Apply CSP default-src hash values to script-src and style-src.

This fixes a minor bug where we forgot to add hash values in the
default-src CSP directive to the list of hash algorithms seen. Thus,
when the hash whitelist was checked for inline styles and scripts, the
CSP potentially might believe that no algorithms have been seen, so the
whitelist check would skip all of the stored hash values.

This fixes the bug by adding the algorithms to the list of algorithms
seen when a default-src directive is reached.

BUG=534568
R=mkwst@chromium.org

Review URL: https://codereview.chromium.org/1360693002

git-svn-id: svn://svn.chromium.org/blink/trunk@202656 bbb929c8-8fbe-4397-9dbb-9b2b20218538
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
new file mode 100644
index 0000000..1c9c19d
--- /dev/null
+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <title>Script Hash allow hash in default-src</title>
+    <script src="../../../resources/testharness.js"></script>
+    <script src="../../../resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="default-src * 'sha256-oS9uHuKPPT/hdBOV7e3D9Wa2G7yVuxbIPkahJ/26zEc='">
+    </head>
+
+    <script>
+    done();
+    </script>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
new file mode 100644
index 0000000..1c195ed
--- /dev/null
+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <title>Style Hash allow hash in default-src</title>
+    <script src="../../../resources/testharness.js"></script>
+    <script src="../../../resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="default-src * 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'unsafe-inline'">
+    </head>
+
+    <body>
+    <p id="p"></p>
+    <style>p#p { color: green; }</style>
+    <script>
+    var color = window.getComputedStyle(document.querySelector('#p')).color;
+    assert_equals(color, "rgb(0, 128, 0)");
+    done();
+    </script>
+    </body>
+</html>
diff --git a/Source/core/frame/csp/CSPDirectiveList.cpp b/Source/core/frame/csp/CSPDirectiveList.cpp
index d88ffc3..b99bb28 100644
--- a/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -748,6 +748,11 @@
 
     if (equalIgnoringCase(name, ContentSecurityPolicy::DefaultSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_defaultSrc);
+        // TODO(mkwst) It seems unlikely that developers would use different
+        // algorithms for scripts and styles. We may want to combine the
+        // usesScriptHashAlgorithms() and usesStyleHashAlgorithms.
+        m_policy->usesScriptHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed());
+        m_policy->usesStyleHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed());
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ScriptSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_scriptSrc);
         m_policy->usesScriptHashAlgorithms(m_scriptSrc->hashAlgorithmsUsed());