Allow CSP checkNonce and checkHash to pass with 'unsafe-inline' only.

There is a bug that a script will incorrectly not run when a nonce is
specified if 'unsafe-inline' is also specified in the policy and there's
a *second* policy that only specifies 'unsafe-inline'. This is due to a
cascading failure where the initial isAllowedByAllWithNonce check fails
because the second policy doesn't have a nonce, while the later
allowInlineScript check fails because the first policy's nonce
invalidates the 'unsafe-inline'.

This CL allows allowScriptNonce (and allowScriptHash) to pass if
'unsafe-inline' is present (and no hash or nonce is present). This also
adds tests to verify.

BUG=413482

Review URL: https://codereview.chromium.org/568583003

git-svn-id: svn://svn.chromium.org/blink/trunk@181939 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-with-unsafe-inline-expected.txt

+ALERT: PASS
+

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-with-unsafe-inline.html

+<!DOCTYPE html>
+<html>
+    <head>
+        <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+        <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'sha256-uxcCTJ1x+1cgRY+gX4jcYRLIyzt5oojPPbxUg49Ed6o='">
+    </head>
+    <body>
+        <script type="text/javascript">
+        if (window.testRunner)
+            testRunner.dumpAsText();
+        alert("PASS");
+        </script>
+    </body>
+<html>

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-multiple-policies-with-unsafe-inline-expected.txt

+ALERT: PASS
+

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-multiple-policies-with-unsafe-inline.html

+<!DOCTYPE html>
+<html>
+    <head>
+        <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'">
+        <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'nonce-nonceynonce'">
+    </head>
+    <body>
+        <script type="text/javascript" nonce="nonceynonce">
+        if (window.testRunner)
+            testRunner.dumpAsText();
+        alert("PASS");
+        </script>
+    </body>
+<html>

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

@@ -85,12 +85,12 @@ bool CSPDirectiveList::checkInline(SourceListDirective* directive) const
 
 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const
 {
-    return !directive || directive->allowNonce(nonce);
+    return !directive || directive->allowNonce(nonce) || checkInline(directive);
 }
 
 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const CSPHashValue& hashValue) const
 {
-    return !directive || directive->allowHash(hashValue);
+    return !directive || directive->allowHash(hashValue) || checkInline(directive);
 }
 
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& url) const