[HTML Import] Respect Content Security Policy Model

Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
@@ skipping 2619 matching lines @@
         processHttpEquivXFrameOptions(content);
     else if (equalIgnoringCase(equiv, "content-security-policy")
         || equalIgnoringCase(equiv, "content-security-policy-report-only")
         || equalIgnoringCase(equiv, "x-webkit-csp")
         || equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
         processHttpEquivContentSecurityPolicy(equiv, content);
 }
 
 void Document::processHttpEquivContentSecurityPolicy(const String& equiv, const String& content)
 {
+    if (!this->frame())
+        return;
+
     if (equalIgnoringCase(equiv, "content-security-policy"))
         contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Enforce);
     else if (equalIgnoringCase(equiv, "content-security-policy-report-only"))
         contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Report);
     else if (equalIgnoringCase(equiv, "x-webkit-csp"))
         contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedEnforce);
     else if (equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
         contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedReport);
     else
         ASSERT_NOT_REACHED();
@@ skipping 1550 matching lines @@
     initSecurityContext(DocumentInit(m_url, m_frame, m_import));
 }
 
 void Document::initSecurityContext(const DocumentInit& initializer)
 {
     if (haveInitializedSecurityOrigin()) {
         ASSERT(securityOrigin());
         return;
     }
 
-    if (!initializer.frame()) {
+    if (!initializer.hasSecurityContext()) {
         // No source for a security context.
         // This can occur via document.implementation.createDocument().

[abarth-chromium, 2013/07/24 18:39:19]

Does this occur for HTML import too?  If so, it would be good to explain that in
the comment.

         m_cookieURL = KURL(ParsedURLString, emptyString());
         setSecurityOrigin(SecurityOrigin::createUnique());
         setContentSecurityPolicy(ContentSecurityPolicy::create(this));
         return;
     }
 
     // In the common case, create the security context from the currently
     // loading URL with a fresh content security policy.
     m_cookieURL = m_url;
     enforceSandboxFlags(initializer.sandboxFlags());
@@ skipping 51 matching lines @@
     }
 
     m_cookieURL = ownerFrame->document()->cookieURL();
     // We alias the SecurityOrigins to match Firefox, see Bug 15313
     // https://bugs.webkit.org/show_bug.cgi?id=15313
     setSecurityOrigin(ownerFrame->document()->securityOrigin());
 }
 
 void Document::initContentSecurityPolicy()
 {
-    if (!m_frame->tree()->parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))
-        return;
-
-    contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
+    if (m_frame && m_frame->tree()->parent() && (shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument()))
+        contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
+    if (HTMLImport* import = this->import())
+        contentSecurityPolicy()->copyStateFrom(import->master()->contentSecurityPolicy());

[abarth-chromium, 2013/07/24 18:39:19]

This looks great.  My only question is about this line of code.  Rather than
taking the CSP from the master document, we're probably better off if we take
the CSP from the Content-Security-Policy header that came with the imported
Document.

Consider: Most people who use CSP will disable inline script (because that's how
you get the XSS protection).  Even if you disable inline script in your main
document, there might not be a security risk in using inline script the HTML you
import.

I'm going to say LGTM to unblock you, but please change the CL so that the
imported document gets its CSP from its own HTTP headers rather than copying it
from the master document.

 }
 
 void Document::didUpdateSecurityOrigin()
 {
     if (!m_frame)
         return;
     m_frame->script()->updateSecurityOrigin();
 }
 
 bool Document::isContextThread() const
@@ skipping 790 matching lines @@
 {
     return DocumentLifecycleNotifier::create(this);
 }
 
 DocumentLifecycleNotifier* Document::lifecycleNotifier()
 {
     return static_cast<DocumentLifecycleNotifier*>(ScriptExecutionContext::lifecycleNotifier());
 }
 
 } // namespace WebCore