third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp - Issue 2536713002: Part 3.3: Is policy list subsumed under subsuming policy?

Side by Side Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp

Issue 2536713002: Part 3.3: Is policy list subsumed under subsuming policy? (Closed)

Patch Set: Using allowAllInline() Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« third_party/WebKit/Source/core/frame/csp/SourceListDirective.h ('K') | « third_party/WebKit/Source/core/frame/csp/SourceListDirective.h ('k') | third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "core/frame/csp/SourceListDirective.h"	5 #include "core/frame/csp/SourceListDirective.h"

6	6

7 #include "core/frame/csp/CSPSource.h"	7 #include "core/frame/csp/CSPSource.h"

8 #include "core/frame/csp/ContentSecurityPolicy.h"	8 #include "core/frame/csp/ContentSecurityPolicy.h"

9 #include "platform/network/ContentSecurityPolicyParsers.h"	9 #include "platform/network/ContentSecurityPolicyParsers.h"

10 #include "platform/weborigin/KURL.h"	10 #include "platform/weborigin/KURL.h"

(...skipping 561 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
572 const KURL& url,	572 const KURL& url,

573 ResourceRequest::RedirectStatus redirectStatus) const {	573 ResourceRequest::RedirectStatus redirectStatus) const {

574 for (size_t i = 0; i < m_list.size(); ++i) {	574 for (size_t i = 0; i < m_list.size(); ++i) {

575 if (m_list[i]->matches(url, redirectStatus))	575 if (m_list[i]->matches(url, redirectStatus))

576 return true;	576 return true;

577 }	577 }

578	578

579 return false;	579 return false;

580 }	580 }

581	581

	582 bool SourceListDirective::allowAllInline() {

	583 const ContentSecurityPolicy::DirectiveType& type =

	584 ContentSecurityPolicy::getDirectiveType(m_directiveName);

	585 if (type != ContentSecurityPolicy::DirectiveType::DefaultSrc &&
	amalika 2016/11/29 09:42:29 Added default-src since otherwise unspecified scri Added default-src since otherwise unspecified script-src will be failing.
	586 type != ContentSecurityPolicy::DirectiveType::StyleSrc &&

	587 type != ContentSecurityPolicy::DirectiveType::ScriptSrc) {

	588 return false;

	589 }

	590 return m_allowInline && !isHashOrNoncePresent() &&

	591 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc \|\|

	592 !m_allowDynamic);

	593 }

	594

582 bool SourceListDirective::subsumes(	595 bool SourceListDirective::subsumes(

583 HeapVector<Member<SourceListDirective>> other) {	596 HeapVector<Member<SourceListDirective>> other) {

584 // TODO(amalika): Handle here special keywords.	597 // TODO(amalika): Handle here special keywords.

585 if (!m_list.size() \|\| !other.size())	598 if (!m_list.size() \|\| !other.size())

586 return !m_list.size();	599 return !m_list.size();

587	600

588 HeapVector<Member<CSPSource>> normalizedA = m_list;	601 HeapVector<Member<CSPSource>> normalizedA = m_list;

589 if (m_allowSelf)	602 if (m_allowSelf)

590 normalizedA.append(m_policy->getSelfSource());	603 normalizedA.append(m_policy->getSelfSource());

591	604

592 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list;	605 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list;

593 if (other[0]->m_allowSelf)	606 if (other[0]->m_allowSelf)

594 normalizedB.append(other[0]->m_policy->getSelfSource());	607 normalizedB.append(other[0]->m_policy->getSelfSource());

595 for (size_t i = 1; i < other.size(); i++)	608

	609 bool allowInlineOther = other[0]->m_allowInline;
	Mike West 2016/11/29 12:00:50 Why do you need these three variables? Don't they Why do you need these three variables? Don't they boil down to calling `allowAllInline()` on all the items? amalika 2016/11/29 12:27:33 To call `allowAllInline()` is a method on SourceLi Show quoted text On 2016/11/29 at 12:00:50, Mike West (slow) wrote: > Why do you need these three variables? Don't they boil down to calling `allowAllInline()` on all the items? To call `allowAllInline()` is a method on SourceListDirective, so we can only call it on Embedding-CSP. For returned CSP, we create these variables to keep track of `normalized` values, i.e. normalized policy allows `unsafe-eval` only if all returned policies allow it. Then we check `allowAllInlineOther` for returned CSP on lin2 623 here. Mike West 2016/11/30 09:57:19 Hrm. Ok. But you only need them to check `allowAll Show quoted text On 2016/11/29 at 12:27:33, amalika wrote: > On 2016/11/29 at 12:00:50, Mike West (slow) wrote: > > Why do you need these three variables? Don't they boil down to calling `allowAllInline()` on all the items? > > To call `allowAllInline()` is a method on SourceListDirective, so we can only call it on Embedding-CSP. > For returned CSP, we create these variables to keep track of `normalized` values, i.e. normalized policy allows `unsafe-eval` only if all returned policies allow it. Then we check `allowAllInlineOther` for returned CSP on lin2 623 here. Hrm. Ok. But you only need them to check `allowAllInlineOther`, right? It seems like you could simplify this (maybe simpler?) with something like the following: ``` for (const auto& directive : other) { if (!allowAllInline() && (directive->m_allowInline && !((type == ContentSecurityPolicy::DirectiveType::ScriptSrc &&directive->m_allowDynamic) \|\| directive->isHashOrNoncePresent())) return false; ... } ``` WDYT? amalika 2016/11/30 10:06:06 I dont think this would give an expected behavior Show quoted text On 2016/11/30 at 09:57:19, Mike West (slow) wrote: > On 2016/11/29 at 12:27:33, amalika wrote: > > On 2016/11/29 at 12:00:50, Mike West (slow) wrote: > > > Why do you need these three variables? Don't they boil down to calling `allowAllInline()` on all the items? > > > > To call `allowAllInline()` is a method on SourceListDirective, so we can only call it on Embedding-CSP. > > For returned CSP, we create these variables to keep track of `normalized` values, i.e. normalized policy allows `unsafe-eval` only if all returned policies allow it. Then we check `allowAllInlineOther` for returned CSP on lin2 623 here. > > Hrm. Ok. But you only need them to check `allowAllInlineOther`, right? > > It seems like you could simplify this (maybe simpler?) with something like the following: > > ``` > for (const auto& directive : other) { > if (!allowAllInline() && (directive->m_allowInline && !((type == ContentSecurityPolicy::DirectiveType::ScriptSrc &&directive->m_allowDynamic) \|\| directive->isHashOrNoncePresent())) > return false; > > ... > } > ``` > > WDYT? I dont think this would give an expected behavior because we need to find `effective` allow() values? For example, if there are two policies in returned CSP: Content-Security-Policy: script-src 'unsafe-inline' http://example.com Content-Security-Policy: script-src 'strict-dynamic' http://example.com Then the `effective` policy should be Content-Security-Policy: script-src http://example.com (is that correct?) Then we can't judge allowAllInline() based on individual policies? Otherwise, we would return `false` after the first policy. So we have to iterate over all of them, saving if all of them allow() that attribute and then compare with the Embedding-CSP?
	610 bool allowDynamicOther = other[0]->m_allowDynamic;

	611 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent();

	612

	613 for (size_t i = 1; i < other.size(); i++) {

	614 allowInlineOther = allowInlineOther && other[i]->m_allowInline;

	615 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic;

	616 isHashOrNoncePresentOther =

	617 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent();

596 normalizedB = other[i]->getIntersectCSPSources(normalizedB);	618 normalizedB = other[i]->getIntersectCSPSources(normalizedB);

	619 }

	620

	621 const ContentSecurityPolicy::DirectiveType type =

	622 ContentSecurityPolicy::getDirectiveType(m_directiveName);

	623 bool allowAllInlineOther =

	624 allowInlineOther && !isHashOrNoncePresentOther &&

	625 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc \|\|

	626 !allowDynamicOther);

	627 if (!allowAllInline() && allowAllInlineOther)

	628 return false;

597	629

598 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB);	630 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB);

599 }	631 }

600	632

601 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly(	633 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly(

602 HeapVector<Member<CSPSource>> other) {	634 HeapVector<Member<CSPSource>> other) {

603 HashMap<String, CSPSource*> schemesA;	635 HashMap<String, CSPSource*> schemesA;

604 for (const auto& sourceA : m_list) {	636 for (const auto& sourceA : m_list) {

605 if (sourceA->isSchemeOnly())	637 if (sourceA->isSchemeOnly())

606 addSourceToMap(schemesA, sourceA);	638 addSourceToMap(schemesA, sourceA);

(...skipping 61 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
668 return normalized;	700 return normalized;

669 }	701 }

670	702

671 DEFINE_TRACE(SourceListDirective) {	703 DEFINE_TRACE(SourceListDirective) {

672 visitor->trace(m_policy);	704 visitor->trace(m_policy);

673 visitor->trace(m_list);	705 visitor->trace(m_list);

674 CSPDirective::trace(visitor);	706 CSPDirective::trace(visitor);

675 }	707 }

676	708

677 } // namespace blink	709 } // namespace blink

OLD	NEW