CSP: Move 'worker-src' onto 'script-src'

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
+#include "core/frame/Deprecation.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/UseCounter.h"
 #include "core/html/HTMLScriptElement.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "platform/Crypto.h"
 #include "platform/RuntimeEnabledFeatures.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
 #include "platform/weborigin/KURL.h"
 #include "wtf/text/Base64.h"
 #include "wtf/text/ParsingUtilities.h"
@@ skipping 764 matching lines @@
                       UseCounter::BaseWouldBeBlockedByDefaultSrc);
   }
 
   return result;
 }
 
 bool CSPDirectiveList::allowWorkerFromSource(
     const KURL& url,
     ResourceRequest::RedirectStatus redirectStatus,
     SecurityViolationReportingPolicy reportingPolicy) const {
-  // 'worker-src' overrides 'child-src', which overrides the default
   // sources. So, we do this nested set of calls to 'operativeDirective()' to
-  // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src'
-  // if neither are available.
-  SourceListDirective* whichDirective = operativeDirective(
-      m_workerSrc.get(), operativeDirective(m_childSrc.get()));
+  // grab 'worker-src' if it exists, 'script-src' if it doesn't, and
+  // 'defaut-src' if neither are available.
+  SourceListDirective* workerSrc = operativeDirective(
+      m_workerSrc.get(), operativeDirective(m_scriptSrc.get()));
+
+  // In CSP2, workers are controlled via 'child-src'. CSP3 moves them to
+  // 'script-src'. In order to avoid breaking sites that allowed workers via
+  // 'child-src' that would have been blocked via 'script-src', we'll
+  // temporarily check whether a worker blocked via 'script-src' would have been
+  // allowed under 'child-src'. If the new 'worker-src' directive is present,
+  // however, we'll assume that the developer knows what they're asking for, and
+  // skip the extra fallback.
+  //
+  // That is, we'll block 'https://example.com/worker' given the policy
+  // "worker-src 'none'", "worker-src 'none'; child-src https://example.com",
+  // but we'll allow it given the policy
+  // "script-src https://not-example.com; child-src https://example.com"
+  // (because 'child-src' allows it) or "child-src https://not-example.com"
+  // (because the absent 'script-src' allows it).
+  //
+  // TODO(mkwst): Remove this once other vendors follow suit.
+  // https://crbug.com/662930
+  if (!checkSource(workerSrc, url, redirectStatus) && !m_workerSrc &&
+      m_childSrc && checkSource(m_childSrc, url, redirectStatus)) {
+    Deprecation::countDeprecation(
+        m_policy->document(),
+        UseCounter::ChildSrcAllowedWorkerThatScriptSrcBlocked);
+    return true;
+  }
 
   return reportingPolicy == SecurityViolationReportingPolicy::Report
              ? checkSourceAndReportViolation(
-                   whichDirective, url,
+                   workerSrc, url,
                    ContentSecurityPolicy::DirectiveType::WorkerSrc,
                    redirectStatus)
-             : checkSource(whichDirective, url, redirectStatus);
+             : checkSource(workerSrc, url, redirectStatus);
 }
 
 bool CSPDirectiveList::allowAncestors(
     LocalFrame* frame,
     const KURL& url,
     SecurityViolationReportingPolicy reportingPolicy) const {
   return reportingPolicy == SecurityViolationReportingPolicy::Report
              ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame,
                                                 url)
              : checkAncestors(m_frameAncestors.get(), frame);
@@ skipping 336 matching lines @@
   } else if (type == ContentSecurityPolicy::DirectiveType::ConnectSrc) {
     setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
   } else if (type == ContentSecurityPolicy::DirectiveType::Sandbox) {
     applySandboxPolicy(name, value);
   } else if (type == ContentSecurityPolicy::DirectiveType::ReportURI) {
     parseReportURI(name, value);
   } else if (type == ContentSecurityPolicy::DirectiveType::BaseURI) {
     setCSPDirective<SourceListDirective>(name, value, m_baseURI);
   } else if (type == ContentSecurityPolicy::DirectiveType::ChildSrc) {
     setCSPDirective<SourceListDirective>(name, value, m_childSrc);
-  } else if (type == ContentSecurityPolicy::DirectiveType::WorkerSrc &&
-             m_policy->experimentalFeaturesEnabled()) {
+  } else if (type == ContentSecurityPolicy::DirectiveType::WorkerSrc) {
     setCSPDirective<SourceListDirective>(name, value, m_workerSrc);
   } else if (type == ContentSecurityPolicy::DirectiveType::FormAction) {
     setCSPDirective<SourceListDirective>(name, value, m_formAction);
   } else if (type == ContentSecurityPolicy::DirectiveType::PluginTypes) {
     setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
   } else if (type ==
              ContentSecurityPolicy::DirectiveType::UpgradeInsecureRequests) {
     enableInsecureRequestsUpgrade(name, value);
   } else if (type ==
              ContentSecurityPolicy::DirectiveType::BlockAllMixedContent) {
@@ skipping 35 matching lines @@
     case ContentSecurityPolicy::DirectiveType::ManifestSrc:
       return operativeDirective(m_manifestSrc.get());
     case ContentSecurityPolicy::DirectiveType::MediaSrc:
       return operativeDirective(m_mediaSrc.get());
     case ContentSecurityPolicy::DirectiveType::ObjectSrc:
       return operativeDirective(m_objectSrc.get());
     case ContentSecurityPolicy::DirectiveType::ScriptSrc:
       return operativeDirective(m_scriptSrc.get());
     case ContentSecurityPolicy::DirectiveType::StyleSrc:
       return operativeDirective(m_styleSrc.get());
-    // Directives that default to child-src, which defaults to default-src.
+    // Directives that default to 'child-src' (which defaults to 'default-src')
     case ContentSecurityPolicy::DirectiveType::FrameSrc:
       return operativeDirective(m_frameSrc.get(),
                                 operativeDirective(m_childSrc.get()));
-    // TODO(mkwst): Reevaluate this.
+    // Directives that default to 'script-src' (which defaults to 'default-src')
     case ContentSecurityPolicy::DirectiveType::WorkerSrc:
       return operativeDirective(m_workerSrc.get(),
-                                operativeDirective(m_childSrc.get()));
+                                operativeDirective(m_scriptSrc.get()));
     default:
       return nullptr;
   }
 }
 
 SourceListDirectiveVector CSPDirectiveList::getSourceVector(
     const ContentSecurityPolicy::DirectiveType& type,
     const CSPDirectiveListVector& policies) {
   SourceListDirectiveVector sourceListDirectives;
   for (const auto& policy : policies) {
@@ skipping 92 matching lines @@
   visitor->trace(m_imgSrc);
   visitor->trace(m_mediaSrc);
   visitor->trace(m_manifestSrc);
   visitor->trace(m_objectSrc);
   visitor->trace(m_scriptSrc);
   visitor->trace(m_styleSrc);
   visitor->trace(m_workerSrc);
 }
 
 }  // namespace blink