Implementation of W3C compliant CSP script-src nonce.

Source/core/loader/cache/CachedResourceLoader.cpp

 /*
     Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
     Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
     Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
     Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
 
     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Library General Public
     License as published by the Free Software Foundation; either
@@ skipping 128 matching lines @@
 Frame* CachedResourceLoader::frame() const
 {
     return m_documentLoader ? m_documentLoader->frame() : 0;
 }
 
 CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResourceRequest& request)
 {
     if (Frame* f = frame()) {
         if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoDismissal) {
             KURL requestURL = request.resourceRequest().url();
-            if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL))
+            if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL, false))

[abarth-chromium, 2013/05/16 00:59:27]

If you use the enum rather than a bool, then call sites like this one are more
readable.

[jww, 2013/05/16 20:59:00]

Done.

                 PingLoader::loadImage(f, requestURL);
             return 0;
         }
     }
     request.setDefer(clientDefersImage(request.resourceRequest().url()) ? CachedResourceRequest::DeferredByClient : CachedResourceRequest::NoDefer);
     return static_cast<CachedImage*>(requestResource(CachedResource::ImageResource, request).get());
 }
 
 CachedResourceHandle<CachedFont> CachedResourceLoader::requestFont(CachedResourceRequest& request)
 {
@@ skipping 25 matching lines @@
         memoryCache()->remove(existing);
     }
     if (url.string() != request.resourceRequest().url())
         request.mutableResourceRequest().setURL(url);
 
     CachedResourceHandle<CachedCSSStyleSheet> userSheet = new CachedCSSStyleSheet(request.resourceRequest(), request.charset());
 
     memoryCache()->add(userSheet.get());
     // FIXME: loadResource calls setOwningCachedResourceLoader() if the resource couldn't be added to cache. Does this function need to call it, too?
 
-    userSheet->load(this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck));
+    // This check is currently not used. However, it will be used once we
+    // implement nonce checks for style sheets.
+    ContentSecurityPolicyNonceCheck nonceCheck = NonceCheckNotValid;
+    if (checkNonceFromInitiatorElement(request.initiatorElement().get()))
+        nonceCheck = NonceCheckValid;

[abarth-chromium, 2013/05/16 00:59:27]

If this code isn't used, we shouldn't add it.  We can always add it later when
we implement that feature.

[jww, 2013/05/16 20:59:00]

Done.

+    userSheet->load(this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck, nonceCheck));
     
     return userSheet;
 }
 
 CachedResourceHandle<CachedScript> CachedResourceLoader::requestScript(CachedResourceRequest& request)
 {
     return static_cast<CachedScript*>(requestResource(CachedResource::Script, request).get());
 }
 
 CachedResourceHandle<CachedXSLStyleSheet> CachedResourceLoader::requestXSLStyleSheet(CachedResourceRequest& request)
@@ skipping 55 matching lines @@
     }
     case CachedResource::MainResource:
     case CachedResource::LinkPrefetch:
     case CachedResource::LinkSubresource:
         // Prefetch cannot affect the current document.
         break;
     }
     return true;
 }
 
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
+bool CachedResourceLoader::checkNonceFromInitiatorElement(const Element* initiatorElement)
+{
+    return initiatorElement && m_document->contentSecurityPolicy()->allowNonce(initiatorElement->fastGetAttribute(HTMLNames::nonceAttr));

[abarth-chromium, 2013/05/16 00:59:27]

This isn't right.  Different types have different nonces, so there isn't a
global way to check whether a nonce is valid.  The code that prepares the
CachedResourceRequest needs to do this check.

[jww, 2013/05/16 20:59:00]

Okay, I think I've basically factored all of the checks into places where
CachedResourceRequests are created. However, I did have a confusion:

In HTMLResourcePreloader.cpp, there's a resourceRequest function that makes a
cachedResourceRequest. However, there doesn't seem to be an initiator element
(only an initiator name), therefore we can't extract a nonce to check. Thus, I'm
assuming that in this case, we will always assume no nonce. Is that right?

Similarly, it's unclear to me what the type of the documents being loaded in
DocumentThreadableLoader are. I suspect that it is HTML documents, not scripts,
but I haven't been able to figure it out.

On 2013/05/16 00:59:27, abarth wrote:

+}
+
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool validNonce, bool forPreload)
 {
     if (document() && !document()->securityOrigin()->canDisplay(url)) {
         if (!forPreload)
             FrameLoader::reportLocalLoadFailed(frame(), url.elidedString());
         LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
         return 0;
     }
 
     // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
     bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->script()->shouldBypassMainWorldContentSecurityPolicy());
@@ skipping 21 matching lines @@
     case CachedResource::XSLStyleSheet:
         if (!m_document->securityOrigin()->canRequest(url)) {
             printAccessDeniedMessage(url);
             return false;
         }
         break;
     }
 
     switch (type) {
     case CachedResource::XSLStyleSheet:
-        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, validNonce))
             return false;
         break;
     case CachedResource::Script:
-        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, validNonce))
             return false;
 
         if (frame()) {
             Settings* settings = frame()->settings();
             if (!frame()->loader()->client()->allowScriptFromSource(!settings || settings->isScriptEnabled(), url)) {
                 frame()->loader()->client()->didNotAllowScript();
                 return false;
             }
         }
         break;
@@ skipping 44 matching lines @@
     KURL url = request.resourceRequest().url();
     
     LOG(ResourceLoading, "CachedResourceLoader::requestResource '%s', charset '%s', priority=%d, forPreload=%u", url.elidedString().latin1().data(), request.charset().latin1().data(), request.priority(), request.forPreload());
     
     // If only the fragment identifiers differ, it is the same resource.
     url = MemoryCache::removeFragmentIdentifierIfNeeded(url);
 
     if (!url.isValid())
         return 0;
 
-    if (!canRequest(type, url, request.forPreload()))
+    if (!canRequest(type, url, checkNonceFromInitiatorElement(request.initiatorElement().get()), request.forPreload()))

[abarth-chromium, 2013/05/16 00:59:27]

This needs to be done in type-specific code because the nonces can be
type-specific.

[jww, 2013/05/16 20:59:00]

Done.

         return 0;
 
     if (Frame* f = frame())
         f->loader()->client()->dispatchWillRequestResource(&request);
 
     if (memoryCache()->disabled()) {
         DocumentResourceMap::iterator it = m_documentResources.find(url.string());
         if (it != m_documentResources.end()) {
             it->value->setOwningCachedResourceLoader(0);
             m_documentResources.remove(it);
@@ skipping 20 matching lines @@
         break;
     }
 
     if (!resource)
         return 0;
 
     if (!request.forPreload() || policy != Use)
         resource->setLoadPriority(request.priority());
 
     if ((policy != Use || resource->stillNeedsLoad()) && CachedResourceRequest::NoDefer == request.defer()) {
-        resource->load(this, request.options());
+        ResourceLoaderOptions options(request.options());
+        if (checkNonceFromInitiatorElement(request.initiatorElement().get()))
+            options.cspNonce = NonceCheckValid;
+        resource->load(this, options);
 
         // We don't support immediate loads, but we do support immediate failure.
         if (resource->errorOccurred()) {
             if (resource->inCache())
                 memoryCache()->remove(resource.get());
             return 0;
         }
     }
 
     // FIXME: Temporarily leave main resource caching disabled for chromium, see https://bugs.webkit.org/show_bug.cgi?id=107962
@@ skipping 488 matching lines @@
     info.addMember(m_validatedURLs, "validatedURLs");
     info.addMember(m_preloads, "preloads");
     info.addMember(m_pendingPreloads, "pendingPreloads");
     info.addMember(m_garbageCollectDocumentResourcesTimer, "garbageCollectDocumentResourcesTimer");
     // FIXME: m_initiatorMap has pointers to already deleted CachedResources
     info.ignoreMember(m_initiatorMap);
 }
 
 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
 {
-    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck);
+    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck, NonceCheckNotValid);
     return options;
 }
 
 }