CSP: Move 'worker-src' onto 'script-src'

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
@@ skipping 751 matching lines @@
                    m_baseURI.get(), url,
                    ContentSecurityPolicy::DirectiveType::BaseURI,
                    redirectStatus)
              : checkSource(m_baseURI.get(), url, redirectStatus);
 }
 
 bool CSPDirectiveList::allowWorkerFromSource(
     const KURL& url,
     ResourceRequest::RedirectStatus redirectStatus,
     ContentSecurityPolicy::ReportingStatus reportingStatus) const {
-  // 'worker-src' overrides 'child-src', which overrides the default
+  // 'worker-src' overrides 'script-src', which overrides the default
   // sources. So, we do this nested set of calls to 'operativeDirective()' to
-  // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src'
+  // grab 'worker-src' if it exists, 'script-src' if it doesn't, and
+  // 'defaut-src'

[estark, 2016/11/29 22:01:16]

nit: wrapping is weird

[Mike West, 2016/11/30 12:34:30]

I blame clang format. :)

   // if neither are available.
-  SourceListDirective* whichDirective = operativeDirective(
-      m_workerSrc.get(), operativeDirective(m_childSrc.get()));
+  SourceListDirective* workerSrc = operativeDirective(
+      m_workerSrc.get(), operativeDirective(m_scriptSrc.get()));
+
+  // Workers used to be controlled via 'child-src'; for the moment, we'll check
+  // 'child-src' if 'worker-src' is not present, and a check against
+  // 'script-src'
+  // fails (e.g. we'll block 'https://example.com/worker' given

[estark, 2016/11/29 22:01:16]

nit: unclosed parenthesis *twitch*

But more importantly, I can't parse this comment and can't seem to figure out
exactly what's going on and why. Is the goal to prevent breakage by allowing
workers that are prohibited by script-src if they're allowed by child-src?

[Mike West, 2016/11/30 12:34:30]

I've rewritten it in the hopes of being a little clearer about what I'm
planning.

+  // "worker-src 'none'" or "worker-src 'none'; child-src https://example.com",
+  // but we'll allow it given
+  // "script-src https://not-example.com; child-src https://example.com".
+  //
+  // TODO(mkwst): Remove this once other vendors follow suit.
+  // http://crbug.com/662930

[estark, 2016/11/29 22:01:16]

nit: https

[Mike West, 2016/11/30 12:34:30]

Arg!

+  if (!checkSource(workerSrc, url, redirectStatus) && !m_workerSrc) {

[Mike West, 2016/11/29 17:05:14]

Bah. This should include `&& m_childSrc`. :(

[estark, 2016/11/29 22:01:16]

And shouldn't call operativeDirective on line 791?

[Mike West, 2016/11/30 12:34:30]

Hrm. Yeah, I think you're right.

+    SourceListDirective* childSrc = operativeDirective(m_childSrc.get());
+    if (checkSource(childSrc, url, redirectStatus))
+      return true;
+  }
 
   return reportingStatus == ContentSecurityPolicy::SendReport
              ? checkSourceAndReportViolation(
-                   whichDirective, url,
+                   workerSrc, url,
                    ContentSecurityPolicy::DirectiveType::WorkerSrc,
                    redirectStatus)
-             : checkSource(whichDirective, url, redirectStatus);
+             : checkSource(workerSrc, url, redirectStatus);
 }
 
 bool CSPDirectiveList::allowAncestors(
     LocalFrame* frame,
     const KURL& url,
     ContentSecurityPolicy::ReportingStatus reportingStatus) const {
   return reportingStatus == ContentSecurityPolicy::SendReport
              ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame,
                                                 url)
              : checkAncestors(m_frameAncestors.get(), frame);
@@ skipping 336 matching lines @@
   } else if (type == ContentSecurityPolicy::DirectiveType::ConnectSrc) {
     setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
   } else if (type == ContentSecurityPolicy::DirectiveType::Sandbox) {
     applySandboxPolicy(name, value);
   } else if (type == ContentSecurityPolicy::DirectiveType::ReportURI) {
     parseReportURI(name, value);
   } else if (type == ContentSecurityPolicy::DirectiveType::BaseURI) {
     setCSPDirective<SourceListDirective>(name, value, m_baseURI);
   } else if (type == ContentSecurityPolicy::DirectiveType::ChildSrc) {
     setCSPDirective<SourceListDirective>(name, value, m_childSrc);
-  } else if (type == ContentSecurityPolicy::DirectiveType::WorkerSrc &&
-             m_policy->experimentalFeaturesEnabled()) {

[estark, 2016/11/29 22:01:16]

Was this an intentional change? Not clear why we don't need the experimental
flag here anymore

[Mike West, 2016/11/30 12:34:30]

Yes. This is something I want to ship (hence going back to blink-dev with an
update to the intent to ship).

[estark, 2016/12/01 05:16:56]

Oh, sorry, missed that! Makes sense now

+  } else if (type == ContentSecurityPolicy::DirectiveType::WorkerSrc) {
     setCSPDirective<SourceListDirective>(name, value, m_workerSrc);
   } else if (type == ContentSecurityPolicy::DirectiveType::FormAction) {
     setCSPDirective<SourceListDirective>(name, value, m_formAction);
   } else if (type == ContentSecurityPolicy::DirectiveType::PluginTypes) {
     setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
   } else if (type ==
              ContentSecurityPolicy::DirectiveType::UpgradeInsecureRequests) {
     enableInsecureRequestsUpgrade(name, value);
   } else if (type ==
              ContentSecurityPolicy::DirectiveType::BlockAllMixedContent) {
@@ skipping 35 matching lines @@
     case ContentSecurityPolicy::DirectiveType::ManifestSrc:
       return operativeDirective(m_manifestSrc.get());
     case ContentSecurityPolicy::DirectiveType::MediaSrc:
       return operativeDirective(m_mediaSrc.get());
     case ContentSecurityPolicy::DirectiveType::ObjectSrc:
       return operativeDirective(m_objectSrc.get());
     case ContentSecurityPolicy::DirectiveType::ScriptSrc:
       return operativeDirective(m_scriptSrc.get());
     case ContentSecurityPolicy::DirectiveType::StyleSrc:
       return operativeDirective(m_styleSrc.get());
-    // Directives that default to child-src, which defaults to default-src.
+    // Directives that default to 'child-src' (which defaults to 'default-src')
     case ContentSecurityPolicy::DirectiveType::FrameSrc:
       return operativeDirective(m_frameSrc,
                                 operativeDirective(m_childSrc.get()));
-    // TODO(mkwst): Reevaluate this
+    // Directives that default to 'script-src' (which defaults to 'default-src')
     case ContentSecurityPolicy::DirectiveType::WorkerSrc:
       return operativeDirective(m_workerSrc.get(),
-                                operativeDirective(m_childSrc.get()));
+                                operativeDirective(m_scriptSrc.get()));
     default:
       return nullptr;
   }
 }
 
 SourceListDirectiveVector CSPDirectiveList::getSourceVector(
     const ContentSecurityPolicy::DirectiveType& type,
     const CSPDirectiveListVector& policies) {
   SourceListDirectiveVector sourceListDirectives;
   for (const auto& policy : policies) {
@@ skipping 59 matching lines @@
   visitor->trace(m_imgSrc);
   visitor->trace(m_mediaSrc);
   visitor->trace(m_manifestSrc);
   visitor->trace(m_objectSrc);
   visitor->trace(m_scriptSrc);
   visitor->trace(m_styleSrc);
   visitor->trace(m_workerSrc);
 }
 
 }  // namespace blink