Implement the `require-sri-for` CSP directive

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 13 matching lines @@
  */
 
 #include "core/frame/csp/ContentSecurityPolicy.h"
 
 #include "bindings/core/v8/ScriptController.h"
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/DOMStringList.h"
 #include "core/dom/Document.h"
 #include "core/dom/SandboxFlags.h"
 #include "core/events/SecurityPolicyViolationEvent.h"
+#include "core/fetch/IntegrityMetadata.h"
 #include "core/frame/FrameClient.h"
 #include "core/frame/LocalDOMWindow.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/UseCounter.h"
 #include "core/frame/csp/CSPDirectiveList.h"
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/CSPSourceList.h"
 #include "core/frame/csp/MediaListDirective.h"
 #include "core/frame/csp/SourceListDirective.h"
 #include "core/inspector/ConsoleMessage.h"
@@ skipping 51 matching lines @@
 // Mixed Content Directive
 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
 const char ContentSecurityPolicy::BlockAllMixedContent[] = "block-all-mixed-content";
 
 // https://w3c.github.io/webappsec/specs/upgrade/
 const char ContentSecurityPolicy::UpgradeInsecureRequests[] = "upgrade-insecure-requests";
 
 // https://mikewest.github.io/cors-rfc1918/#csp
 const char ContentSecurityPolicy::TreatAsPublicAddress[] = "treat-as-public-address";
 
+// https://w3c.github.io/webappsec-subresource-integrity/#require-sri-for
+const char ContentSecurityPolicy::RequireSRIFor[] = "require-sri-for";
+
 bool ContentSecurityPolicy::isDirectiveName(const String& name)
 {
     return (equalIgnoringCase(name, ConnectSrc)
         || equalIgnoringCase(name, DefaultSrc)
         || equalIgnoringCase(name, FontSrc)
         || equalIgnoringCase(name, FrameSrc)
         || equalIgnoringCase(name, ImgSrc)
         || equalIgnoringCase(name, MediaSrc)
         || equalIgnoringCase(name, ObjectSrc)
         || equalIgnoringCase(name, ReportURI)
         || equalIgnoringCase(name, Sandbox)
         || equalIgnoringCase(name, ScriptSrc)
         || equalIgnoringCase(name, StyleSrc)
         || equalIgnoringCase(name, BaseURI)
         || equalIgnoringCase(name, ChildSrc)
         || equalIgnoringCase(name, FormAction)
         || equalIgnoringCase(name, FrameAncestors)
         || equalIgnoringCase(name, PluginTypes)
         || equalIgnoringCase(name, ReflectedXSS)
         || equalIgnoringCase(name, Referrer)
         || equalIgnoringCase(name, ManifestSrc)
         || equalIgnoringCase(name, BlockAllMixedContent)
         || equalIgnoringCase(name, UpgradeInsecureRequests)
-        || equalIgnoringCase(name, TreatAsPublicAddress));
+        || equalIgnoringCase(name, TreatAsPublicAddress)
+        || equalIgnoringCase(name, RequireSRIFor));
 }
 
 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type)
 {
     switch (type) {
     case ContentSecurityPolicyHeaderTypeEnforce:
         return UseCounter::ContentSecurityPolicy;
     case ContentSecurityPolicyHeaderTypeReport:
         return UseCounter::ContentSecurityPolicyReportOnly;
     }
@@ skipping 414 matching lines @@
 bool ContentSecurityPolicy::allowScriptWithHash(const String& source, InlineType type) const
 {
     return checkDigest<&CSPDirectiveList::allowScriptHash>(source, type, m_scriptHashAlgorithmsUsed, m_policies);
 }
 
 bool ContentSecurityPolicy::allowStyleWithHash(const String& source, InlineType type) const
 {
     return checkDigest<&CSPDirectiveList::allowStyleHash>(source, type, m_styleHashAlgorithmsUsed, m_policies);
 }
 
-bool ContentSecurityPolicy::allowRequest(WebURLRequest::RequestContext context, const KURL& url, const String& nonce, RedirectStatus redirectStatus, ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::checkIntegrityMetadataPresence(WebURLRequest::RequestContext context, const KURL& url, const IntegrityMetadataSet& integrityMetedata, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+    for (const auto& policy : m_policies) {
+        if (!policy->allowRequestWithoutMetadata(context, url, integrityMetedata, reportingStatus))

[Mike West, 2016/06/10 09:25:15]

I don't understand the naming choices here. Why is is named one thing on
ContentSecurityPolicy and another on CSPDirectiveList? I think it makes sense to
name both `allowRequestWithoutIntegrity`, and only to call in if the
IntegrityMetadataSet is empty. See the comments in `::allowRequest`.

WDYT?

[Sergey Shekyan, 2016/06/20 07:12:00]

totally agree. Much clearer.

+            return false;
+    }
+    return true;
+}
+
+bool ContentSecurityPolicy::allowRequest(WebURLRequest::RequestContext context, const KURL& url, const String& nonce, const IntegrityMetadataSet& integrityMetedata, RedirectStatus redirectStatus, ReportingStatus reportingStatus) const

[Mike West, 2016/06/10 09:25:15]

Nit: s/Metedata/Metadata/

[Sergey Shekyan, 2016/06/20 07:12:00]

Acknowledged.

 {
     switch (context) {

[Mike West, 2016/06/10 09:25:15]

Rather than calling `checkIntegrityMetadataPresence` inline with the call to
`allowWhateverFromSource`, it might make things clearer to do something like the
following right at the top:

```
if (integrityMetadata.isEmpty() && !allowRequestWithoutIntegrity(context, url,
redirectStatus, reportingStatus))
    return false;
```

[Sergey Shekyan, 2016/06/20 07:12:00]

Acknowledged.

     case WebURLRequest::RequestContextAudio:
     case WebURLRequest::RequestContextTrack:
     case WebURLRequest::RequestContextVideo:
         return allowMediaFromSource(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextBeacon:
     case WebURLRequest::RequestContextEventSource:
     case WebURLRequest::RequestContextFetch:
     case WebURLRequest::RequestContextXMLHttpRequest:
         return allowConnectToSource(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextEmbed:
     case WebURLRequest::RequestContextObject:
         return allowObjectFromSource(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextFavicon:
     case WebURLRequest::RequestContextImage:
     case WebURLRequest::RequestContextImageSet:
         return allowImageFromSource(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextFont:
         return allowFontFromSource(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextForm:
         return allowFormAction(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextFrame:
     case WebURLRequest::RequestContextIframe:
         return allowChildFrameFromSource(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextImport:
     case WebURLRequest::RequestContextScript:
+        return checkIntegrityMetadataPresence(WebURLRequest::RequestContextScript, url, integrityMetedata, reportingStatus)
+            && allowScriptFromSource(url, nonce, redirectStatus, reportingStatus);

[Mike West, 2016/06/10 09:25:15]

Please add tests for the kinds of script creation that SRI doesn't yet support.
I'm thinking specifically of https://twitter.com/Qab/status/741077446179618816
and imports, but please feel free to be creative. :)

     case WebURLRequest::RequestContextXSLT:
         return allowScriptFromSource(url, nonce, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextManifest:
         return allowManifestFromSource(url, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextServiceWorker:
     case WebURLRequest::RequestContextSharedWorker:
     case WebURLRequest::RequestContextWorker:
         return allowWorkerContextFromSource(url, redirectStatus, reportingStatus);

[Mike West, 2016/06/10 09:25:15]

Here too, along with layout tests for worker creation.

     case WebURLRequest::RequestContextStyle:
-        return allowStyleFromSource(url, nonce, redirectStatus, reportingStatus);
+        return checkIntegrityMetadataPresence(WebURLRequest::RequestContextStyle, url, integrityMetedata, reportingStatus)
+            && allowStyleFromSource(url, nonce, redirectStatus, reportingStatus);
     case WebURLRequest::RequestContextCSPReport:
     case WebURLRequest::RequestContextDownload:
     case WebURLRequest::RequestContextHyperlink:
     case WebURLRequest::RequestContextInternal:
     case WebURLRequest::RequestContextLocation:
     case WebURLRequest::RequestContextPing:
     case WebURLRequest::RequestContextPlugin:
     case WebURLRequest::RequestContextPrefetch:
     case WebURLRequest::RequestContextSubresource:
     case WebURLRequest::RequestContextUnspecified:
@@ skipping 378 matching lines @@
 void ContentSecurityPolicy::reportInvalidSandboxFlags(const String& invalidFlags)
 {
     logToConsole("Error while parsing the 'sandbox' Content Security Policy directive: " + invalidFlags);
 }
 
 void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue)
 {
     logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"allow\", \"filter\", and \"block\".");
 }
 
+void ContentSecurityPolicy::reportInvalidRequireSRIForTokens(const String& invalidTokens)
+{
+    logToConsole("Error while parsing the 'require-sri-for' Content Security Policy directive: " + invalidTokens);
+}
+
 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value)
 {
     String message = "The value for Content Security Policy directive '" + directiveName + "' contains an invalid character: '" + value + "'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.";
     logToConsole(message);
 }
 
 void ContentSecurityPolicy::reportInvalidPathCharacter(const String& directiveName, const String& value, const char invalidChar)
 {
     ASSERT(invalidChar == '#' || invalidChar == '?');
 
@@ skipping 87 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink