CSP: "local schemes" should inherit policy when embedded.

third_party/WebKit/Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All
  * rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  * (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
@@ skipping 346 matching lines @@
     return false;
 
   // rule (d) above
   CharDecompositionType decompType = decompositionType(c);
   if (decompType == DecompositionFont || decompType == DecompositionCompat)
     return false;
 
   return true;
 }
 
-static bool shouldInheritSecurityOriginFromOwner(const KURL& url) {
-  // http://www.whatwg.org/specs/web-apps/current-work/#origin-0
-  //
-  // If a Document has the address "about:blank"
-  //     The origin of the Document is the origin it was assigned when its
-  //     browsing context was created.
-  //
-  // Note: We generalize this to all "blank" URLs and invalid URLs because we
-  // treat all of these URLs as about:blank.
-  //
-  return url.isEmpty() || url.protocolIsAbout();
-}
-
 static Widget* widgetForElement(const Element& focusedElement) {
   LayoutObject* layoutObject = focusedElement.layoutObject();
   if (!layoutObject || !layoutObject->isLayoutPart())
     return 0;
   return toLayoutPart(layoutObject)->widget();
 }
 
 static bool acceptsEditingFocus(const Element& element) {
   DCHECK(hasEditableStyle(element));
 
@@ skipping 5036 matching lines @@
     enforceSuborigin(*getSecurityOrigin()->suborigin());
 }
 
 void Document::initContentSecurityPolicy(ContentSecurityPolicy* csp) {
   setContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::create());
   if (m_frame && m_frame->tree().parent() &&
       m_frame->tree().parent()->isLocalFrame()) {
     ContentSecurityPolicy* parentCSP = toLocalFrame(m_frame->tree().parent())
                                            ->document()
                                            ->contentSecurityPolicy();
-    if (shouldInheritSecurityOriginFromOwner(m_url)) {
+
+    // We inherit the parent frame's CSP for documents with "local" schemes:
+    // 'about', 'blob', 'data', and 'filesystem'. We also inherit the parent
+    // frame's CSP for documents with empty/invalid URLs because we treat
+    // those URLs as 'about:blank' in Blink.

[dcheng, 2016/11/04 18:11:28]

So I'm not sure what we /should/ do, but some interesting scenarios:

One thing Blink gets wrong is the origin of about:blank: it's supposed to be
inherited from the initiator, not the parent. I do plan on fixing this at some
point; at that point, does it make sense for CSP to inherit from the parent or
the initiator?

Similarly, for blob and filesystem URLs: they could be different origin from the
parent frame, right? So should they be inheriting the CSP from their creator or
their parent?

[Mike West, 2016/11/18 11:06:23]

As currently specified, I think we'd end up inheriting from the parent. I think
I agree with your implication that we ought instead inherit from the navigation
initiator.

Today, though, we inherit from neither: that's certainly wrong, and I'd like to
fix it, as it's a fairly straightforward bypass.
Can they? I thought we blocked navigation to cross-origin blob:/filesystem:
URLs.
Same answer as above.

+    //
+    // https://w3c.github.io/webappsec-csp/#initialize-document-csp
+    if (m_url.isEmpty() || m_url.protocolIsAbout() || m_url.protocolIsData() ||
+        m_url.protocolIs("blob") || m_url.protocolIs("data")) {

[dcheng, 2016/11/04 18:11:27]

I notice filesystem isn't in this list, though it's in the comment.

[Mike West, 2016/11/18 11:06:23]

I had `data:` twice, though, so that's got to count for something. :)

       contentSecurityPolicy()->copyStateFrom(parentCSP);
     } else if (isPluginDocument()) {
       // Per CSP2, plugin-types for plugin documents in nested browsing
       // contexts gets inherited from the parent.
       contentSecurityPolicy()->copyPluginTypesFrom(parentCSP);
     }
   }
   contentSecurityPolicy()->bindToExecutionContext(this);
 }
 
@@ skipping 1030 matching lines @@
 }
 
 void showLiveDocumentInstances() {
   WeakDocumentSet& set = liveDocumentSet();
   fprintf(stderr, "There are %u documents currently alive:\n", set.size());
   for (Document* document : set)
     fprintf(stderr, "- Document %p URL: %s\n", document,
             document->url().getString().utf8().data());
 }
 #endif