CSP: Remove state from blink::CSPDirectiveList

This is a small refactoring of the code in blink::CSPDirectiveList,
removing the property CSPDirectiveList::eval_disabled_error_message_.

This is part of a project to harmonize the CSP code in Blink and in
services/network, and will make it easier to synchronize Content
Security Policies between the two.

Bug: 1021462,1149272
Change-Id: If9994d3bda9bde47433fcc089acb74ef0fdb426e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2601746
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#844004}

third_party/blink/renderer/core/frame/csp/content_security_policy.cc

@@ -371,8 +371,10 @@ void ContentSecurityPolicy::AddPolicyFromHeaderValue(
     Member<CSPDirectiveList> policy =
         CSPDirectiveList::Create(this, begin, position, type, source);
 
-    if (policy->ShouldDisableEval() && disable_eval_error_message_.IsNull()) {
-      disable_eval_error_message_ = policy->EvalDisabledErrorMessage();
+    String disable_eval_message;
+    if (policy->ShouldDisableEval(disable_eval_message) &&
+        disable_eval_error_message_.IsNull()) {
+      disable_eval_error_message_ = disable_eval_message;
     }
 
     policies_.push_back(policy.Release());
@@ -584,8 +586,9 @@ bool ContentSecurityPolicy::AllowWasmEval(
 
 String ContentSecurityPolicy::EvalDisabledErrorMessage() const {
   for (const auto& policy : policies_) {
-    if (policy->ShouldDisableEval())
-      return policy->EvalDisabledErrorMessage();
+    String message;
+    if (policy->ShouldDisableEval(message))
+      return message;
   }
   return String();
 }

third_party/blink/renderer/core/frame/csp/csp_directive_list.cc

@@ -216,23 +216,6 @@ void CSPDirectiveList::ApplyParsedDirectives() {
         break;
     }
   }
-
-  CSPOperativeDirective directive =
-      OperativeDirective(CSPDirectiveName::ScriptSrc);
-
-  if (!CheckEval(directive.source_list)) {
-    String message =
-        "Refused to evaluate a string as JavaScript because 'unsafe-eval' is "
-        "not an allowed source of script in the following Content Security "
-        "Policy directive: \"" +
-        GetRawDirectiveForMessage(raw_directives_, directive.type) + "\".\n";
-    SetEvalDisabledErrorMessage(message);
-  } else if (RequiresTrustedTypes()) {
-    String message =
-        "Refused to evaluate a string as JavaScript because this document "
-        "requires 'Trusted Type' assignment.";
-    SetEvalDisabledErrorMessage(message);
-  }
 }
 
 void CSPDirectiveList::ReportViolation(
@@ -747,14 +730,23 @@ bool CSPDirectiveList::AllowWasmEval(
              OperativeDirective(CSPDirectiveName::ScriptSrc).source_list);
 }
 
-bool CSPDirectiveList::ShouldDisableEvalBecauseScriptSrc() const {
-  return !AllowEval(ReportingDisposition::kSuppressReporting,
-                    ContentSecurityPolicy::kWillNotThrowException,
-                    g_empty_string);
-}
-
-bool CSPDirectiveList::ShouldDisableEvalBecauseTrustedTypes() const {
-  return RequiresTrustedTypes();
+bool CSPDirectiveList::ShouldDisableEval(String& error_message) const {
+  CSPOperativeDirective directive =
+      OperativeDirective(CSPDirectiveName::ScriptSrc);
+  if (!CheckEval(directive.source_list)) {
+    error_message =
+        "Refused to evaluate a string as JavaScript because 'unsafe-eval' is "
+        "not an allowed source of script in the following Content Security "
+        "Policy directive: \"" +
+        GetRawDirectiveForMessage(raw_directives_, directive.type) + "\".\n";
+    return true;
+  } else if (RequiresTrustedTypes()) {
+    error_message =
+        "Refused to evaluate a string as JavaScript because this document "
+        "requires 'Trusted Type' assignment.";
+    return true;
+  }
+  return false;
 }
 
 bool CSPDirectiveList::AllowPluginType(

third_party/blink/renderer/core/frame/csp/csp_directive_list.h

@@ -104,15 +104,7 @@ class CORE_EXPORT CSPDirectiveList final
   void ReportMixedContent(const KURL& blocked_url,
                           ResourceRequest::RedirectStatus) const;
 
-  bool ShouldDisableEval() const {
-    return ShouldDisableEvalBecauseScriptSrc() ||
-           ShouldDisableEvalBecauseTrustedTypes();
-  }
-  bool ShouldDisableEvalBecauseScriptSrc() const;
-  bool ShouldDisableEvalBecauseTrustedTypes() const;
-  const String& EvalDisabledErrorMessage() const {
-    return eval_disabled_error_message_;
-  }
+  bool ShouldDisableEval(String& error_message) const;
   bool IsReportOnly() const {
     return header_->type == network::mojom::ContentSecurityPolicyType::kReport;
   }
@@ -228,10 +220,6 @@ class CORE_EXPORT CSPDirectiveList final
                       const String& type,
                       const String& type_attribute) const;
 
-  void SetEvalDisabledErrorMessage(const String& error_message) {
-    eval_disabled_error_message_ = error_message;
-  }
-
   bool CheckEvalAndReportViolation(const String& console_message,
                                    ContentSecurityPolicy::ExceptionStatus,
                                    const String& script_content) const;
@@ -300,8 +288,6 @@ class CORE_EXPORT CSPDirectiveList final
   Vector<String> report_endpoints_;
   bool use_reporting_api_;
 
-  String eval_disabled_error_message_;
-
   DISALLOW_COPY_AND_ASSIGN(CSPDirectiveList);
 };