Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 293 matching lines @@
     ContentSecurityPolicyHeaderType type,
     ContentSecurityPolicyHeaderSource source) {
   addAndReportPolicyFromHeaderValue(header, type, source);
 
   // This might be called after we've been bound to an execution context. For
   // example, a <meta> element might be injected after page load.
   if (m_executionContext)
     applyPolicySideEffectsToExecutionContext();
 }
 
+bool ContentSecurityPolicy::checkAllowBlanketEnforcement(
+    const ResourceResponse& response,
+    const KURL& parentUrl) {
+  if (response.url().isEmpty() || response.url().protocolIsAbout() ||
+      response.url().protocolIsAbout() || response.url().protocolIs("blob") ||

[Mike West, 2016/10/13 11:01:42]

Nit: One of these `protocolIsAbout` should probably be `protocolIsData`.

+      response.url().protocolIs("filesystem")) {
+    return true;
+  }
+
+  if (parentUrl.protocol() == response.url().protocol() &&
+      parentUrl.host() == response.url().host() &&
+      parentUrl.port() == response.url().port()) {
+    return true;
+  }

[Mike West, 2016/10/13 11:01:42]

If you pass in an origin, you can change this to
`parentOrigin->canAccess(SecurityOrigin::create(childURL))`.

+
+  HTTPHeaderMap::const_iterator it =
+      response.httpHeaderFields().find(HTTPNames::Allow_CSP_From);
+
+  String header =
+      it != response.httpHeaderFields().end() ? it->value : nullAtom;

[Mike West, 2016/10/13 11:01:42]

You can simplify this check down to something like `String header =
response.httpHeaderField(HTTPNames::Allow_CSP_From)`;

+
+  if (header.isEmpty() || !header.containsOnlyASCII())
+    return false;
+
+  Vector<String> headers;
+  header.split(',', headers);

[Mike West, 2016/10/13 11:01:42]

I think we probably don't want to look at all the headers. Let's just grab the
first one. Would you mind filing a bug against the spec to make sure we record
that change?

+  for (size_t i = 0; i < headers.size(); i++) {
+    String currentHeader = headers[i].stripWhiteSpace();
+    if (equalIgnoringCase(currentHeader, "*")) {

[Mike West, 2016/10/13 11:01:42]

No need for case-folding here: `*` is not a cased character.

+      return true;
+    }
+    const KURL allowed(ParsedURLString, currentHeader);
+    if (allowed.isValid() && parentUrl.protocol() == allowed.protocol() &&
+        parentUrl.host() == allowed.host() &&
+        parentUrl.port() == allowed.port()) {
+      return true;
+    }

[Mike West, 2016/10/13 11:01:42]

This should also be an origin check. That is,
`parentOrigin->canAccess(SecurityOrigin::createFromString(currentHeader)` (which
does the URL parsing internally).

+  }
+
+  return false;
+}
+
 void ContentSecurityPolicy::addPolicyFromHeaderValue(
     const String& header,
     ContentSecurityPolicyHeaderType type,
     ContentSecurityPolicyHeaderSource source) {
   // If this is a report-only header inside a <meta> element, bail out.
   if (source == ContentSecurityPolicyHeaderSourceMeta &&
       type == ContentSecurityPolicyHeaderTypeReport) {
     reportReportOnlyInMeta(header);
     return;
   }
@@ skipping 1155 matching lines @@
   // Collisions have no security impact, so we can save space by storing only
   // the string's hash rather than the whole report.
   return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report) {
   m_violationReportsSent.add(report.impl()->hash());
 }
 
 }  // namespace blink