool checkInline(SourceListDirective*) const;
+    bool checkNonce(NonceDirective*, const String&) const;
+    bool checkSource(SourceListDirective*, const KURL&) const;
+    bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
+
+    bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
+    bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& type) const;
+    bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
 
     bool denyIfEnforcingPolicy() const { return m_reportOnly; }
@@ -624 +760 @@
     bool m_haveSandboxPolicy;
 
-    OwnPtr<CSPDirective> m_defaultSrc;
-    OwnPtr<CSPDirective> m_scriptSrc;
-    OwnPtr<CSPDirective> m_objectSrc;
-    OwnPtr<CSPDirective> m_frameSrc;
-    OwnPtr<CSPDirective> m_imgSrc;
-    OwnPtr<CSPDirective> m_styleSrc;
-    OwnPtr<CSPDirective> m_fontSrc;
-    OwnPtr<CSPDirective> m_mediaSrc;
-    OwnPtr<CSPDirective> m_connectSrc;
-    OwnPtr<CSPDirective> m_formAction;
+    OwnPtr<MediaListDirective> m_pluginTypes;
+    OwnPtr<NonceDirective> m_scriptNonce;
+    OwnPtr<SourceListDirective> m_connectSrc;
+    OwnPtr<SourceListDirective> m_defaultSrc;
+    OwnPtr<SourceListDirective> m_fontSrc;
+    OwnPtr<SourceListDirective> m_formAction;
+    OwnPtr<SourceListDirective> m_frameSrc;
+    OwnPtr<SourceListDirective> m_imgSrc;
+    OwnPtr<SourceListDirective> m_mediaSrc;
+    OwnPtr<SourceListDirective> m_objectSrc;
+    OwnPtr<SourceListDirective> m_scriptSrc;
+    OwnPtr<SourceListDirective> m_styleSrc;
 
     Vector<KURL> m_reportURIs;
-    HashSet<String> m_pluginTypes;
-    String m_pluginTypesDirective;
-    String m_scriptNonce;
 };
 
@@ -672 +807 @@
 }
 
-bool CSPDirectiveList::checkEval(CSPDirective* directive) const
+bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
 {
     return !directive || directive->allowEval();
 }
 
-bool CSPDirectiveList::checkInline(CSPDirective* directive) const
+bool CSPDirectiveList::checkInline(SourceListDirective* directive) const
 {
     return !directive || directive->allowInline();
 }
 
-bool CSPDirectiveList::checkNonce(const String& nonce) const
-{
-    return (m_scriptNonce.isNull()
-            || (!m_scriptNonce.isEmpty()
-                && nonce.stripWhiteSpace() == m_scriptNonce));
-}
-
-bool CSPDirectiveList::checkSource(CSPDirective* directive, const KURL& url) const
+bool CSPDirectiveList::checkNonce(NonceDirective* directive, const String& nonce) const
+{
+    return !directive || directive->allows(nonce);
+}
+
+bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& url) const
 {
     return !directive || directive->allows(url);
 }
 
-bool CSPDirectiveList::checkPluginType(const String& type, const String& typeAttribute) const
-{
-    if (m_pluginTypesDirective.isNull())
+bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const String& type, const String& typeAttribute) const
+{
+    if (!directive)
         return true;
     if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type)
         return false;
-    return m_pluginTypes.contains(type);
-}
-
-CSPDirective* CSPDirectiveList::operativeDirective(CSPDirective* directive) const
+    return directive->allows(type);
+}
+
+SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* directive) const
 {
     return directive ? directive : m_defaultSrc.get();
 }
 
-bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
+bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
 {
     if (checkEval(directive))
@@ -716 +849 @@
 }
 
-bool CSPDirectiveList::checkNonceAndReportViolation(const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
-{
-    if (checkNonce(nonce))
-        return true;
-    reportViolation(m_scriptNonce, consoleMessage + "\"script-nonce " + m_scriptNonce + "\".\n", KURL(), contextURL, contextLine);
-    return denyIfEnforcingPolicy();
-}
-
-bool CSPDirectiveList::checkPluginTypeAndReportViolation(const String& type, const String& typeAttribute, const String& consoleMessage) const
-{
-    if (checkPluginType(type, typeAttribute))
-        return true;
-
-    reportViolation(m_pluginTypesDirective, consoleMessage + "'plugin-types " + m_pluginTypesDirective + "'.\n", KURL());
-    return denyIfEnforcingPolicy();
-}
-
-bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
-{
-    if (checkInline(directive))
+bool CSPDirectiveList::checkNonceAndReportViolation(NonceDirective* directive, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
+{
+    if (checkNonce(directive, nonce))
         return true;
     reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
@@ -741 +857 @@
 }
 
-bool CSPDirectiveList::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const
+bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* directive, const String& type, const String& typeAttribute, const String& consoleMessage) const
+{
+    if (checkMediaType(directive, type, typeAttribute))
+        return true;
+
+    reportViolation(directive->text(), consoleMessage + "\'" + directive->text() + "\'.\n", KURL());
+    return denyIfEnforcingPolicy();
+}
+
+bool CSPDirectiveList::checkInlineAndReportViolation(SourceListDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
+{
+    if (checkInline(directive))
+        return true;
+    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
+    return denyIfEnforcingPolicy();
+}
+
+bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* directive, const KURL& url, const String& type) const
 {
     if (checkSource(directive, url))
@@ -761 +894 @@
     if (reportingStatus == ContentSecurityPolicy::SendReport) {
         return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine)
-                && checkNonceAndReportViolation(String(), consoleMessage, contextURL, contextLine));
+                && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
     } else {
         return (checkInline(operativeDirective(m_scriptSrc.get()))
-                && checkNonce(String()));
+                && checkNonce(m_scriptNonce.get(), String()));
     }
 }
@@ -773 +906 @@
     if (reportingStatus == ContentSecurityPolicy::SendReport) {
         return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine)
-                && checkNonceAndReportViolation(String(), consoleMessage, contextURL, contextLine));
+                && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
     } else {
         return (checkInline(operativeDirective(m_scriptSrc.get()))
-                && checkNonce(String()));
+                && checkNonce(m_scriptNonce.get(), String()));
     }
 }
@@ -808 +941 @@
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute script because it violates the following Content Security Policy directive: "));
     if (url.isEmpty())
-        return checkNonceAndReportViolation(nonce, consoleMessage, contextURL, contextLine);
-    return checkNonceAndReportViolation(nonce, "Refused to load '" + url.string() + "' because it violates the following Content Security Policy directive: ", contextURL, contextLine);
+        return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, consoleMessage, contextURL, contextLine);
+    return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, "Refused to load '" + url.string() + "' because it violates the following Content Security Policy directive: ", contextURL, contextLine);
 }
 
@@ -815 +948 @@
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkPluginTypeAndReportViolation(type, typeAttribute, "Refused to load '" + url.string() + "' (MIME type '" + typeAttribute + "') because it violates the following Content Security Policy Directive: ") :
-        checkPluginType(type, typeAttribute);
+        checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribute, "Refused to load '" + url.string() + "' (MIME type '" + typeAttribute + "') because it violates the following Content Security Policy Directive: ") :
+        checkMediaType(m_pluginTypes.get(), type, typeAttribute);
 }
 
@@ -1002 +1135 @@
 }
 
-void CSPDirectiveList::parseScriptNonce(const String& name, const String& value)
-{
-    if (!m_scriptNonce.isNull()) {
-        m_policy->reportDuplicateDirective(name);
-        return;
-    }
-
-    String nonce;
-    const UChar* position = value.characters();
-    const UChar* end = position + value.length();
-
-    skipWhile<isASCIISpace>(position, end);
-    const UChar* nonceBegin = position;
-    if (position == end) {
-        m_policy->reportInvalidNonce(String());
-        m_scriptNonce = "";
-        return;
-    }
-    skipWhile<isNonceCharacter>(position, end);
-    if (nonceBegin < position)
-        nonce = String(nonceBegin, position - nonceBegin);
-
-    // Trim off trailing whitespace: If we're not at the end of the string, log
-    // an error.
-    skipWhile<isASCIISpace>(position, end);
-    if (position < end) {
-        m_policy->reportInvalidNonce(value);
-        m_scriptNonce = "";
-    } else
-        m_scriptNonce = nonce;
-}
-
-void CSPDirectiveList::parsePluginTypes(const String& name, const String& value)
-{
-    if (!m_pluginTypesDirective.isNull()) {
-        m_policy->reportDuplicateDirective(name);
-        return;
-    }
-
-    const UChar* begin = value.characters();
-    const UChar* position = begin;
-    const UChar* end = begin + value.length();
-    m_pluginTypesDirective = value;
-
-    // 'plugin-types ____;' OR 'plugin-types;'
-    if (value.isEmpty()) {
-        m_policy->reportInvalidPluginTypes(value);
-        m_pluginTypesDirective = "";
-        return;
-    }
-
-    while (position < end) {
-        // _____ OR _____mime1/mime1
-        // ^        ^
-        skipWhile<isASCIISpace>(position, end);
-        if (position == end)
-            return;
-
-        // mime1/mime1 mime2/mime2
-        // ^
-        begin = position;
-        if (!skipExactly<isMediaTypeCharacter>(position, end)) {
-            skipWhile<isNotASCIISpace>(position, end);
-            m_policy->reportInvalidPluginTypes(String(begin, position - begin));
-            continue;
-        }
-        skipWhile<isMediaTypeCharacter>(position, end);
-
-        // mime1/mime1 mime2/mime2
-        //      ^
-        if (!skipExactly(position, end, '/')) {
-            skipWhile<isNotASCIISpace>(position, end);
-            m_policy->reportInvalidPluginTypes(String(begin, position - begin));
-            continue;
-        }
-
-        // mime1/mime1 mime2/mime2
-        //       ^
-        if (!skipExactly<isMediaTypeCharacter>(position, end)) {
-            skipWhile<isNotASCIISpace>(position, end);
-            m_policy->reportInvalidPluginTypes(String(begin, position - begin));
-            continue;
-        }
-        skipWhile<isMediaTypeCharacter>(position, end);
-
-        // mime1/mime1 mime2/mime2 OR mime1/mime1  OR mime1/mime1/error
-        //            ^                          ^               ^
-        if (position < end && isNotASCIISpace(*position)) {
-            skipWhile<isNotASCIISpace>(position, end);
-            m_policy->reportInvalidPluginTypes(String(begin, position - begin));
-            continue;
-        }
-        m_pluginTypes.add(String(begin, position - begin));
-
-        ASSERT(position == end || isASCIISpace(*position));
-    }
-}
-
-void CSPDirectiveList::setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirective>& directive)
+
+template<class CSPDirectiveType>
+void CSPDirectiveList::setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>& directive)
 {
     if (directive) {
@@ -1106 +1143 @@
         return;
     }
-    directive = adoptPtr(new CSPDirective(name, value, m_policy));
+    directive = adoptPtr(new CSPDirectiveType(name, value, m_policy));
 }
 
@@ -1141 +1178 @@
 
     if (equalIgnoringCase(name, defaultSrc))
-        setCSPDirective(name, value, m_defaultSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_defaultSrc);
     else if (equalIgnoringCase(name, scriptSrc))
-        setCSPDirective(name, value, m_scriptSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_scriptSrc);
     else if (equalIgnoringCase(name, objectSrc))
-        setCSPDirective(name, value, m_objectSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_objectSrc);
     else if (equalIgnoringCase(name, frameSrc))
-        setCSPDirective(name, value, m_frameSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_frameSrc);
     else if (equalIgnoringCase(name, imgSrc))
-        setCSPDirective(name, value, m_imgSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_imgSrc);
     else if (equalIgnoringCase(name, styleSrc))
-        setCSPDirective(name, value, m_styleSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_styleSrc);
     else if (equalIgnoringCase(name, fontSrc))
-        setCSPDirective(name, value, m_fontSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_fontSrc);
     else if (equalIgnoringCase(name, mediaSrc))
-        setCSPDirective(name, value, m_mediaSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_mediaSrc);
     else if (equalIgnoringCase(name, connectSrc))
-        setCSPDirective(name, value, m_connectSrc);
+        setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
     else if (equalIgnoringCase(name, sandbox))
         applySandboxPolicy(name, value);
@@ -1164 +1201 @@
 #if ENABLE(CSP_NEXT)
     else if (equalIgnoringCase(name, formAction))
-        setCSPDirective(name, value, m_formAction);
+        setCSPDirective<SourceListDirective>(name, value, m_formAction);
     else if (equalIgnoringCase(name, pluginTypes))
-        parsePluginTypes(name, value);
+        setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
     else if (equalIgnoringCase(name, scriptNonce))
-        parseScriptNonce(name, value);
+        setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
 #endif
     else