Forward CSP violation reporting from RenderFrameProxy to RenderFrameImpl.

content/browser/frame_host/render_frame_proxy_host.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_proxy_host.h"
 
 #include <utility>
 
 #include "base/lazy_instance.h"
 #include "content/browser/bad_message.h"
@@ skipping 117 matching lines @@
 
 bool RenderFrameProxyHost::OnMessageReceived(const IPC::Message& msg) {
   if (cross_process_frame_connector_.get() &&
       cross_process_frame_connector_->OnMessageReceived(msg))
     return true;
 
   bool handled = true;
   IPC_BEGIN_MESSAGE_MAP(RenderFrameProxyHost, msg)
     IPC_MESSAGE_HANDLER(FrameHostMsg_Detach, OnDetach)
     IPC_MESSAGE_HANDLER(FrameHostMsg_OpenURL, OnOpenURL)
+    IPC_MESSAGE_HANDLER(FrameHostMsg_ForwardContentSecurityPolicyViolation,
+                        OnForwardContentSecurityPolicyViolation)
     IPC_MESSAGE_HANDLER(FrameHostMsg_RouteMessageEvent, OnRouteMessageEvent)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeOpener, OnDidChangeOpener)
     IPC_MESSAGE_HANDLER(FrameHostMsg_AdvanceFocus, OnAdvanceFocus)
     IPC_MESSAGE_HANDLER(FrameHostMsg_FrameFocused, OnFrameFocused)
     IPC_MESSAGE_UNHANDLED(handled = false)
   IPC_END_MESSAGE_MAP()
   return handled;
 }
 
 bool RenderFrameProxyHost::InitRenderFrameProxy() {
@@ skipping 113 matching lines @@
 
   // TODO(alexmos, creis): Figure out whether |params.user_gesture| needs to be
   // passed in as well.
   frame_tree_node_->navigator()->RequestTransferURL(
       current_rfh, validated_url, site_instance_.get(), std::vector<GURL>(),
       params.referrer, ui::PAGE_TRANSITION_LINK, GlobalRequestID(),
       params.should_replace_current_entry, params.uses_post ? "POST" : "GET",
       params.resource_request_body);
 }
 
+bool RenderFrameProxyHost::CanForwardViolationToCurrentDocument(
+    const url::Origin& origin_declaring_violated_csp,
+    const std::string& violated_csp_header) {
+  RenderFrameHostImpl* current_rfh = frame_tree_node_->current_frame_host();
+  if (!origin_declaring_violated_csp.IsSameOriginWith(
+          current_rfh->GetLastCommittedOrigin())) {
+    return false;
+  }
+
+  if (!current_rfh->frame_tree_node()->ContainsContentSecurityPolicyHeader(
+          violated_csp_header)) {
+    return false;
+  }
+
+  return true;
+}
+
+// TODO(lukasza): http://crbug.com/376522: Forwarding should not be needed once
+// processing of frame-src, plugin-types and similar CSP directives is done in
+// the browser process.
+void RenderFrameProxyHost::OnForwardContentSecurityPolicyViolation(
+    const url::Origin& origin_declaring_violated_csp,
+    const ContentSecurityPolicyViolation& violation) {
+  // Try to verify that the CSP violation will be reported in the same document
+  // as the one that declared the violated CSP (i.e. that navigation of
+  // |current_rfh| didn't win a race with ForwardContentSecurityPolicyViolation
+  // IPC message).
+  //
+  // The checks made by CanForwardViolationToCurrentDocument are not 100%
+  // accurate, but a mistake should be safe to make until we can get rid of
+  // forwarding as part of moving CSP processing to the browser process
+  // (http://crbug.com/376522).  The mistake should be safe, because:
+  // 1. We check that we don't disclose information cross-origin.
+  // 2. |violation.report_endpoints| works from any document of the right origin
+  // 3. It should be fine to write a console message as long as it reaches the
+  //    console associated with the frame that used to host the document
+  //    declaring the violated CSP.
+  // 4. In case of a race, an incorrect "securitypolicyviolation" event can be
+  //    raised but this should be mitigated by:
+  //    - low likelyhood of this happening (repro requires 1) different document
+  //      from the same origin, 2) with the same csp header present, 3)
+  //      navigated in a racey way with the csp check [e.g. navigating parent
+  //      frame while checking child frame doesn't have the race - the child
+  //      RFPH will be torn down before the violation-forwarding-ipc reaches
+  //      it]).
+  //    - low likelyhood of adverse effects (a page is unlikely to change its
+  //      core behavior in response to a csp violation event)
+  if (!CanForwardViolationToCurrentDocument(origin_declaring_violated_csp,
+                                            violation.header)) {
+    return;
+  }
+
+  // Forward CSP violation report to the frame that declared the CSP.
+  RenderFrameHostImpl* current_rfh = frame_tree_node_->current_frame_host();
+  current_rfh->Send(new FrameMsg_ReportContentSecurityPolicyViolation(
+      current_rfh->GetRoutingID(), violation));
+}
+
 void RenderFrameProxyHost::OnRouteMessageEvent(
     const FrameMsg_PostMessage_Params& params) {
   RenderFrameHostImpl* target_rfh = frame_tree_node()->current_frame_host();
 
   // Only deliver the message if the request came from a RenderFrameHost in the
   // same BrowsingInstance or if this WebContents is dedicated to a browser
   // plugin guest.
   //
   // TODO(alexmos, lazyboy):  The check for browser plugin guest currently
   // requires going through the delegate.  It should be refactored and
@@ skipping 88 matching lines @@
   target_rfh->Send(new FrameMsg_AdvanceFocus(target_rfh->GetRoutingID(), type,
                                              source_proxy_routing_id));
 }
 
 void RenderFrameProxyHost::OnFrameFocused() {
   frame_tree_node_->current_frame_host()->delegate()->SetFocusedFrame(
       frame_tree_node_, GetSiteInstance());
 }
 
 }  // namespace content