CSP/Trusted Types: No trusted-types policy means CSP allows all policies.

It's possible to use Trusted Types without the trusted-types CSP directive. In that case, all policies are allowed. (The current code will just crash.) Bug: 739170 Change-Id: I0a832be30f97f7401db221038119af491e418521 Reviewed-on: https://chromium-review.googlesource.com/1245781 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Andy Paicu <andypaicu@chromium.org> Cr-Commit-Position: refs/heads/master@{#594313}

CSP/Trusted Types: No trusted-types policy means CSP allows all policies.
It's possible to use Trusted Types without the trusted-types CSP directive. In that case, all policies are allowed. (The current code will just crash.) Bug: 739170 Change-Id: I0a832be30f97f7401db221038119af491e418521 Reviewed-on: https://chromium-review.googlesource.com/1245781 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Andy Paicu <andypaicu@chromium.org> Cr-Commit-Position: refs/heads/master@{#594313}
f492353d · Daniel Vogelheim · Commit Bot · 04c5a83e · f492353d · f492353d
Commit f492353d authored Sep 26, 2018 by Daniel Vogelheim Committed by Commit Bot Sep 26, 2018
2 changed files
--- a/third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc
+++ b/third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc
@@ -1383,4 +1383,30 @@ TEST_F(ContentSecurityPolicyTest, IsValidCSPAttrTest) {
      "\rbase-uri http://example.com", ""));
 }
+TEST_F(ContentSecurityPolicyTest, TrustedTypesNoDirective) {
+  csp->BindToExecutionContext(execution_context.Get());
+  csp->DidReceiveHeader("", kContentSecurityPolicyHeaderTypeEnforce,
+                        kContentSecurityPolicyHeaderSourceHTTP);
+  EXPECT_TRUE(csp->AllowTrustedTypePolicy("somepolicy"));
+}
+TEST_F(ContentSecurityPolicyTest, TrustedTypesSimpleDirective) {
+  csp->BindToExecutionContext(execution_context.Get());
+  csp->DidReceiveHeader("trusted-types one two three",
+                        kContentSecurityPolicyHeaderTypeEnforce,
+                        kContentSecurityPolicyHeaderSourceHTTP);
+  EXPECT_TRUE(csp->AllowTrustedTypePolicy("one"));
+  EXPECT_TRUE(csp->AllowTrustedTypePolicy("two"));
+  EXPECT_TRUE(csp->AllowTrustedTypePolicy("three"));
+  EXPECT_FALSE(csp->AllowTrustedTypePolicy("four"));
+}
+TEST_F(ContentSecurityPolicyTest, TrustedTypesEmpty) {
+  csp->BindToExecutionContext(execution_context.Get());
+  csp->DidReceiveHeader("trusted-types",
+                        kContentSecurityPolicyHeaderTypeEnforce,
+                        kContentSecurityPolicyHeaderSourceHTTP);
+  EXPECT_TRUE(csp->AllowTrustedTypePolicy("somepolicy"));
+}
 }  // namespace blink
--- a/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
+++ b/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
@@ -963,7 +963,7 @@ bool CSPDirectiveList::AllowBaseURI(
 }
 bool CSPDirectiveList::AllowTrustedTypePolicy(const String& policy_name) const {
-  if (trusted_types_->Allows(policy_name))
+  if (!trusted_types_ || trusted_types_->Allows(policy_name))
    return true;
  ReportViolation(