CSP: 'self' should be handled correctly in sandboxes.

CSP: 'self' should be handled correctly in sandboxes.

Currently, we're checking against the SecurityOrigin rather than the
document's URL. Normally this is perfectly fine, but if the document is
sandboxed, then the null security origin breaks the behavior of 'self'
in source expression lists.

This patch changes 'self' to refer to the URL of the protected resource,
and in the special case of srcdoc documents, to the URL of the protected
resource's parent browsing context's URL.

BUG=326806

[Mike West, 2014-02-07 09:59:09]

Adam, WDYT about this change? It aligns us with the spec (step 5.1 of section
3.2.2.2 reads "Return does match if the URI has the same scheme, host, and port
as the protected resource's URI ...") for sandboxed frames, and adds what seems
like reasonable behavior for srcdoc documents.

I considered just using SecurityOrigin directly for srcdoc documents, but that
would have broken sandboxed srcdoc documents. Walking the frame tree up to the
first non-srcdoc parent seems like the cleanest solution, but maybe there's a
better way I'm missing?

Thanks!

-mike

[1]:
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specificatio...

[Mike West, 2014-02-07 09:59:55]

On 2014/02/07 09:59:09, Mike West wrote:
> Adam, WDYT about this change? It aligns us with the spec (step 5.1 of section
> 3.2.2.2 reads "Return does match if the URI has the same scheme, host, and
port
> as the protected resource's URI ...") for sandboxed frames, and adds what
seems
> like reasonable behavior for srcdoc documents.
> 
> I considered just using SecurityOrigin directly for srcdoc documents, but that
> would have broken sandboxed srcdoc documents. Walking the frame tree up to the
> first non-srcdoc parent seems like the cleanest solution, but maybe there's a
> better way I'm missing?
> 
> Thanks!
> 
> -mike
> 
> [1]:
>
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specificatio...

(note that this patch relies on https://codereview.chromium.org/134863007/ which
is in the CQ. Once that lands, I'll hand this to the bots)

[abarth-chromium, 2014-02-07 18:42:32]

Breaks the behavior in what sense?  What should 'self' resolve to in sandboxed
documents?  I guess the question is whether it's relative to the document's URL
or the document's origin...

[abarth-chromium, 2014-02-07 18:44:18]

It's not clear to me whether we should change the implementation or the spec. 
The spec text doesn't make much sense for about:blank or about:srcdoc documents.
 IMHO, we should probably change the spec.  Folks can still whitelist resources
by being explicit about what URLs a sandboxed iframe can load.  It seems better
to be explicit about that sort of thing.