[code-inclusion] Remove "whitelist" from core/frame/csp*

As above - there should be no behaviour change. Bug: 842296 Change-Id: I2ff9cbc2472c074ccb78ce141016cb2427c2594a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2261481 Auto-Submit: Ian Kilpatrick <ikilpatrick@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#781717}

[code-inclusion] Remove "whitelist" from core/frame/csp*
As above - there should be no behaviour change. Bug: 842296 Change-Id: I2ff9cbc2472c074ccb78ce141016cb2427c2594a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2261481 Auto-Submit: Ian Kilpatrick <ikilpatrick@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#781717}
2b8d29c5 · Ian Kilpatrick · Commit Bot · 3ccd3f7c · 2b8d29c5 · 2b8d29c5
Commit 2b8d29c5 authored Jun 24, 2020 by Ian Kilpatrick Committed by Commit Bot Jun 24, 2020
3 changed files
--- a/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
+++ b/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
@@ -552,7 +552,7 @@ bool ContentSecurityPolicy::AllowInline(
  // Step 3. For each policy in element’s Document's global object’s CSP list:
  // [spec text]
  for (const auto& policy : policies_) {
-    // May be whitelisted by hash, if 'unsafe-hashes' is present in a policy.
+    // May be allowed by hash, if 'unsafe-hashes' is present in a policy.
    // Check against the digest of the |content| and also check whether inline
    // script is allowed.
    is_allowed &=

--- a/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
+++ b/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
@@ -521,7 +521,7 @@ bool CSPDirectiveList::CheckSourceAndReportViolation(
  if (!directive)
    return true;
-  // We ignore URL-based whitelists if we're allowing dynamic script injection.
+  // We ignore URL-based allowlists if we're allowing dynamic script injection.
  if (CheckSource(directive, url, redirect_status) && !CheckDynamic(directive))
    return true;
@@ -562,9 +562,10 @@ bool CSPDirectiveList::CheckSourceAndReportViolation(
    prefix = prefix + "navigate to '";
  String suffix = String();
-  if (CheckDynamic(directive))
+  if (CheckDynamic(directive)) {
    suffix =
-        " 'strict-dynamic' is present, so host-based whitelisting is disabled.";
+        " 'strict-dynamic' is present, so host-based allowlisting is disabled.";
+  }
  String directive_name = directive->GetName();
  String effective_directive_name =
@@ -1442,7 +1443,7 @@ SourceListDirectiveVector CSPDirectiveList::GetSourceVector(
 }
 bool CSPDirectiveList::Subsumes(const CSPDirectiveListVector& other) {
-  // A white-list of directives that we consider for subsumption.
+  // A list of directives that we consider for subsumption.
  // See more about source lists here:
  // https://w3c.github.io/webappsec-csp/#framework-directive-source-list
  static ContentSecurityPolicy::DirectiveType directives[] = {

--- a/third_party/blink/renderer/core/frame/csp/csp_directive_list_test.cc
+++ b/third_party/blink/renderer/core/frame/csp/csp_directive_list_test.cc
@@ -248,7 +248,7 @@ TEST_F(CSPDirectiveListTest, AllowFromSourceWithNonce) {
      {"https://example.com", "https://not.example.com/file", "boo", false},
      {"https://example.com", "https://not.example.com/file", "", false},
-      // Doesn't affect URLs that match the whitelist.
+      // Doesn't affect URLs that match the allowlist.
      {"https://example.com 'nonce-yay'", "https://example.com/file", "yay",
       true},
      {"https://example.com 'nonce-yay'", "https://example.com/file", "boo",
@@ -363,7 +363,7 @@ TEST_F(CSPDirectiveListTest, AllowScriptFromSourceWithHash) {
       false},
      {"https://example.com", "https://not.example.com/file", "", false},
-      // Doesn't affect URLs that match the whitelist.
+      // Doesn't affect URLs that match the allowlist.
      {"https://example.com 'sha256-yay'", "https://example.com/file",
       "sha256-yay", true},
      {"https://example.com 'sha256-yay'", "https://example.com/file",
@@ -371,7 +371,7 @@ TEST_F(CSPDirectiveListTest, AllowScriptFromSourceWithHash) {
      {"https://example.com 'sha256-yay'", "https://example.com/file", "",
       true},
-      // Does affect URLs that don't match the whitelist.
+      // Does affect URLs that don't match the allowlist.
      {"https://example.com 'sha256-yay'", "https://not.example.com/file",
       "sha256-yay", true},
      {"https://example.com 'sha256-yay'", "https://not.example.com/file",
@@ -393,7 +393,7 @@ TEST_F(CSPDirectiveListTest, AllowScriptFromSourceWithHash) {
      // But they also don't interfere.
      {"'sha256-yay'", "https://a.com/file", "sha256-yay asdf256-boo", true},
-      // Additional whitelisted hashes in the CSP don't interfere.
+      // Additional allowlisted hashes in the CSP don't interfere.
      {"'sha256-yay' 'sha384-boo'", "https://a.com/file", "sha256-yay", true},
      {"'sha256-yay' 'sha384-boo'", "https://a.com/file", "sha384-boo", true},