UMA data collector for cross-site documents(XSD)

content/child/site_isolation_policy.cc

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/child/site_isolation_policy.h"
+
+#include "base/basictypes.h"
+#include "base/logging.h"
+#include "base/metrics/histogram.h"
+#include "base/strings/string_util.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
+#include "net/http/http_response_headers.h"
+#include "third_party/WebKit/public/platform/WebHTTPHeaderVisitor.h"
+#include "third_party/WebKit/public/platform/WebString.h"
+#include "third_party/WebKit/public/platform/WebURL.h"
+#include "third_party/WebKit/public/platform/WebURLRequest.h"
+#include "third_party/WebKit/public/platform/WebURLResponse.h"
+#include "third_party/WebKit/public/web/WebDocument.h"
+#include "third_party/WebKit/public/web/WebFrame.h"
+#include "third_party/WebKit/public/web/WebFrameClient.h"
+#include "third_party/WebKit/public/web/WebSecurityOrigin.h"
+#include "third_party/WebKit/public/web/WebView.h"
+
+using WebKit::WebDocument;
+using WebKit::WebString;
+using WebKit::WebURL;
+using WebKit::WebURLResponse;
+using WebKit::WebURLRequest;
+
+namespace content {
+
+namespace {
+
+// MIME types
+const char kTextHtml[] = "text/html";
+const char kTextXml[] = "text/xml";
+const char xAppRssXml[] = "application/rss+xml";
+const char kAppXml[] = "application/xml";
+const char kAppJson[] = "application/json";
+const char kTextJson[] = "text/json";
+const char kTextXjson[] = "text/x-json";
+const char kTextPlain[] = "text/plain";
+
+}  // anonymous namespace
+
+SiteIsolationPolicy::SiteIsolationPolicy(
+    webkit_glue::ResourceLoaderBridge::Peer* original_peer,
+    WebKit::WebString& frame_origin,
+    GURL& request_url,
+    int request_id,
+    ResourceType::Type resource_type)
+    : original_peer_(original_peer),
+      frame_origin_(frame_origin),
+      request_url_(request_url),
+      request_id_(request_id),
+      resource_type_(resource_type),
+      state_(INIT),
+      cross_site_document_header_(false),
+      confirmed_safe_(false) {
+  // TODO(dsjang): when SiteIsoloation is fully deployed in the browser process,
+  // |frame_origin| will be given from a trusted module.
+}
+
+void SiteIsolationPolicy::OnUploadProgress(uint64 position, uint64 size) {
+  original_peer_->OnUploadProgress(position, size);
+}
+
+void SiteIsolationPolicy::OnDownloadedData(int len) {
+  return original_peer_->OnDownloadedData(len);
+}
+
+void SiteIsolationPolicy::OnReceivedCachedMetadata(const char* data, int len) {
+  return original_peer_->OnReceivedCachedMetadata(data, len);
+}
+
+void SiteIsolationPolicy::OnCompletedRequest(
+    int error_code,
+    bool was_ignored_by_handler,
+    const std::string& security_info,
+    const base::TimeTicks& completion_time) {
+  state_ = COMPLETED;
+  original_peer_->OnCompletedRequest(
+      error_code, was_ignored_by_handler, security_info, completion_time);
+}
+
+bool SiteIsolationPolicy::OnReceivedRedirect(
+    const GURL& new_url,
+    const webkit_glue::ResourceResponseInfo& info,
+    bool* has_new_first_party_for_cookies,
+    GURL* new_first_party_for_cookies) {
+  DCHECK_EQ(state_, INIT);
+  request_url_ = new_url;
+  return original_peer_->OnReceivedRedirect(new_url,
+                                            info,
+                                            has_new_first_party_for_cookies,
+                                            new_first_party_for_cookies);
+}
+
+void SiteIsolationPolicy::OnReceivedResponse(
+    const webkit_glue::ResourceResponseInfo& info) {
+  DCHECK_EQ(state_, INIT);
+  state_ = RESPONSE_RECEIVED;
+
+  UMA_HISTOGRAM_COUNTS("SiteIsolation.AllResponses", 1);
+
+  original_peer_->OnReceivedResponse(info);
+
+  // See if this is for navigation. If it is, don't block it, under the
+  // assumption that we will put it in an appropriate process.
+  if (ResourceType::IsFrame(resource_type_))
+    return;
+
+  if (!IsBlockableScheme(request_url_))
+    return;
+
+  if (IsSameSite(frame_origin_, request_url_))
+    return;
+
+  SiteIsolationPolicy::CanonicalMimeType canonical_mime_type =
+      GetCanonicalMimeType(info.mime_type);
+
+  if (canonical_mime_type == SiteIsolationPolicy::Others)
+    return;
+
+  // Every CORS request should have the Access-Control-Allow-Origin header even
+  // if it is preceded by a pre-flight request. Therefore, if this is a CORS
+  // request, it has this header.  response.httpHeaderField() internally uses
+  // case-insensitive matching for the header name.
+  std::string access_control_origin;
+
+  // We can use a case-insensitive header name for EnumerateHeader().
+  info.headers->EnumerateHeader(
+      NULL, "access-control-allow-origin", &access_control_origin);
+  if (IsValidCorsHeaderSet(frame_origin_, request_url_, access_control_origin))
+    return;
+
+  // Real XSD data collection starts from here.
+  std::string no_sniff;
+  info.headers->EnumerateHeader(NULL, "x-content-type-options", &no_sniff);
+
+  canonical_mime_type_ = canonical_mime_type;
+  http_status_code_ = info.headers->response_code();
+  no_sniff_ = LowerCaseEqualsASCII(no_sniff, "nosniff");
+
+  cross_site_document_header_ = true;
+}
+
+// These macros are defined here so that we prevent code size bloat-up due to
+// the UMA_HISTOGRAM_* macros. Similar logic is used for recording UMA stats for
+// different MIME types, but we cannot create a helper function for this since
+// UMA_HISTOGRAM_* macros do not accept variables as their bucket names. As a
+// solution, macros are used instead to capture the repeated pattern for
+// recording UMA stats.  TODO(dsjang): this is only needed for collecting UMA
+// stat. Will be deleted when this class is used for actual blocking.
+
+#define SITE_ISOLATION_POLICY_COUNT_BLOCK(BUCKET_PREFIX) \
+    UMA_HISTOGRAM_COUNTS( BUCKET_PREFIX ".Blocked", 1); \
+    if (renderable_status_code) { \
+      UMA_HISTOGRAM_ENUMERATION( \
+          BUCKET_PREFIX ".Blocked.RenderableStatusCode", \
+          resource_type_, \
+          ResourceType::LAST_TYPE + 1); \
+    } else { \
+      UMA_HISTOGRAM_COUNTS(BUCKET_PREFIX ".Blocked.NonRenderableStatusCode",1);\
+    }
+
+#define SITE_ISOLATION_POLICY_COUNT_NO_SNIFF_BLOCK(BUCKET_PREFIX) \
+    UMA_HISTOGRAM_COUNTS( BUCKET_PREFIX ".NoSniffBlocked", 1); \
+    if (renderable_status_code) { \
+      UMA_HISTOGRAM_ENUMERATION( \
+          BUCKET_PREFIX ".NoSniffBlocked.RenderableStatusCode", \
+        resource_type_, \
+        ResourceType::LAST_TYPE + 1); \
+    } else { \
+      UMA_HISTOGRAM_ENUMERATION( \
+          BUCKET_PREFIX ".NoSniffBlocked.NonRenderableStatusCode", \
+        resource_type_, \
+        ResourceType::LAST_TYPE + 1); \
+    }
+
+#define SITE_ISOLATION_POLICY_COUNT_NOTBLOCK(BUCKET_PREFIX) \
+    UMA_HISTOGRAM_COUNTS(BUCKET_PREFIX ".NotBlocked", 1); \
+    if (is_sniffed_for_js) \
+      UMA_HISTOGRAM_COUNTS(BUCKET_PREFIX ".NotBlocked.MaybeJS", 1); \
+
+#define SITE_ISOLATION_POLICY_SNIFF_AND_COUNT(SNIFF_EXPR,BUCKET_PREFIX) \
+  if (SNIFF_EXPR) { \
+    SITE_ISOLATION_POLICY_COUNT_BLOCK(BUCKET_PREFIX) \
+  } else { \
+    if (no_sniff_) { \
+      SITE_ISOLATION_POLICY_COUNT_NO_SNIFF_BLOCK(BUCKET_PREFIX) \
+    } else { \
+      SITE_ISOLATION_POLICY_COUNT_NOTBLOCK(BUCKET_PREFIX) \
+    } \
+  }
+
+void SiteIsolationPolicy::OnReceivedData(const char* data,
+                                         int length,
+                                         int encoded_data_length) {
+  DCHECK(state_ == RESPONSE_RECEIVED || state_ == DATA_RECEIVED);
+
+  // The first packet has already been examined.
+  if (state_ == DATA_RECEIVED) {
+    if (!cross_site_document_header_ || confirmed_safe_)
+      original_peer_->OnReceivedData(data, length, encoded_data_length);
+    return;
+  }
+
+  state_ = DATA_RECEIVED;
+
+  // TODO(dsjang): we do not block any response data now. If this is set to
+  // false by any sniffing logic below, it will block all the following response
+  // data to this request.
+  confirmed_safe_ = true;
+
+  if (cross_site_document_header_) {
+    // Record the length of the first received network packet to see if it's
+    // enough for sniffing.
+    UMA_HISTOGRAM_COUNTS("SiteIsolation.XSD.DataLength", length);
+
+    // Record the number of cross-site document responses with a specific mime
+    // type (text/html, text/xml, etc).
+    UMA_HISTOGRAM_ENUMERATION(
+        "SiteIsolation.XSD.MimeType",
+        canonical_mime_type_,
+        MaxCanonicalMimeType);
+
+    // The content is blocked if it is sniffed for HTML/JSON/XML. When the
+    // blocked response is with an error status code, it is not disruptive by
+    // the following reasons : 1) the blocked content is not a binary object
+    // (such as an image) since it is sniffed for text; 2) then, this blocking
+    // only breaks the renderer behavior only if it is either JavaScript or
+    // CSS. However, the renderer doesn't use the contents of JS/CSS with
+    // unaffected status code (e.g, 404). 3) the renderer is expected not to use
+    // the cross-site document content for purposes other than JS/CSS (e.g,
+    // XHR).
+    bool renderable_status_code =
+        IsRenderableStatusCodeForDocument(http_status_code_);
+
+    // This is only used for false-negative analysis for non-blocked resources.
+    bool is_sniffed_for_js = SniffForJS(data, length);
+
+    // Record the number of responses whose content is sniffed for what its mime
+    // type claims it to be. For example, we apply a HTML sniffer for a document
+    // tagged with text/html here. Whenever this check becomes true, we'll block
+    // the response.
+    switch (canonical_mime_type_) {
+      case SiteIsolationPolicy::HTML:
+        SITE_ISOLATION_POLICY_SNIFF_AND_COUNT(SniffForHTML(data, length),
+                                              "SiteIsolation.XSD.HTML");
+        break;
+      case SiteIsolationPolicy::XML:
+        SITE_ISOLATION_POLICY_SNIFF_AND_COUNT(SniffForXML(data, length),
+                                              "SiteIsolation.XSD.XML");
+        break;
+      case SiteIsolationPolicy::JSON:
+        SITE_ISOLATION_POLICY_SNIFF_AND_COUNT(SniffForJSON(data, length),
+                                              "SiteIsolation.XSD.JSON");
+        break;
+      case SiteIsolationPolicy::Plain:
+        if (SniffForHTML(data, length)) {
+          SITE_ISOLATION_POLICY_COUNT_BLOCK("SiteIsolation.XSD.Plain.HTML");
+        } else if (SniffForXML(data, length)) {
+          SITE_ISOLATION_POLICY_COUNT_BLOCK("SiteIsolation.XSD.Plain.XML");
+        } else if (SniffForJSON(data, length)) {
+          SITE_ISOLATION_POLICY_COUNT_BLOCK("SiteIsolation.XSD.Plain.JSON");
+        } else if (is_sniffed_for_js) {
+          if (no_sniff_) {
+            SITE_ISOLATION_POLICY_COUNT_NO_SNIFF_BLOCK(
+                "SiteIsolation.XSD.Plain");
+          } else {
+            SITE_ISOLATION_POLICY_COUNT_NOTBLOCK("SiteIsolation.XSD.Plain");
+          }
+        }
+        break;
+      default:
+        NOTREACHED() << "Not a blockable mime type. This mime type shouldn't "
+                        "reach here.";
+        break;
+    }
+    original_peer_->OnReceivedData(data, length, encoded_data_length);
+  } else
+    original_peer_->OnReceivedData(data, length, encoded_data_length);
+}
+
+#undef SITE_ISOLATION_POLICY_COUNT_NOTBLOCK
+#undef SITE_ISOLATION_POLICY_SNIFF_AND_COUNT
+#undef SITE_ISOLATION_POLICY_COUNT_BLOCK
+
+SiteIsolationPolicy::CanonicalMimeType
+SiteIsolationPolicy::GetCanonicalMimeType(const std::string& mime_type) {
+  if (LowerCaseEqualsASCII(mime_type, kTextHtml)) {
+    return SiteIsolationPolicy::HTML;
+  }
+
+  if (LowerCaseEqualsASCII(mime_type, kTextPlain)) {
+    return SiteIsolationPolicy::Plain;
+  }
+
+  if (LowerCaseEqualsASCII(mime_type, kAppJson) ||
+      LowerCaseEqualsASCII(mime_type, kTextJson) ||
+      LowerCaseEqualsASCII(mime_type, kTextXjson)) {
+    return SiteIsolationPolicy::JSON;
+  }
+
+  if (LowerCaseEqualsASCII(mime_type, kTextXml) ||
+      LowerCaseEqualsASCII(mime_type, xAppRssXml) ||
+      LowerCaseEqualsASCII(mime_type, kAppXml)) {
+    return SiteIsolationPolicy::XML;
+  }
+
+ return SiteIsolationPolicy::Others;
+
+}
+
+WebKit::WebFrame* SiteIsolationPolicy::FindFrame(
+    WebKit::WebFrame* frame,
+    int frame_id) {
+  if (frame->identifier() == frame_id)
+    return frame;
+
+  WebKit::WebFrame* next = frame->traverseNext(false);
+  while (next) {
+    if (next->identifier() == frame_id)
+      return next;
+    next = frame->traverseNext(false);
+  }
+  NOTREACHED();
+  return NULL;
+}
+
+
+bool SiteIsolationPolicy::IsBlockableScheme(const GURL& url) {
+  // We exclude ftp:// from here. FTP doesn't provide a Content-Type
+  // header which our policy depends on, so we cannot protect any
+  // document from FTP servers.
+  return url.SchemeIs("http") || url.SchemeIs("https");
+}
+
+bool SiteIsolationPolicy::IsSameSite(const GURL& frame_origin,
+                                     const GURL& response_url) {
+
+  if (!frame_origin.is_valid() || !response_url.is_valid())
+    return false;
+
+  if (frame_origin.scheme() != response_url.scheme())
+    return false;
+
+  // SameDomainOrHost() extracts the effective domains (public suffix plus one)
+  // from the two URLs and compare them.
+  // TODO(dsjang): use INCLUDE_PRIVATE_REGISTRIES when http://crbug.com/7988 is
+  // fixed.
+  return net::registry_controlled_domains::SameDomainOrHost(
+      frame_origin,
+      response_url,
+      net::registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
+}
+
+// We don't use Webkit's existing CORS policy implementation since
+// their policy works in terms of origins, not sites. For example,
+// when frame is sub.a.com and it is not allowed to access a document
+// with sub1.a.com. But under Site Isolation, it's allowed.
+bool SiteIsolationPolicy::IsValidCorsHeaderSet(
+    GURL& frame_origin,
+    GURL& website_origin,
+    std::string access_control_origin) {
+  // Many websites are sending back "\"*\"" instead of "*". This is
+  // non-standard practice, and not supported by Chrome. Refer to
+  // CrossOriginAccessControl::passesAccessControlCheck().
+
+  // TODO(dsjang): * is not allowed for the response from a request
+  // with cookies. This allows for more than what the renderer will
+  // eventually be able to receive, so we won't see illegal cross-site
+  // documents allowed by this. We have to find a way to see if this
+  // response is from a cookie-tagged request or not in the future.
+  if (access_control_origin == "*")
+    return true;
+
+  // TODO(dsjang): The CORS spec only treats a fully specified URL, except for
+  // "*", but many websites are using just a domain for access_control_origin,
+  // and this is blocked by Webkit's CORS logic here :
+  // CrossOriginAccessControl::passesAccessControlCheck(). GURL is set
+  // is_valid() to false when it is created from a URL containing * in the
+  // domain part.
+
+  GURL cors_origin(access_control_origin);
+  return IsSameSite(frame_origin, cors_origin);
+}
+
+// This function is a slight modification of |net::SniffForHTML|.
+bool SiteIsolationPolicy::SniffForHTML(const char* data, size_t length) {
+  // The content sniffer used by Chrome and Firefox are using "<!--"
+  // as one of the HTML signatures, but it also appears in valid
+  // JavaScript, considered as well-formed JS by the browser.  Since
+  // we do not want to block any JS, we exclude it from our HTML
+  // signatures. This can weaken our document block policy, but we can
+  // break less websites.
+  // TODO(dsjang): parameterize |net::SniffForHTML| with an option
+  // that decides whether to include <!-- or not, so that we can
+  // remove this function.
+  const char* html_signatures[] = {"<!DOCTYPE html",  // HTML5 spec
+                                   "<script",         // HTML5 spec, Mozilla
+                                   "<html",           // HTML5 spec, Mozilla
+                                   "<head",           // HTML5 spec, Mozilla
+                                   "<iframe",         // Mozilla
+                                   "<h1",             // Mozilla
+                                   "<div",            // Mozilla
+                                   "<font",           // Mozilla
+                                   "<table",          // Mozilla
+                                   "<a",              // Mozilla
+                                   "<style",          // Mozilla
+                                   "<title",          // Mozilla
+                                   "<b",              // Mozilla
+                                   "<body",           // Mozilla
+                                   "<br", "<p"        // Mozilla
+  };
+
+  if (MatchesSignature(
+          data, length, html_signatures, arraysize(html_signatures)))
+    return true;
+
+  // "<!--" is specially treated since web JS can use "<!--" "-->" pair for
+  // comments.
+  const char* comment_begins[] = {"<!--" };
+
+  if (MatchesSignature(
+          data, length, comment_begins, arraysize(comment_begins))) {
+    // Search for --> and do SniffForHTML after that. If we can find the
+    // comment's end, we start HTML sniffing from there again.
+    const char end_comment[] = "-->";
+    const size_t end_comment_size = strlen(end_comment);
+
+    for (size_t i = 0; i <= length - end_comment_size; ++i) {
+      if (!strncmp(data + i, end_comment, end_comment_size)) {
+        size_t skipped = i + end_comment_size;
+        return SniffForHTML(data + skipped, length - skipped);
+      }
+    }
+  }
+
+  return false;
+}
+
+bool SiteIsolationPolicy::SniffForXML(const char* data, size_t length) {
+  // TODO(dsjang): Chrome's mime_sniffer is using strncasecmp() for
+  // this signature. However, XML is case-sensitive. Don't we have to
+  // be more lenient only to block documents starting with the exact
+  // string <?xml rather than <?XML ?
+  const char* xml_signatures[] = {"<?xml"  // Mozilla
+  };
+  return MatchesSignature(
+      data, length, xml_signatures, arraysize(xml_signatures));
+}
+
+bool SiteIsolationPolicy::SniffForJSON(const char* data, size_t length) {
+  // TODO(dsjang): We have to come up with a better way to sniff
+  // JSON. However, even RE cannot help us that much due to the fact
+  // that we don't do full parsing.  This DFA starts with state 0, and
+  // finds {, "/' and : in that order. We're avoiding adding a
+  // dependency on a regular expression library.
+  const int kInitState = 0;
+  const int kLeftBraceState = 1;
+  const int kLeftQuoteState = 2;
+  const int kColonState = 3;
+  const int kDeadState = 4;
+
+  int state = kInitState;
+  for (size_t i = 0; i < length && state < kColonState; ++i) {
+    const char c = data[i];
+    if (c == ' ' || c == '\t' || c == '\r' || c == '\n')
+      continue;
+
+    switch (state) {
+      case kInitState:
+        if (c == '{')
+          state = kLeftBraceState;
+        else
+          state = kDeadState;
+        break;
+      case kLeftBraceState:
+        if (c == '\"' || c == '\'')
+          state = kLeftQuoteState;
+        else
+          state = kDeadState;
+        break;
+      case kLeftQuoteState:
+        if (c == ':')
+          state = kColonState;
+        break;
+      default:
+        NOTREACHED();
+        break;
+    }
+  }
+  return state == kColonState;
+}
+
+bool SiteIsolationPolicy::MatchesSignature(const char* raw_data,
+                                           size_t raw_length,
+                                           const char* signatures[],
+                                           size_t arr_size) {
+  size_t start = 0;
+  // Skip white characters at the beginning of the document.
+  for (start = 0; start < raw_length; ++start) {
+    char c = raw_data[start];
+    if (!(c == ' ' || c == '\t' || c == '\r' || c == '\n'))
+      break;
+  }
+
+  // There is no not-whitespace character in this document.
+  if (!(start < raw_length))
+    return false;
+
+  const char* data = raw_data + start;
+  size_t length = raw_length - start;
+
+  for (size_t sig_index = 0; sig_index < arr_size; ++sig_index) {
+    const char* signature = signatures[sig_index];
+    size_t signature_length = strlen(signature);
+
+    if (length < signature_length)
+      continue;
+
+    if (!base::strncasecmp(signature, data, signature_length))
+      return true;
+  }
+  return false;
+}
+
+bool SiteIsolationPolicy::IsRenderableStatusCodeForDocument(int status_code) {
+  // Chrome only uses the content of a response with one of these status codes
+  // for CSS/JavaScript. For images, Chrome just ignores status code.
+  const int renderable_status_code[] = {200, 201, 202, 203, 206, 300, 301, 302,
+                                        303, 305, 306, 307};
+  for (size_t i = 0; i < arraysize(renderable_status_code); ++i) {
+    if (renderable_status_code[i] == status_code)
+      return true;
+  }
+  return false;
+}
+
+bool SiteIsolationPolicy::SniffForJS(const char* data, size_t length) {
+  // TODO(dsjang): This is a real hack. The only purpose of this function is to
+  // try to see if there's any possibility that this data can be JavaScript
+  // (superset of JS). This function will be removed once UMA stats are
+  // gathered.
+
+  // Search for "var " for JS detection.
+  for (size_t i = 0; i < length - 3; ++i) {
+    if (strncmp(data + i, "var ", 4) == 0)
+      return true;
+  }
+  return false;
+}
+
+}  // namespace content