CSP3: Implement 'worker-src'.

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
@@ skipping 415 matching lines @@
   if (!directive)
     return true;
 
   // We ignore URL-based whitelists if we're allowing dynamic script injection.
   if (checkSource(directive, url, redirectStatus) && !checkDynamic(directive))
     return true;
 
   String prefix;
   if (ContentSecurityPolicy::BaseURI == effectiveDirective)
     prefix = "Refused to set the document's base URI to '";
-  else if (ContentSecurityPolicy::ChildSrc == effectiveDirective)
-    prefix = "Refused to create a child context containing '";
+  else if (ContentSecurityPolicy::WorkerSrc == effectiveDirective)

[estark, 2016/11/09 06:16:32]

Are you intentionally not handling child-src here? Not obvious to me why.

[Mike West, 2016/11/09 08:37:21]

Yes. There's now no case in which `child-src` would be the effective directive,
as `frame-src` is the effective directive for nested contexts, and `worker-src`
is the effective directive for workers.

[estark, 2016/11/09 16:48:05]

Ah, gotcha, thanks for the explanation. In that case, I'll optionally nit that
you could add a DCHECK_NE(ChildSrc, effectiveDirective).

+    prefix = "Refused to create a worker from '";
   else if (ContentSecurityPolicy::ConnectSrc == effectiveDirective)
     prefix = "Refused to connect to '";
   else if (ContentSecurityPolicy::FontSrc == effectiveDirective)
     prefix = "Refused to load the font '";
   else if (ContentSecurityPolicy::FormAction == effectiveDirective)
     prefix = "Refused to send form data to '";
   else if (ContentSecurityPolicy::FrameSrc == effectiveDirective)
     prefix = "Refused to frame '";
   else if (ContentSecurityPolicy::ImgSrc == effectiveDirective)
     prefix = "Refused to load the image '";
@@ skipping 171 matching lines @@
   if (url.protocolIsAbout())
     return true;
   return reportingStatus == ContentSecurityPolicy::SendReport
              ? checkSourceAndReportViolation(
                    operativeDirective(m_objectSrc.get()), url,
                    ContentSecurityPolicy::ObjectSrc, redirectStatus)
              : checkSource(operativeDirective(m_objectSrc.get()), url,
                            redirectStatus);
 }
 
-bool CSPDirectiveList::allowChildFrameFromSource(
+bool CSPDirectiveList::allowFrameFromSource(
     const KURL& url,
     ResourceRequest::RedirectStatus redirectStatus,
     ContentSecurityPolicy::ReportingStatus reportingStatus) const {
   if (url.protocolIsAbout())
     return true;
 
-  // 'frame-src' is the only directive which overrides something other than the
-  // default sources.  It overrides 'child-src', which overrides the default
+  // 'frame-src' overrides 'child-src', which overrides the default
   // sources. So, we do this nested set of calls to 'operativeDirective()' to
   // grab 'frame-src' if it exists, 'child-src' if it doesn't, and 'defaut-src'
   // if neither are available.
   SourceListDirective* whichDirective = operativeDirective(
       m_frameSrc.get(), operativeDirective(m_childSrc.get()));
 
   return reportingStatus == ContentSecurityPolicy::SendReport
              ? checkSourceAndReportViolation(whichDirective, url,
                                              ContentSecurityPolicy::FrameSrc,
                                              redirectStatus)
@@ skipping 90 matching lines @@
     const KURL& url,
     ResourceRequest::RedirectStatus redirectStatus,
     ContentSecurityPolicy::ReportingStatus reportingStatus) const {
   return reportingStatus == ContentSecurityPolicy::SendReport
              ? checkSourceAndReportViolation(m_baseURI.get(), url,
                                              ContentSecurityPolicy::BaseURI,
                                              redirectStatus)
              : checkSource(m_baseURI.get(), url, redirectStatus);
 }
 
-bool CSPDirectiveList::allowChildContextFromSource(
+bool CSPDirectiveList::allowWorkerFromSource(
     const KURL& url,
     ResourceRequest::RedirectStatus redirectStatus,
     ContentSecurityPolicy::ReportingStatus reportingStatus) const {
+  if (url.protocolIsAbout())

[estark, 2016/11/09 16:48:05]

Is this necessary? I see why we need it for allowFrameFromSource() (to allow
newly added frames with about:blank) but don't see why for workers.

+    return true;
+
+  // 'worker-src' overrides 'child-src', which overrides the default
+  // sources. So, we do this nested set of calls to 'operativeDirective()' to
+  // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src'
+  // if neither are available.
+  SourceListDirective* whichDirective = operativeDirective(
+      m_workerSrc.get(), operativeDirective(m_childSrc.get()));
+
   return reportingStatus == ContentSecurityPolicy::SendReport
-             ? checkSourceAndReportViolation(
-                   operativeDirective(m_childSrc.get()), url,
-                   ContentSecurityPolicy::ChildSrc, redirectStatus)
-             : checkSource(operativeDirective(m_childSrc.get()), url,
-                           redirectStatus);
+             ? checkSourceAndReportViolation(whichDirective, url,
+                                             ContentSecurityPolicy::WorkerSrc,
+                                             redirectStatus)
+             : checkSource(whichDirective, url, redirectStatus);
 }
 
 bool CSPDirectiveList::allowAncestors(
     LocalFrame* frame,
     const KURL& url,
     ContentSecurityPolicy::ReportingStatus reportingStatus) const {
   return reportingStatus == ContentSecurityPolicy::SendReport
              ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame,
                                                 url)
              : checkAncestors(m_frameAncestors.get(), frame);
@@ skipping 331 matching lines @@
   } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) {
     setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
   } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) {
     applySandboxPolicy(name, value);
   } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) {
     parseReportURI(name, value);
   } else if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) {
     setCSPDirective<SourceListDirective>(name, value, m_baseURI);
   } else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) {
     setCSPDirective<SourceListDirective>(name, value, m_childSrc);
+  } else if (equalIgnoringCase(name, ContentSecurityPolicy::WorkerSrc)) {
+    setCSPDirective<SourceListDirective>(name, value, m_workerSrc);
   } else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) {
     setCSPDirective<SourceListDirective>(name, value, m_formAction);
   } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) {
     setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
   } else if (equalIgnoringCase(
                  name, ContentSecurityPolicy::UpgradeInsecureRequests)) {
     enableInsecureRequestsUpgrade(name, value);
   } else if (equalIgnoringCase(name,
                                ContentSecurityPolicy::BlockAllMixedContent)) {
     enforceStrictMixedContentChecking(name, value);
@@ skipping 20 matching lines @@
   visitor->trace(m_fontSrc);
   visitor->trace(m_formAction);
   visitor->trace(m_frameAncestors);
   visitor->trace(m_frameSrc);
   visitor->trace(m_imgSrc);
   visitor->trace(m_mediaSrc);
   visitor->trace(m_manifestSrc);
   visitor->trace(m_objectSrc);
   visitor->trace(m_scriptSrc);
   visitor->trace(m_styleSrc);
+  visitor->trace(m_workerSrc);
 }
 
 }  // namespace blink