Move 'frame-src' CSP checks into FrameFetchContext.

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 290 matching lines @@
 
     // If the redirecting url is not allowed to display content from the target origin,
     // then block the redirect.
     const KURL& requestURL = m_request.url();
     RefPtr<SecurityOrigin> redirectingOrigin = SecurityOrigin::create(redirectResponse.url());
     if (!redirectingOrigin->canDisplay(requestURL)) {
         FrameLoader::reportLocalLoadFailed(m_frame, requestURL.getString());
         m_fetcher->stopFetching();
         return;
     }
-    if (!frameLoader()->shouldContinueForNavigationPolicy(m_request, SubstituteData(), this, CheckContentSecurityPolicy, m_navigationType, NavigationPolicyCurrentTab, replacesCurrentHistoryItem(), isClientRedirect())) {
+    if (!frameLoader()->shouldContinueForNavigationPolicy(m_request, SubstituteData(), this, m_navigationType, NavigationPolicyCurrentTab, replacesCurrentHistoryItem(), isClientRedirect())) {
         m_fetcher->stopFetching();
         return;
     }
 
     ASSERT(timing().fetchStart());
     timing().addRedirect(redirectResponse.url(), requestURL);
     appendRedirect(requestURL);
     frameLoader()->receivedMainResourceRedirect(requestURL);
 }
 
@@ skipping 279 matching lines @@
     if (!shouldLoadEmpty)
         return false;
 
     if (m_request.url().isEmpty() && !frameLoader()->stateMachine()->creatingInitialEmptyDocument())
         m_request.setURL(blankURL());
     m_response = ResourceResponse(m_request.url(), "text/html", 0, nullAtom, String());
     finishedLoading(monotonicallyIncreasingTime());
     return true;
 }
 
-void DocumentLoader::startLoadingMainResource()
+void DocumentLoader::loadUnique()
+{
+    m_request = ResourceRequest(SecurityOrigin::urlWithUniqueSecurityOrigin());
+    m_response = ResourceResponse(m_request.url(), "text/html", 0, nullAtom, String());
+    finishedLoading(monotonicallyIncreasingTime());
+}
+
+void DocumentLoader::startLoadingMainResource(ContentSecurityPolicyDisposition cspDisposition)
 {
     timing().markNavigationStart();
     ASSERT(!m_mainResource);
     ASSERT(m_state == NotStarted);
     m_state = Provisional;
 
     if (maybeLoadEmpty())
         return;
 
     ASSERT(timing().navigationStart());
     ASSERT(!timing().fetchStart());
     timing().markFetchStart();
 
     DEFINE_STATIC_LOCAL(ResourceLoaderOptions, mainResourceLoadOptions,
         (DoNotBufferData, AllowStoredCredentials, ClientRequestedCredentials, CheckContentSecurityPolicy, DocumentContext));
     FetchRequest fetchRequest(m_request, FetchInitiatorTypeNames::document, mainResourceLoadOptions);
+    fetchRequest.setContentSecurityCheck(cspDisposition);
+
     m_mainResource = RawResource::fetchMainResource(fetchRequest, fetcher(), m_substituteData);
     if (!m_mainResource) {
-        m_request = ResourceRequest(blankURL());
-        maybeLoadEmpty();
+        loadUnique();

[Yoav Weiss, 2016/06/02 14:13:37]

What's the reason for this change?

[Mike West, 2016/06/02 14:25:45]

Blocking the response ought to leave us with a document that appears
cross-origin to its embedder. We do this in the status quo by calling
`m_frame->document()->enforceSandboxFlags(SandboxOrigin)` in
`FrameLoader::shouldContinueForNavigationPolicy`. Since we're now actually
committing a navigation when a page is blocked, enforcing sandbox flags in
FrameFetchContext wouldn't be effective (as there's no Document yet). The
original patch forced sandboxing flags onto the FrameLoader, but alexmos@
correctly noted that that was a terrible idea.

This approach changes DocumentLoader to commit a navigation to a URL we'll treat
as unique. This is the same thing we do for the XSS auditor and XFO, so this
just aligns blockage in general with that mechanism.

[Yoav Weiss, 2016/06/02 14:28:07]

OK, cool!

[alexmos, 2016/06/02 22:21:07]

Probably not for this CL, but I'm curious if we should also use loadUnique() in
cancelLoadAfterXFrameOptionsOrCSPDenied().  It probably doesn't matter much
though, since you're moving that to the browser process.

[Mike West, 2016/06/06 08:40:10]

Makes sense. I'll reevaluate that once we re-land XFO in the browser.

         return;
     }
     // A bunch of headers are set when the underlying ResourceLoader is created, and m_request needs to include those.
     // Even when using a cached resource, we may make some modification to the request, e.g. adding the referer header.
     m_request = mainResourceLoader() ? m_mainResource->resourceRequest() : fetchRequest.resourceRequest();
     m_mainResource->addClient(this);
 }
 
 void DocumentLoader::endWriting(DocumentWriter* writer)
 {
@@ skipping 42 matching lines @@
 {
     m_writer = createWriterFor(init, mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true, ForceSynchronousParsing);
     if (!source.isNull())
         m_writer->appendReplacingData(source);
     endWriting(m_writer.get());
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 } // namespace blink