Move 'frame-src' CSP checks into FrameFetchContext.

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 290 matching lines @@
 
     // If the redirecting url is not allowed to display content from the target origin,
     // then block the redirect.
     const KURL& requestURL = m_request.url();
     RefPtr<SecurityOrigin> redirectingOrigin = SecurityOrigin::create(redirectResponse.url());
     if (!redirectingOrigin->canDisplay(requestURL)) {
         FrameLoader::reportLocalLoadFailed(m_frame, requestURL.getString());
         m_fetcher->stopFetching();
         return;
     }
-    if (!frameLoader()->shouldContinueForNavigationPolicy(m_request, SubstituteData(), this, CheckContentSecurityPolicy, m_navigationType, NavigationPolicyCurrentTab, replacesCurrentHistoryItem(), isClientRedirect())) {
+    if (!frameLoader()->shouldContinueForNavigationPolicy(m_request, SubstituteData(), this, m_navigationType, NavigationPolicyCurrentTab, replacesCurrentHistoryItem(), isClientRedirect())) {
         m_fetcher->stopFetching();
         return;
     }
 
     ASSERT(timing().fetchStart());
     timing().addRedirect(redirectResponse.url(), requestURL);
     appendRedirect(requestURL);
     frameLoader()->receivedMainResourceRedirect(requestURL);
 }
 
@@ skipping 279 matching lines @@
     if (!shouldLoadEmpty)
         return false;
 
     if (m_request.url().isEmpty() && !frameLoader()->stateMachine()->creatingInitialEmptyDocument())
         m_request.setURL(blankURL());
     m_response = ResourceResponse(m_request.url(), "text/html", 0, nullAtom, String());
     finishedLoading(monotonicallyIncreasingTime());
     return true;
 }
 
-void DocumentLoader::startLoadingMainResource()
+void DocumentLoader::loadUnique()
+{
+    m_request = ResourceRequest(SecurityOrigin::urlWithUniqueSecurityOrigin());
+    m_response = ResourceResponse(m_request.url(), "text/html", 0, nullAtom, String());
+    finishedLoading(monotonicallyIncreasingTime());
+}
+
+void DocumentLoader::startLoadingMainResource(ContentSecurityPolicyDisposition cspDisposition)
 {
     timing().markNavigationStart();
     ASSERT(!m_mainResource);
     ASSERT(m_state == NotStarted);
     m_state = Provisional;
 
     if (maybeLoadEmpty())
         return;
 
     ASSERT(timing().navigationStart());
     ASSERT(!timing().fetchStart());
     timing().markFetchStart();
 
     DEFINE_STATIC_LOCAL(ResourceLoaderOptions, mainResourceLoadOptions,
         (DoNotBufferData, AllowStoredCredentials, ClientRequestedCredentials, CheckContentSecurityPolicy, DocumentContext));
     FetchRequest fetchRequest(m_request, FetchInitiatorTypeNames::document, mainResourceLoadOptions);
+    fetchRequest.setContentSecurityCheck(cspDisposition);
+
     m_mainResource = RawResource::fetchMainResource(fetchRequest, fetcher(), m_substituteData);
     if (!m_mainResource) {
-        m_request = ResourceRequest(blankURL());
-        maybeLoadEmpty();
+        // If we block a main resource request, ensure that the resulting frame's
+        // origin is unique, and that the redirect list is up-to-date with the
+        // resource we actually commit:
+        loadUnique();
+        appendRedirect(SecurityOrigin::urlWithUniqueSecurityOrigin());

[Mike West, 2016/06/06 08:40:10]

Charlie: It seems reasonable to me to treat blocking as a redirect of its own (I
can imagine that clients of the redirects array might actually want the URL that
we would have loaded if it hadn't been blocked). That approach also lends itself
to the current implementation (as we append a redirect in FrameLoader before we
have any idea whether or not we'll end up blocking the request.

Does this seem like a reasonable approach, or should we refactor the append
entirely?

[Charlie Reis, 2016/06/06 20:43:07]

Hmm, that feels weird/unfortunate to me, but maybe it works.  I thought the goal
was to act like the renderer never got to the blocked URL, but here we're making
it look like it went through the blocked URL to end up at about:blank.

That said, I don't know if anything looks at the intermediate hops of the
redirects array and infers that the renderer had access to them, and I don't
know this area well enough to recommend a better plan.  It certainly seems
better to do this than leave the blocked URL as the last item of the redirects
array, which we do assume to be equal to the committed URL in some places.  I'll
defer unless Nate has a better idea.

         return;
     }
     // A bunch of headers are set when the underlying ResourceLoader is created, and m_request needs to include those.
     // Even when using a cached resource, we may make some modification to the request, e.g. adding the referer header.
     m_request = mainResourceLoader() ? m_mainResource->resourceRequest() : fetchRequest.resourceRequest();
     m_mainResource->addClient(this);
 }
 
 void DocumentLoader::endWriting(DocumentWriter* writer)
 {
@@ skipping 42 matching lines @@
 {
     m_writer = createWriterFor(init, mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true, ForceSynchronousParsing);
     if (!source.isNull())
         m_writer->appendReplacingData(source);
     endWriting(m_writer.get());
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 } // namespace blink