Implementation of script hashes for CSP.

Source/core/frame/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 31 matching lines @@
 #include "core/page/UseCounter.h"
 #include "core/platform/ParsingUtilities.h"
 #include "core/platform/network/FormData.h"
 #include "core/platform/network/ResourceResponse.h"
 #include "platform/JSONValues.h"
 #include "weborigin/KURL.h"
 #include "weborigin/KnownPorts.h"
 #include "weborigin/SchemeRegistry.h"
 #include "weborigin/SecurityOrigin.h"
 #include "wtf/HashSet.h"
+#include "wtf/SHA1.h"
+#include "wtf/text/Base64.h"
+#include "wtf/text/StringBuilder.h"
 #include "wtf/text/TextPosition.h"
 #include "wtf/text/WTFString.h"
 
 namespace WebCore {
 
 // Normally WebKit uses "static" for internal linkage, but using "static" for
 // these functions causes a compile error because these functions are used as
 // template parameters.
 namespace {
 
 bool isDirectiveNameCharacter(UChar c)
 {
     return isASCIIAlphanumeric(c) || c == '-';
 }
 
 bool isDirectiveValueCharacter(UChar c)
 {
     return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR
 }
 
-bool isNonceCharacter(UChar c)
+// Only checks for general Base64 encoded chars, not '=' chars since '=' is
+// positional and may only appear at the end of a Base64 encoded string.
+bool isBase64EncodedCharacter(UChar c)
 {
     return isASCIIAlphanumeric(c) || c == '+' || c == '/';
 }
 
 bool isSourceCharacter(UChar c)
 {
     return !isASCIISpace(c);
 }
 
 bool isPathComponentCharacter(UChar c)
@@ skipping 38 matching lines @@
 static const char sandbox[] = "sandbox";
 static const char scriptSrc[] = "script-src";
 static const char styleSrc[] = "style-src";
 
 // CSP 1.1 Directives
 static const char baseURI[] = "base-uri";
 static const char formAction[] = "form-action";
 static const char pluginTypes[] = "plugin-types";
 static const char reflectedXSS[] = "reflected-xss";
 
+// Supported script hashes and their prefix name
+static const char sha1Label[] = "sha1";
+static const char sha256Label[] = "sha256";
+
 bool isDirectiveName(const String& name)
 {
     return (equalIgnoringCase(name, connectSrc)
         || equalIgnoringCase(name, defaultSrc)
         || equalIgnoringCase(name, fontSrc)
         || equalIgnoringCase(name, frameSrc)
         || equalIgnoringCase(name, imgSrc)
         || equalIgnoringCase(name, mediaSrc)
         || equalIgnoringCase(name, objectSrc)
         || equalIgnoringCase(name, reportURI)
@@ skipping 131 matching lines @@
 class CSPSourceList {
 public:
     CSPSourceList(ContentSecurityPolicy*, const String& directiveName);
 
     void parse(const UChar* begin, const UChar* end);
 
     bool matches(const KURL&);
     bool allowInline() const { return m_allowInline; }
     bool allowEval() const { return m_allowEval; }
     bool allowNonce(const String& nonce) const { return !nonce.isNull() && m_nonces.contains(nonce); }
+    bool allowHash(const String& hash) const { return !hash.isNull() && m_hashes.contains(hash); }
 
 private:
     bool parseSource(const UChar* begin, const UChar* end, String& scheme, String& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard);
     bool parseScheme(const UChar* begin, const UChar* end, String& scheme);
     bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hostHasWildcard);
     bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
     bool parsePath(const UChar* begin, const UChar* end, String& path);
     bool parseNonce(const UChar* begin, const UChar* end, String& nonce);
+    bool parseHash(const UChar* begin, const UChar* end, String& hash);
 
     void addSourceSelf();
     void addSourceStar();
     void addSourceUnsafeInline();
     void addSourceUnsafeEval();
     void addSourceNonce(const String& nonce);
+    void addSourceHash(const String& hash);
 
     ContentSecurityPolicy* m_policy;
     Vector<CSPSource> m_list;
     String m_directiveName;
     bool m_allowStar;
     bool m_allowInline;
     bool m_allowEval;
     HashSet<String> m_nonces;
+    HashSet<String> m_hashes;
 };
 
 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& directiveName)
     : m_policy(policy)
     , m_directiveName(directiveName)
     , m_allowStar(false)
     , m_allowInline(false)
     , m_allowEval(false)
 {
 }
@@ skipping 88 matching lines @@
 
     if (m_policy->experimentalFeaturesEnabled()) {
         String nonce;
         if (!parseNonce(begin, end, nonce))
             return false;
 
         if (!nonce.isNull()) {
             addSourceNonce(nonce);
             return true;
         }
+
+        String hash;
+        if (!parseHash(begin, end, hash))
+            return false;
+
+        if (!hash.isNull()) {
+            addSourceHash(hash);
+            return true;
+        }
     }
 
     const UChar* position = begin;
     const UChar* beginHost = begin;
     const UChar* beginPath = end;
     const UChar* beginPort = 0;
 
     skipWhile<UChar, isNotColonOrSlash>(position, end);
 
     if (position == end) {
@@ skipping 69 matching lines @@
 bool CSPSourceList::parseNonce(const UChar* begin, const UChar* end, String& nonce)
 {
     DEFINE_STATIC_LOCAL(const String, noncePrefix, ("'nonce-"));
 
     if (!equalIgnoringCase(noncePrefix.characters8(), begin, noncePrefix.length()))
         return true;
 
     const UChar* position = begin + noncePrefix.length();
     const UChar* nonceBegin = position;
 
-    skipWhile<UChar, isNonceCharacter>(position, end);
+    skipWhile<UChar, isBase64EncodedCharacter>(position, end);
     ASSERT(nonceBegin <= position);
 
     if (((position + 1) != end  && *position != '\'') || !(position - nonceBegin))
         return false;
 
     nonce = String(nonceBegin, position - nonceBegin);
     return true;
 }
 
+// hash-source       = "'" hash-algorithm "-" hash-value "'"
+// hash-algorithm    = "sha1" / "sha256"
+// hash-value        = 1*( ALPHA / DIGIT / "+" / "/" / "=" )
+//
+bool CSPSourceList::parseHash(const UChar* begin, const UChar* end, String& hash)
+{
+    // TODO(jww) For now, we are not supporting SHA-256 (or any hashes other
+    // than SHA-1), so we need to put in a log message here to indicate that.
+    StringBuilder sha1Prefix;
+    sha1Prefix.append("'");
+    sha1Prefix.append(sha1Label);
+    sha1Prefix.append("-");

[abarth-chromium, 2013/10/17 02:28:09]

There's no reason to use a StringBuilder here.  You can just pass the constant
"'sha1-" to equalIgnoringCase.

[jww, 2013/10/18 22:58:04]

Done.

+    bool isSha1 = equalIgnoringCase(sha1Prefix.toString().characters8(), begin, sha1Prefix.length());
+    StringBuilder sha256Prefix;
+    sha256Prefix.append("'");
+    sha256Prefix.append(sha256Label);
+    sha256Prefix.append("-");
+    bool isSha256 = equalIgnoringCase(sha256Prefix.toString().characters8(), begin, sha256Prefix.length());

[abarth-chromium, 2013/10/17 02:28:09]

Ditto

[jww, 2013/10/18 22:58:04]

Done.

+
+    if (!isSha1)
+        return true;

[abarth-chromium, 2013/10/17 02:28:09]

You should call notImplemented() for the isSha256 case.

[jww, 2013/10/18 22:58:04]

Done.

+
+    const UChar* position = begin + (isSha1 ? sha1Prefix.length() : sha256Prefix.length());
+    const UChar* hashBegin = position;
+
+    skipWhile<UChar, isBase64EncodedCharacter>(position, end);
+    ASSERT(hashBegin <= position);
+
+    // Base64 encodings may end with exactly one or two '=' characters
+    for (size_t i = 0; i < 2 && position != end; i++) {
+        if (*position != '=')
+            break;
+        position = position + 1;
+    }
+
+    if (((position + 1) != end  && *position != '\'') || !(position - hashBegin))
+        return false;
+
+    hash = String(begin + 1, position - begin - 1);
+    return true;
+}
+
 //                     ; <scheme> production from RFC 3986
 // scheme      = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
 //
 bool CSPSourceList::parseScheme(const UChar* begin, const UChar* end, String& scheme)
 {
     ASSERT(begin <= end);
     ASSERT(scheme.isEmpty());
 
     if (begin == end)
         return false;
@@ skipping 122 matching lines @@
 void CSPSourceList::addSourceUnsafeEval()
 {
     m_allowEval = true;
 }
 
 void CSPSourceList::addSourceNonce(const String& nonce)
 {
     m_nonces.add(nonce);
 }
 
+void CSPSourceList::addSourceHash(const String& hash)
+{
+    m_hashes.add(hash);
+}
+
 class CSPDirective {
 public:
     CSPDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
         : m_name(name)
         , m_text(name + ' ' + value)
         , m_policy(policy)
     {
     }
 
     const String& text() const { return m_text; }
@@ skipping 96 matching lines @@
     }
 
     bool allows(const KURL& url)
     {
         return m_sourceList.matches(url.isEmpty() ? policy()->url() : url);
     }
 
     bool allowInline() const { return m_sourceList.allowInline(); }
     bool allowEval() const { return m_sourceList.allowEval(); }
     bool allowNonce(const String& nonce) const { return m_sourceList.allowNonce(nonce.stripWhiteSpace()); }
+    bool allowHash(const String& hash) const { return m_sourceList.allowHash(hash); }
 
 private:
     CSPSourceList m_sourceList;
 };
 
 class CSPDirectiveList {
     WTF_MAKE_FAST_ALLOCATED;
 public:
     static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const UChar* begin, const UChar* end, ContentSecurityPolicy::HeaderType);
 
@@ skipping 14 matching lines @@
     bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowScriptNonce(const String&) const;
     bool allowStyleNonce(const String&) const;
+    bool allowHash(const String&) const;
 
     void gatherReportURIs(DOMStringList&) const;
     const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
     ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
     bool isReportOnly() const { return m_reportOnly; }
     const Vector<KURL>& reportURIs() const { return m_reportURIs; }
 
 private:
     CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType);
 
     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
     void parseReportURI(const String& name, const String& value);
     void parsePluginTypes(const String& name, const String& value);
     void parseReflectedXSS(const String& name, const String& value);
     void addDirective(const String& name, const String& value);
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
 
     template <class CSPDirectiveType>
     void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);
 
     SourceListDirective* operativeDirective(SourceListDirective*) const;
     void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL) const;
     void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     void reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptState*) const;
 
     bool checkEval(SourceListDirective*) const;
     bool checkInline(SourceListDirective*) const;
     bool checkNonce(SourceListDirective*, const String&) const;
+    bool checkHash(SourceListDirective*, const String&) const;
     bool checkSource(SourceListDirective*, const KURL&) const;
     bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
 
     void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
 
     bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, ScriptState*) const;
     bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
 
     bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective) const;
     bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
@@ skipping 82 matching lines @@
 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const
 {
     return !directive || directive->allowInline();
 }
 
 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const
 {
     return !directive || directive->allowNonce(nonce);
 }
 
+bool CSPDirectiveList::checkHash(SourceListDirective* directive, const String& hash) const
+{
+    return !directive || directive->allowHash(hash);
+}
+
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& url) const
 {
     return !directive || directive->allows(url);
 }
 
 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const String& type, const String& typeAttribute) const
 {
     if (!directive)
         return true;
     if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type)
@@ skipping 225 matching lines @@
 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const
 {
     return checkNonce(operativeDirective(m_scriptSrc.get()), nonce);
 }
 
 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const
 {
     return checkNonce(operativeDirective(m_styleSrc.get()), nonce);
 }
 
+bool CSPDirectiveList::allowHash(const String& hash) const
+{
+    return checkHash(operativeDirective(m_scriptSrc.get()), hash);

[abarth-chromium, 2013/10/17 02:28:09]

Notice the m_scriptSrc here.

[jww, 2013/10/18 22:58:04]

Ah, right, that's why we have separate script and style functions...

+}
+
 // policy            = directive-list
 // directive-list    = [ directive *( ";" [ directive ] ) ]
 //
 void CSPDirectiveList::parse(const UChar* begin, const UChar* end)
 {
     m_header = String(begin, end - begin);
 
     if (begin == end)
         return;
 
@@ skipping 329 matching lines @@
 
 template<bool (CSPDirectiveList::*allowed)(const String&) const>
 bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce)
 {
     for (size_t i = 0; i < policies.size(); ++i) {
         if (!(policies[i].get()->*allowed)(nonce))
             return false;
     }
     return true;
 }
+
+template<bool (CSPDirectiveList::*allowed)(const String&) const>
+bool isAllowedByAllWithHash(const CSPDirectiveListVector& policies, const String& hash)
+{
+    for (size_t i = 0; i < policies.size(); ++i) {
+        if (!(policies[i].get()->*allowed)(hash))
+            return false;
+    }
+    return true;
+}
+
 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&, ContentSecurityPolicy::ReportingStatus) const>
 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
 {
     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
         return true;
 
     for (size_t i = 0; i < policies.size(); ++i) {
         if (!(policies[i].get()->*allowFromURL)(url, reportingStatus))
             return false;
     }
@@ skipping 53 matching lines @@
 bool ContentSecurityPolicy::allowScriptNonce(const String& nonce) const
 {
     return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_policies, nonce);
 }
 
 bool ContentSecurityPolicy::allowStyleNonce(const String& nonce) const
 {
     return isAllowedByAllWithNonce<&CSPDirectiveList::allowStyleNonce>(m_policies, nonce);
 }
 
+bool ContentSecurityPolicy::allowHash(const String& source) const
+{
+    // TODO(jww) We don't currently have a WTF SHA256 implementation. Once we
+    // have that, we should implement a proper check for sha256 hash values here.
+    SHA1 sourceSha1;
+    sourceSha1.addBytes(source.utf8());

[abarth-chromium, 2013/10/17 02:28:09]

Woah there cowboy.  There are a couple of important details to worry about here:

1) What do we do with unencodable code units?
2) Do we want NFC, NFD, NFKC, or NFKD normalization?

Basically, we need to call a lower-level unicode API that makes these things
explicit.  Specifically, you want to call UTF8Encoding()'s functions.

Given that this is the web, we probably want NFC normalization and
EntitiesForUnencodables, which means calling:

UTF8Encoding().normalizeAndEncode(..., EntitiesForUnencodables);

Please make sure to include these details in the spec and to test these tricky
cases.

[jww, 2013/10/18 22:58:04]

Done.

+    Vector<uint8_t, 20> digest;
+    sourceSha1.computeHash(digest);
+
+    StringBuilder hash;

[abarth-chromium, 2013/10/17 02:28:09]

Please call |hash.reserveCapacity(...)| with the exact number of characters
you'll need.

[jww, 2013/10/18 22:58:04]

Done.

+    hash.append(sha1Label);
+    hash.append("-");
+    hash.append(base64Encode(reinterpret_cast<char*>(digest.data()), 20));

[abarth-chromium, 2013/10/17 02:28:09]

20 -> digest.size()

[jww, 2013/10/18 22:58:04]

Done.

+    return isAllowedByAllWithHash<&CSPDirectiveList::allowHash>(m_policies, hash.toString());
+}
+
 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_policies, url, reportingStatus);
 }
 
 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m_policies, url, reportingStatus);
 }
 
@@ skipping 234 matching lines @@
 {
     ASSERT(invalidChar == '#' || invalidChar == '?');
 
     String ignoring = "The fragment identifier, including the '#', will be ignored.";
     if (invalidChar == '?')
         ignoring = "The query component, including the '?', will be ignored.";
     String message = "The source list for Content Security Policy directive '" + directiveName + "' contains a source with an invalid path: '" + value + "'. " + ignoring;
     logToConsole(message);
 }
 
-void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
-{
-    String message = "Ignoring invalid Content Security Policy script nonce: '" + nonce + "'.\n";
-    logToConsole(message);
-}
-
 void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
 {
     String message = "The source list for Content Security Policy directive '" + directiveName + "' contains an invalid source: '" + source + "'. It will be ignored.";
     if (equalIgnoringCase(source, "'none'"))
         message = message + " Note that 'none' has no effect unless it is the only expression in the source list.";
     logToConsole(message);
 }
 
 void ContentSecurityPolicy::reportMissingReportURI(const String& policy) const
 {
@@ skipping 30 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace WebCore