Issue 2655463006: PlzNavigate: Enforce 'frame-src' CSP on the browser.

arthursonzogni

Description was changed from ========== PlzNavigate: Enforce frame-src CSP on the browser. Use a NavigationThrottle ...

3 years, 11 months ago (2017-01-25 08:58:43 UTC) #1

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-07 14:50:20 UTC) #2

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/80001

3 years, 10 months ago (2017-02-07 14:50:34 UTC) #3

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-07 17:47:16 UTC) #4

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/385215)

3 years, 10 months ago (2017-02-07 17:47:17 UTC) #5

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-09 13:36:30 UTC) #6

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/100001

3 years, 10 months ago (2017-02-09 13:36:43 UTC) #7

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-09 13:40:10 UTC) #8

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: ios-simulator-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator-xcode-clang/builds/39620)

3 years, 10 months ago (2017-02-09 13:40:11 UTC) #9

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-09 15:02:24 UTC) #10

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/120001

3 years, 10 months ago (2017-02-09 15:02:42 UTC) #11

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-09 17:51:48 UTC) #18

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/387020)

3 years, 10 months ago (2017-02-09 17:51:49 UTC) #19

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-10 14:41:05 UTC) #20

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/140001

3 years, 10 months ago (2017-02-10 14:41:27 UTC) #21

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-10 14:44:39 UTC) #22

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: ios-device on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds/151204) mac_chromium_compile_dbg_ng on ...

3 years, 10 months ago (2017-02-10 14:44:40 UTC) #23

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-10 14:50:17 UTC) #24

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/160001

3 years, 10 months ago (2017-02-10 14:50:46 UTC) #25

arthursonzogni

Description was changed from ========== PlzNavigate: Enforce frame-src CSP on the browser. Use a NavigationThrottle ...

3 years, 10 months ago (2017-02-10 15:54:57 UTC) #26

arthursonzogni

Description was changed from ========== PlzNavigate: Enforce frame-src CSP on the browser. Use a NavigationThrottle ...

3 years, 10 months ago (2017-02-10 16:06:43 UTC) #27

arthursonzogni

arthursonzogni@chromium.org changed reviewers: + alexmos@chromium.org, nasko@chromium.org

3 years, 10 months ago (2017-02-10 16:42:20 UTC) #29

arthursonzogni

Hi nasko@, alexmos@ and the others(in CC) Please could you review this CL? It depends ...

3 years, 10 months ago (2017-02-10 16:42:22 UTC) #30

alexmos

Thanks, Arthur! I made a first, fairly high-level pass through this - a few questions ...

3 years, 10 months ago (2017-02-10 22:59:54 UTC) #31

nasko

Some preliminary comments from the two files I could get to. I will continue reviewing ...

3 years, 10 months ago (2017-02-11 00:01:23 UTC) #32

clamy

clamy@chromium.org changed reviewers: + clamy@chromium.org

3 years, 10 months ago (2017-02-13 13:23:27 UTC) #33

clamy

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_host/frame_tree_node.h File content/browser/frame_host/frame_tree_node.h (right): https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_host/frame_tree_node.h#newcode419 content/browser/frame_host/frame_tree_node.h:419: std::unique_ptr<CSPContext> csp_context_; On 2017/02/10 22:59:53, alexmos wrote: > I'm ...

3 years, 10 months ago (2017-02-13 13:23:28 UTC) #34

arthursonzogni

Thanks for the reviews! I fixed most of the issues. It remains the questions about: ...

3 years, 10 months ago (2017-02-13 16:33:21 UTC) #36

Thanks for the reviews!
I fixed most of the issues.
It remains the questions about:
* Could we make it works without PlzNavigate?
* Is there any race condition problems?
I am investigating on these questions.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/ancestor_throttle.cc (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/ancestor_throttle.cc:203: return
NavigationThrottle::BLOCK_REQUEST;
On 2017/02/10 22:59:53, alexmos wrote:
> Will this result in loading a regular error page?  I remember we discussed
> whether to load a blank page with a unique origin (data:,) temporarily until
we
> fix the error pages, because otherwise we can get the problems with the CWS
kill
> and more down the road as we tighten up CanCommitURL for OOPIFs
> (https://crbug.com/622385, https://crbug.com/689733).  Can you check if you
get
> the kill in 622385 with this approach, if a parent page declares a CSP that
> disallows the CWS URL?  Would the frame-src checks happen before XFO blocks it
> using BLOCK_RESPONSE, for which you used data:, when you moved XFO over to the
> browser?

Yes you are right. I forgot this.
XFO checks happens after 'frame-src'.
I will have to create a new ThrottleCheckResult for this.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.cc:20:
frame_tree_node_->render_manager()->current_frame_host();
On 2017/02/11 00:01:23, nasko wrote:
> nit: No need to indirect through render_manager() call, the current host is
> exposed through the FrameTreeNode itself.

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.cc:22: if (!current_frame_host)
On 2017/02/10 22:59:53, alexmos wrote:
> Is this null check needed?

It is probably not needed indeed for this case(i.e. frame-src)
Maybe in the future if we choose to handle frame-ancestor on the browser-side
and the response is 204-No-content?

Do you prefer to add a DCHECK for the moment to detect some edges cases we are
not aware of?

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.cc:25:
current_frame_host->AddMessageToConsole(CONSOLE_MESSAGE_LEVEL_ERROR, message);
On 2017/02/11 00:01:23, nasko wrote:
> Is the log level always ERROR?

Yes, see all calls to ContentSecurityPolicy::logToConsole(..).

InfoMessageLevel is used one time, but it is for the message:
"The Content-Security-Policy directive {{directive}} is implemented behind a
flag which is currently disabled". We don't parse CSP on the browser-side for
the moment, so I think the log level will be always ERROR.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.cc:34: bool
CSPContextImpl::SchemeShouldBypass(const base::StringPiece& scheme) {
On 2017/02/10 22:59:53, alexmos wrote:
> Perhaps name this SchemeShouldBypassCSP, so it's clear what the scheme should
> bypass?  (This is what the Blink version of this does.)

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.cc:42: const auto& bypassing_scheme
= url::GetCSPBypassingSchemes();
On 2017/02/10 22:59:53, alexmos wrote:
> nit: s/bypassing_scheme/bypassing_schemes/

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.h (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:6: #define
CONTENT_BROWSER_FRAME_HOST_CSP_CONTEXT_H_
On 2017/02/11 00:01:23, nasko wrote:
> Missing _IMPL_ part in the include guard.

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:21: void ReportViolation(const
CSPViolationParams& violation_params) override;
On 2017/02/10 22:59:53, alexmos wrote:
> Just a heads-up that lukasza@ worked on some plumbing for CSP violations in
> https://codereview.chromium.org/2190183002/.  This will probably supercede
most
> of that CL, but might be good to look over that CL to compare approaches and
to
> see if any of the discussion applies here.  For example, do the races Lukasz
> discussed in RenderFrameProxyHost::OnForwardContentSecurityPolicyViolation no
> longer apply here?

Thanks! I don't know yet if a race could happens, I will try to understand.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:24: bool SchemeShouldBypass(const
base::StringPiece& scheme) override;
On 2017/02/10 22:59:53, alexmos wrote:
> Can this be static?  Doesn't look like it needs frame_tree_node_ for anything.

Yes, it doesn't need frame_tree_node_, but it's a virtual method, so it can't be
static.
In my previous patch:
https://codereview.chromium.org/2612793002/
The code in content/common/content_security_policy/* is in a way self-contained.
The behavior/state it depends on are implemented here in CSPContextImpl. It is
also implemented in a different way in tests.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:26: FrameTreeNode*
frame_tree_node_;  // Never nullptr.
On 2017/02/11 00:01:23, nasko wrote:
> nit: Comments like that usually go above the member variable.

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:28: }  // namespace content
On 2017/02/11 00:01:23, nasko wrote:
> nit: Empty line before end of namespace.

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:30: #endif  //
CONTENT_BROWSER_FRAME_HOST_CSP_CONTEXT_H_ */
On 2017/02/11 00:01:23, nasko wrote:
> Why is there "*/" at the end?

Oops, vim-snipmate + wrong conversion to the google coding style.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/frame_tree_node.h (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/frame_tree_node.h:181: const std::vector<CSPPolicy>&
ContentSecurityPolicies() const {
On 2017/02/11 00:01:23, nasko wrote:
> This should be hacker_case(), as it is a simple accessor.

Okay, I didn't know about this coding style rule.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/frame_tree_node.h:187: CSPContext*
ContentSecurityPolicyContext() { return csp_context_.get(); }
On 2017/02/11 00:01:23, nasko wrote:
> Same here, hacker_case().

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/render_frame_host_impl.h (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/render_frame_host_impl.h:560: // PlzNavigate
On 2017/02/10 22:59:53, alexmos wrote:
> Does this have to be specific to PlzNavigate?  I'm wondering if we can reuse
> this to fix https://bugs.chromium.org/p/chromium/issues/detail?id=611232 for
> OOPIFs as well.

I will probably need to forward the should_bypass_main_world from the renderer
to the NavigationThrottle. It sounds feasible.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/site_p...
File content/browser/site_per_process_browsertest.cc (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/site_p...
content/browser/site_per_process_browsertest.cc:7162: // blocked page url.
On 2017/02/10 22:59:53, alexmos wrote:
> This isn't very intuitive, so perhaps explain why that is? (Errors currently
> commit with the URL of the original page.)

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/site_p...
content/browser/site_per_process_browsertest.cc:7171: EXPECT_EQ("",
frame_title);
On 2017/02/10 22:59:53, alexmos wrote:
> I'd also check RFHI::last_successful_url() to make sure that points back to
> old_subframe_url.  (In fact, that should be true regardless of whether
> PlzNavigate is enabled.)

RFHI::last_successful_url() returns the empty url with PlzNavigate. The
navigation is cross-origin, so we use another RFHI, not the previous one. There
is no last successful url.

https://codereview.chromium.org/2655463006/diff/200001/content/common/content...
File content/common/content_security_policy/csp_context.h (right):

https://codereview.chromium.org/2655463006/diff/200001/content/common/content...
content/common/content_security_policy/csp_context.h:50: // Used in
CSPContext::ReportViolation()
On 2017/02/10 22:59:53, alexmos wrote:
> General note for these CLs: for the new CSP things in content/ that will end
up
> still having Blink equivalents, it might be useful to add a comment explaining
> what the correspondence is, and how we expect it to evolve over time.

Acknowledged.

https://codereview.chromium.org/2655463006/diff/200001/content/common/navigat...
File content/common/navigation_params.h (right):

https://codereview.chromium.org/2655463006/diff/200001/content/common/navigat...
content/common/navigation_params.h:62: bool should_bypass_main_world_CSP);
On 2017/02/10 22:59:53, alexmos wrote:
> for style consistency, I'd favor lowercasing the CSP, i.e.,
> should_bypass_main_world_csp.

Done.

https://codereview.chromium.org/2655463006/diff/200001/content/common/navigat...
content/common/navigation_params.h:126: // surround it. It is actually used to
bypass the 'frame-src' and 'child-src'
On 2017/02/10 22:59:53, alexmos wrote:
> nit: drop "actually"

Done. I misunderstood what "main_world" means, it is simply the opposite of
"isolated_world". This comment is very bad, I will update it.
AFAIK, it is used for 'frame-src' and not for 'form-action'.

It is also used for others CSP, for instance 'style-src', 'script-src', ..., but
I only care about CSP when it can block a navigation.

https://codereview.chromium.org/2655463006/diff/200001/content/common/navigat...
content/common/navigation_params.h:129: bool should_bypass_main_world_CSP;
On 2017/02/10 22:59:53, alexmos wrote:
> Do we have tests that things work properly when this is true, with PlzNavigate
> enabled?

Yes, I did this to make this test work:
http/tests/security/isolatedWorld/bypass-main-world-csp-iframes.html

I was able to remove the failure expectation from:
third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation

https://codereview.chromium.org/2655463006/diff/200001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/loader/FrameLoader.cpp (right):

https://codereview.chromium.org/2655463006/diff/200001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/loader/FrameLoader.cpp:1644:
!browserSideNavigationEnabled) {
On 2017/02/10 22:59:53, alexmos wrote:
> On 2017/02/10 16:42:22, arthursonzogni wrote:
> > Note: It is possible to check the CSP with PlzNavigate on the browser-side
and
> > on the renderer-side at the same time, but I prevent this to happens because
> > 'shouldContinueForNavigationPolicy' is called two times with PlzNavigate:
> > * One for the initial request.
> > * A Second time when the request come back from the browser.
> > The problem is that 'shouldCheckMainWorldContentSecurityPolicy' is does not
> > correspond to reality the second time.
> 
> I might be fuzzy on how this part works with PlzNavigate, but could you
explain
> more about what's wrong with shouldCheckMainWorldContentSecurityPolicy the
> second time?

With PlzNavigate, we currently use a dirty hack to commit navigation inside
blink. It is temporarily. After the navigation has been done in the browser, it
is committed inside the renderer. The browser sends a request to the renderer,
but in a way, it is the response. It is essentially a request with a few
attributes that tells the renderer that it doesn't have to submit a new request
and where it can find the response.
So 2 requests are made, one for the request and one for the "response".

For the second request, the renderer doesn't know if the request was submitted
from an isolated world and it will block the request if we don't prevent it to
do so.

https://codereview.chromium.org/2655463006/diff/200001/third_party/WebKit/Sou...
File third_party/WebKit/Source/web/WebLocalFrameImpl.cpp (right):

https://codereview.chromium.org/2655463006/diff/200001/third_party/WebKit/Sou...
third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:2065:
ContentSecurityPolicy::ViolationType::URLViolation); /* ViolationType */
On 2017/02/10 22:59:54, alexmos wrote:

> Do you need to forward the redirect status also, rather than relying on the
> default?
Yes, I completely ignored the redirect status. Thanks! I need to fix it.

> What about contextLine?  I saw you filed https://crbug.com/690946, but what
> would it take to fix it?
I don't know, it could be as easy as adding one more attribute to the navigation
params.

> Also, are we sure that violation type is always going to be
> ContentSecurityPolicy::URLViolation?
Yes, the violation type is always going to be a
ContentSecurityPolicy::URLViolation. The other choices are:
InlineViolation and EvalViolation.
As far as it is used only in PlzNavigate, it will be for blocking a navigation.

alexmos

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_host/frame_tree_node.h File content/browser/frame_host/frame_tree_node.h (right): https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_host/frame_tree_node.h#newcode419 content/browser/frame_host/frame_tree_node.h:419: std::unique_ptr<CSPContext> csp_context_; On 2017/02/13 13:23:28, clamy wrote: > On ...

3 years, 10 months ago (2017-02-14 05:44:28 UTC) #37

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/frame_tree_node.h (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/frame_tree_node.h:419: std::unique_ptr<CSPContext>
csp_context_;
On 2017/02/13 13:23:28, clamy wrote:
> On 2017/02/10 22:59:53, alexmos wrote:
> > I'm wondering whether it'd be better to associate csp_context_ and
> csp_policies_
> > with RFH instead of FTN?  I'm concerned we could end up checking the wrong
> > frame's CSP.  E.g., if the current RFH has a CSP, then it becomes a pending
> > delete RFH and adds an iframe which needs to check frame-src, this might end
> up
> > checking the wrong RFH's CSP policy (current RFH's, rather than pending
delete
> > RFH's).  We've had this kind of issue with URLs and origins and ended up
> moving
> > both from FTN to RFH (see issues 590034, 590035, 663740).
> 
> Can the frame navigate while the RFH is in pending-delete mode? I thought we
> filtered navigation IPCs coming from it while it was in that mode (and if we
> don't we should). Considering we only check CSP when navigating, this should
be
> fine?

Yes, I wasn't sure how much was disallowed in unload handlers currently, but
after double-checking with dcheng@, unload handlers should not be able to create
new child frames or navigate.  So I agree this isn't a concern then.

I wonder if there could be other races though.  E.g., suppose we have A-embed-B
with B in an OOPIF, and A navigates to C.  In parallel with the commit for C, B
navigates to D (before B's process knows that its parent is about to go away),
with that IPC arriving just after C commits (and before A's children are cleaned
up).  In the browser, will we try to check frame-src for D (which presumably
would need A's CSP and not C's CSP), or will we recognize that its parent RFH A
is pending deletion and abort the navigation?  Not sure whether this is actually
possible today; if the navigation to D does make it to browser process, the
right thing to do is probably to abort it if any of the ancestor RFHs are
pending deletion to match what Blink does (i.e., we should ensure that we never
need to check CSP frame-src using a pending delete RFH).  And perhaps it might
be worthwhile to add something like
CHECK(navigating_rfh->GetParent()->is_active()) when enforcing frame-src?

alexmos

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_host/csp_context_impl.cc File content/browser/frame_host/csp_context_impl.cc (right): https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_host/csp_context_impl.cc#newcode22 content/browser/frame_host/csp_context_impl.cc:22: if (!current_frame_host) On 2017/02/13 16:33:20, arthursonzogni wrote: > On ...

3 years, 10 months ago (2017-02-14 06:57:20 UTC) #38

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.cc:22: if (!current_frame_host)
On 2017/02/13 16:33:20, arthursonzogni wrote:
> On 2017/02/10 22:59:53, alexmos wrote:
> > Is this null check needed?
> 
> It is probably not needed indeed for this case(i.e. frame-src)
> Maybe in the future if we choose to handle frame-ancestor on the browser-side
> and the response is 204-No-content?
> 
> Do you prefer to add a DCHECK for the moment to detect some edges cases we are
> not aware of?

I haven't ever seen any code null-checking current_frame_host(), out of numerous
call sites, so my assumption is that something else will break very quickly if
it happens to be null.  You could add the DCHECK, but if it's null, we'll just
crash on the next line and we will get some crash reports anyway, so I don't
think it's really needed.

I'm not exactly sure how the 204 works, but that should keep the RFH created
initially (in RFHM::Init), no?

See also this comment in ~RFHM:
  // We should always have a current RenderFrameHost except in some tests.
  SetRenderFrameHost(std::unique_ptr<RenderFrameHostImpl>());

(not sure what tests it's talking about, but I'd rather only include the
null-check if any tests actually need it.)

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.h (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:24: bool SchemeShouldBypass(const
base::StringPiece& scheme) override;
On 2017/02/13 16:33:20, arthursonzogni wrote:
> On 2017/02/10 22:59:53, alexmos wrote:
> > Can this be static?  Doesn't look like it needs frame_tree_node_ for
anything.
> 
> Yes, it doesn't need frame_tree_node_, but it's a virtual method, so it can't
be
> static.
> In my previous patch:
> https://codereview.chromium.org/2612793002/
> The code in content/common/content_security_policy/* is in a way
self-contained.
> The behavior/state it depends on are implemented here in CSPContextImpl. It is
> also implemented in a different way in tests.

Acknowledged.

https://codereview.chromium.org/2655463006/diff/200001/content/browser/site_p...
File content/browser/site_per_process_browsertest.cc (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/site_p...
content/browser/site_per_process_browsertest.cc:7171: EXPECT_EQ("",
frame_title);
On 2017/02/13 16:33:20, arthursonzogni wrote:
> On 2017/02/10 22:59:53, alexmos wrote:
> > I'd also check RFHI::last_successful_url() to make sure that points back to
> > old_subframe_url.  (In fact, that should be true regardless of whether
> > PlzNavigate is enabled.)
> 
> RFHI::last_successful_url() returns the empty url with PlzNavigate. The
> navigation is cross-origin, so we use another RFHI, not the previous one.
There
> is no last successful url.

Ah, got it, thanks.  That's actually really great; thanks for adding the comment
with the explanation.  I wish this would happen without PlzNavigate too. :)

https://codereview.chromium.org/2655463006/diff/200001/content/common/navigat...
File content/common/navigation_params.h (right):

https://codereview.chromium.org/2655463006/diff/200001/content/common/navigat...
content/common/navigation_params.h:126: // surround it. It is actually used to
bypass the 'frame-src' and 'child-src'
On 2017/02/13 16:33:20, arthursonzogni wrote:
> On 2017/02/10 22:59:53, alexmos wrote:
> > nit: drop "actually"
> 
> Done. I misunderstood what "main_world" means, it is simply the opposite of
> "isolated_world". This comment is very bad, I will update it.
> AFAIK, it is used for 'frame-src' and not for 'form-action'.
> 
> It is also used for others CSP, for instance 'style-src', 'script-src', ...,
but
> I only care about CSP when it can block a navigation.

Interesting, thanks.  It's sad that an evil renderer can just pass this bit to
turn off the enforcement of frame-src in the browser process.  Perhaps down the
road we could add some validation in the browser process, such as whether the
renderer process really contained extension content scripts that could do this.

By the way, it doesn't seem like the isolated world's CSP is actually enforced
today (looking at how DOMWrapperWorld::setIsolatedWorldContentSecurityPolicy
ignores the passed-in policy).  It's only used to flip the bit that allows
bypassing the main world CSP.  So it doesn't seem like we need to worry about
how to enforce frame-src from the isolated world's CSP, for example.

https://codereview.chromium.org/2655463006/diff/200001/content/common/navigat...
content/common/navigation_params.h:129: bool should_bypass_main_world_CSP;
On 2017/02/13 16:33:20, arthursonzogni wrote:
> On 2017/02/10 22:59:53, alexmos wrote:
> > Do we have tests that things work properly when this is true, with
PlzNavigate
> > enabled?
> 
> Yes, I did this to make this test work:
> http/tests/security/isolatedWorld/bypass-main-world-csp-iframes.html
> 
> I was able to remove the failure expectation from:
> third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation

Acknowledged.

https://codereview.chromium.org/2655463006/diff/200001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/loader/FrameLoader.cpp (right):

https://codereview.chromium.org/2655463006/diff/200001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/loader/FrameLoader.cpp:1644:
!browserSideNavigationEnabled) {
On 2017/02/13 16:33:20, arthursonzogni wrote:
> On 2017/02/10 22:59:53, alexmos wrote:
> > On 2017/02/10 16:42:22, arthursonzogni wrote:
> > > Note: It is possible to check the CSP with PlzNavigate on the browser-side
> and
> > > on the renderer-side at the same time, but I prevent this to happens
because
> > > 'shouldContinueForNavigationPolicy' is called two times with PlzNavigate:
> > > * One for the initial request.
> > > * A Second time when the request come back from the browser.
> > > The problem is that 'shouldCheckMainWorldContentSecurityPolicy' is does
not
> > > correspond to reality the second time.
> > 
> > I might be fuzzy on how this part works with PlzNavigate, but could you
> explain
> > more about what's wrong with shouldCheckMainWorldContentSecurityPolicy the
> > second time?
> 
> With PlzNavigate, we currently use a dirty hack to commit navigation inside
> blink. It is temporarily. After the navigation has been done in the browser,
it
> is committed inside the renderer. The browser sends a request to the renderer,
> but in a way, it is the response. It is essentially a request with a few
> attributes that tells the renderer that it doesn't have to submit a new
request
> and where it can find the response.
> So 2 requests are made, one for the request and one for the "response".
> 
> For the second request, the renderer doesn't know if the request was submitted
> from an isolated world and it will block the request if we don't prevent it to
> do so.

Acknowledged, thanks for the explanation.  Can you please add a brief comment
here about why this is disabled for PlzNavigate, and reference a bug (if you
have it) for removing that hack?

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
File content/browser/frame_host/interstitial_page_navigator_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/interstitial_page_navigator_impl.cc:45: );
nit: this looks a bit weird on its own line.  Can you just combine this with the
) on the previous line into "));"?  
If the comment outside the ) seems too weird, you could always use /*
should_bypass_main_world_csp */ inside the parens, like you do below.

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
File content/browser/frame_host/navigation_handle_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/navigation_handle_impl.cc:462: bool
NavigationHandleImpl::ShouldBypassMainWorldCSP() const {
nit: you can move this simple getter into to the header as
should_bypass_main_world_csp().

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
File content/browser/frame_host/navigation_handle_impl.h (right):

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/navigation_handle_impl.h:497: // instance from a
chrome extension. When it returns true, the navigation
nit: I'd also mention content scripts, and make it into a complete sentence (or
combine with previous one).  Also, "When it returns true," -> "When true,"
(nothing returned here).  Perhaps something like:  "Whether or not the
navigation has been started from an isolated world, such as from an extension
content script.  When true, the navigation should not be blocked by the parent
frame's CSP."

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/navigation_handle_impl.h:498: // should not be
blocked by the parent frame's Content-Security-Policy(CSP).
nit: probably mentioning one of Content Security Policy or CSP is enough.

https://codereview.chromium.org/2655463006/diff/240001/content/common/content...
File content/common/content_security_policy/csp_context.h (right):

https://codereview.chromium.org/2655463006/diff/240001/content/common/content...
content/common/content_security_policy/csp_context.h:87: // Whether or not the
violation happens after a redirection.
nit: s/redirection/redirect/

https://codereview.chromium.org/2655463006/diff/240001/content/public/browser...
File content/public/browser/navigation_handle.h (right):

https://codereview.chromium.org/2655463006/diff/240001/content/public/browser...
content/public/browser/navigation_handle.h:283: // instance from a
chrome-extension. When it returns true, the navigation
See my comment about the earlier copy of this comment :)

https://codereview.chromium.org/2655463006/diff/240001/third_party/WebKit/pub...
File third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
(right):

https://codereview.chromium.org/2655463006/diff/240001/third_party/WebKit/pub...
third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h:93: //
Whether or not the violation happens after a redirection.
nit: s/redirection/redirect/

arthursonzogni

Thanks alexmos@! https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_host/csp_context_impl.cc File content/browser/frame_host/csp_context_impl.cc (right): https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_host/csp_context_impl.cc#newcode22 content/browser/frame_host/csp_context_impl.cc:22: if (!current_frame_host) On 2017/02/14 06:57:19, alexmos (OOO ...

3 years, 10 months ago (2017-02-15 09:26:10 UTC) #42

Thanks alexmos@!

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.cc:22: if (!current_frame_host)
On 2017/02/14 06:57:19, alexmos (OOO until 2-21) wrote:
> On 2017/02/13 16:33:20, arthursonzogni wrote:
> > On 2017/02/10 22:59:53, alexmos wrote:
> > > Is this null check needed?
> > 
> > It is probably not needed indeed for this case(i.e. frame-src)
> > Maybe in the future if we choose to handle frame-ancestor on the
browser-side
> > and the response is 204-No-content?
> > 
> > Do you prefer to add a DCHECK for the moment to detect some edges cases we
are
> > not aware of?
> 
> I haven't ever seen any code null-checking current_frame_host(), out of
numerous
> call sites, so my assumption is that something else will break very quickly if
> it happens to be null.  You could add the DCHECK, but if it's null, we'll just
> crash on the next line and we will get some crash reports anyway, so I don't
> think it's really needed.
> 
> I'm not exactly sure how the 204 works, but that should keep the RFH created
> initially (in RFHM::Init), no?
> 
> See also this comment in ~RFHM:
>   // We should always have a current RenderFrameHost except in some tests.
>   SetRenderFrameHost(std::unique_ptr<RenderFrameHostImpl>());
> 
> (not sure what tests it's talking about, but I'd rather only include the
> null-check if any tests actually need it.)

You are probably right. I will remove the "if (!current_frame_host)".
I initially put this because of this patch:
https://codereview.chromium.org/2606933002/
But it doesn't apply to this case I think.

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
File content/browser/frame_host/interstitial_page_navigator_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/interstitial_page_navigator_impl.cc:45: );
On 2017/02/14 06:57:20, alexmos (OOO soon) wrote:
> nit: this looks a bit weird on its own line.  Can you just combine this with
the
> ) on the previous line into "));"?  
> If the comment outside the ) seems too weird, you could always use /*
> should_bypass_main_world_csp */ inside the parens, like you do below.

Yes, it looks weird to me too. The code formatter forces me to keep it like
this. I will apply your suggestion.

edit: I can't align the comments now :-(

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
File content/browser/frame_host/navigation_handle_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/navigation_handle_impl.cc:462: bool
NavigationHandleImpl::ShouldBypassMainWorldCSP() const {
On 2017/02/14 06:57:20, alexmos (OOO soon) wrote:
> nit: you can move this simple getter into to the header as
> should_bypass_main_world_csp().

Done, but I can't move the implementation in the header, it is disallowed by the
code formatter. Probably because it is an override.

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
File content/browser/frame_host/navigation_handle_impl.h (right):

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/navigation_handle_impl.h:497: // instance from a
chrome extension. When it returns true, the navigation
On 2017/02/14 06:57:20, alexmos (OOO soon) wrote:
> nit: I'd also mention content scripts, and make it into a complete sentence
(or
> combine with previous one).  Also, "When it returns true," -> "When true,"
> (nothing returned here).  Perhaps something like:  "Whether or not the
> navigation has been started from an isolated world, such as from an extension
> content script.  When true, the navigation should not be blocked by the parent
> frame's CSP."

Done.

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/navigation_handle_impl.h:498: // should not be
blocked by the parent frame's Content-Security-Policy(CSP).
On 2017/02/14 06:57:20, alexmos (OOO soon) wrote:
> nit: probably mentioning one of Content Security Policy or CSP is enough.

Done.

https://codereview.chromium.org/2655463006/diff/240001/content/common/content...
File content/common/content_security_policy/csp_context.h (right):

https://codereview.chromium.org/2655463006/diff/240001/content/common/content...
content/common/content_security_policy/csp_context.h:87: // Whether or not the
violation happens after a redirection.
On 2017/02/14 06:57:20, alexmos (OOO soon) wrote:
> nit: s/redirection/redirect/

Done.

https://codereview.chromium.org/2655463006/diff/240001/content/public/browser...
File content/public/browser/navigation_handle.h (right):

https://codereview.chromium.org/2655463006/diff/240001/content/public/browser...
content/public/browser/navigation_handle.h:283: // instance from a
chrome-extension. When it returns true, the navigation
On 2017/02/14 06:57:20, alexmos (OOO soon) wrote:
> See my comment about the earlier copy of this comment :)

Done.

https://codereview.chromium.org/2655463006/diff/240001/third_party/WebKit/pub...
File third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
(right):

https://codereview.chromium.org/2655463006/diff/240001/third_party/WebKit/pub...
third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h:93: //
Whether or not the violation happens after a redirection.
On 2017/02/14 06:57:20, alexmos (OOO soon) wrote:
> nit: s/redirection/redirect/

Done.

arthursonzogni

Description was changed from ========== PlzNavigate: Enforce frame-src CSP on the browser. Use a NavigationThrottle ...

3 years, 10 months ago (2017-02-15 16:14:02 UTC) #43

arthursonzogni

alexmos@, you asked if it would be possible to make this patch working without Plznavigate ...

3 years, 10 months ago (2017-02-15 17:02:16 UTC) #44

alexmos@, you asked if it would be possible to make this patch working without
Plznavigate as well.

I think there is two things I need to add to make it possible:
1) Passing shouldCheckMainWorldContentSecurityPolicy to the browser, like it was
done with PlzNavigate with common_params.should_check_main_world_csp.
2) Solving the error-page crash with the ChromeWebStore. I am working on a
solution in https://codereview.chromium.org/2697713005/, but it only works with
PlzNavigate.

It sounds feasible, but since we will try PlzNavigate on Canary ~the next week,
I really would like to commit this patch without non-plznavigate support and
works on it then.

A few others answers below:

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
File content/browser/frame_host/ancestor_throttle.cc (right):

https://codereview.chromium.org/2655463006/diff/200001/content/browser/frame_...
content/browser/frame_host/ancestor_throttle.cc:203: return
NavigationThrottle::BLOCK_REQUEST;
On 2017/02/13 16:33:20, arthursonzogni wrote:
> On 2017/02/10 22:59:53, alexmos wrote:
> > Will this result in loading a regular error page?  I remember we discussed
> > whether to load a blank page with a unique origin (data:,) temporarily until
> we
> > fix the error pages, because otherwise we can get the problems with the CWS
> kill
> > and more down the road as we tighten up CanCommitURL for OOPIFs
> > (https://crbug.com/622385, https://crbug.com/689733).  Can you check if you
> get
> > the kill in 622385 with this approach, if a parent page declares a CSP that
> > disallows the CWS URL?  Would the frame-src checks happen before XFO blocks
it
> > using BLOCK_RESPONSE, for which you used data:, when you moved XFO over to
the
> > browser?
> 
> Yes you are right. I forgot this.
> XFO checks happens after 'frame-src'.
> I will have to create a new ThrottleCheckResult for this.

I am working on a solution. See https://codereview.chromium.org/2697713005/
Now, the browser will not ask the renderer to commit an error page with an URL
that would make the browser kills the renderer if it tries to commit it.
Unfortunately, it only works with PlzNavigate.

https://codereview.chromium.org/2655463006/diff/200001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/loader/FrameLoader.cpp (right):

https://codereview.chromium.org/2655463006/diff/200001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/loader/FrameLoader.cpp:1644:
!browserSideNavigationEnabled) {
On 2017/02/14 06:57:20, alexmos (OOO until 2-21) wrote:
> On 2017/02/13 16:33:20, arthursonzogni wrote:
> > On 2017/02/10 22:59:53, alexmos wrote:
> > > On 2017/02/10 16:42:22, arthursonzogni wrote:
> > > > Note: It is possible to check the CSP with PlzNavigate on the
browser-side
> > and
> > > > on the renderer-side at the same time, but I prevent this to happens
> because
> > > > 'shouldContinueForNavigationPolicy' is called two times with
PlzNavigate:
> > > > * One for the initial request.
> > > > * A Second time when the request come back from the browser.
> > > > The problem is that 'shouldCheckMainWorldContentSecurityPolicy' is does
> not
> > > > correspond to reality the second time.
> > > 
> > > I might be fuzzy on how this part works with PlzNavigate, but could you
> > explain
> > > more about what's wrong with shouldCheckMainWorldContentSecurityPolicy the
> > > second time?
> > 
> > With PlzNavigate, we currently use a dirty hack to commit navigation inside
> > blink. It is temporarily. After the navigation has been done in the browser,
> it
> > is committed inside the renderer. The browser sends a request to the
renderer,
> > but in a way, it is the response. It is essentially a request with a few
> > attributes that tells the renderer that it doesn't have to submit a new
> request
> > and where it can find the response.
> > So 2 requests are made, one for the request and one for the "response".
> > 
> > For the second request, the renderer doesn't know if the request was
submitted
> > from an isolated world and it will block the request if we don't prevent it
to
> > do so.
> 
> Acknowledged, thanks for the explanation.  Can you please add a brief comment
> here about why this is disabled for PlzNavigate, and reference a bug (if you
> have it) for removing that hack?

Done. See http://crbug.com/692595

nasko

I'm personally ok landing this CL without unifying PlzNavigate and old navigation to behave the ...

3 years, 10 months ago (2017-02-15 21:28:45 UTC) #45

arthursonzogni

Thanks Nasko! A few response below: https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_host/csp_context_impl.h File content/browser/frame_host/csp_context_impl.h (right): https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_host/csp_context_impl.h#newcode14 content/browser/frame_host/csp_context_impl.h:14: class CSPContextImpl : ...

3 years, 10 months ago (2017-02-16 17:32:41 UTC) #46

arthursonzogni

Description was changed from ========== PlzNavigate: Enforce frame-src CSP on the browser. Use a NavigationThrottle ...

3 years, 10 months ago (2017-02-20 15:01:42 UTC) #47

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-20 15:01:44 UTC) #48

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/390001

3 years, 10 months ago (2017-02-20 15:02:16 UTC) #49

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-20 15:02:18 UTC) #50

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-20 15:32:02 UTC) #51

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-20 16:02:28 UTC) #52

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-20 16:23:19 UTC) #53

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/393744)

3 years, 10 months ago (2017-02-20 16:23:20 UTC) #54

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-21 08:47:10 UTC) #55

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/390001

3 years, 10 months ago (2017-02-21 08:47:26 UTC) #56

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-21 08:47:28 UTC) #57

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-21 09:01:47 UTC) #58

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-21 09:31:47 UTC) #59

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-21 10:01:40 UTC) #60

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-21 10:31:37 UTC) #61

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-21 11:01:49 UTC) #62

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-21 11:19:26 UTC) #63

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/394060)

3 years, 10 months ago (2017-02-21 11:19:27 UTC) #64

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-21 17:33:55 UTC) #65

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/430001

3 years, 10 months ago (2017-02-21 17:34:29 UTC) #66

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-21 17:34:31 UTC) #67

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-21 17:39:20 UTC) #68

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: ios-simulator on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/builds/158945) ios-simulator-xcode-clang on ...

3 years, 10 months ago (2017-02-21 17:39:21 UTC) #69

alexmos

On 2017/02/15 21:28:45, nasko (out until Feb 27th) wrote: > I'm personally ok landing this ...

3 years, 10 months ago (2017-02-22 02:30:52 UTC) #70

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-22 09:02:27 UTC) #72

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/470001

3 years, 10 months ago (2017-02-22 09:03:27 UTC) #73

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 09:03:29 UTC) #74

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 09:33:02 UTC) #75

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 10:02:41 UTC) #76

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 10:32:33 UTC) #77

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 11:02:15 UTC) #78

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-22 11:05:39 UTC) #79

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_browser_side_navigation_rel on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_browser_side_navigation_rel/builds/367)

3 years, 10 months ago (2017-02-22 11:05:40 UTC) #80

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-22 13:23:53 UTC) #81

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/470001

3 years, 10 months ago (2017-02-22 13:24:05 UTC) #82

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 13:24:08 UTC) #83

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 13:31:39 UTC) #84

arthursonzogni

In the latest patch, I applied suggestions from you(alexmos@) and nasko@, i.e moving the CSP ...

3 years, 10 months ago (2017-02-22 13:46:22 UTC) #85

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 14:02:34 UTC) #86

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 14:32:15 UTC) #87

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 15:02:35 UTC) #88

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-22 15:32:45 UTC) #89

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-22 15:50:49 UTC) #90

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_browser_side_navigation_rel on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_browser_side_navigation_rel/builds/370)

3 years, 10 months ago (2017-02-22 15:50:50 UTC) #91

alexmos

On 2017/02/22 13:46:22, arthursonzogni wrote: > In the latest patch, I applied suggestions from you(alexmos@) ...

3 years, 10 months ago (2017-02-23 02:37:15 UTC) #92

On 2017/02/22 13:46:22, arthursonzogni wrote:
> In the latest patch, I applied suggestions from you(alexmos@) and nasko@, i.e
> moving the CSP from the frame_tree_node to the render_frame_host. I hope I did
> it well.
> 
> So yes, the CL is in a stable shape right now. I got a patch failure in my
last
> git-try :(
> I would be happy to have one more pass through this CL, Thank you very much!
> 
> Nevertheless, it looks like I have a problem with:
> SiteDetailsBrowserTest.PlatformAppsNotIsolated
> 
> From what I understand, it is a PlatformApp, it loads a sandboxed iframe that
> tries to navigate toward 127.0.0.1
> 
> It can't because the CSP of a sandboxed iframe.
> kDefaultSandboxedPageContentSecurityPolicy(=> "frame-src 'self'")
> 
> The problems in the test is that
> details->GetOutOfProcessIframeCount() returns 1 instead of 0
> I think it is because we now loads an error page instead of loading nothing.
> I don't know exactly why it uses an out of process iframe for loading the
error
> page.
> 
> Due to http://crbug.com/612711, we are not isolating iframes from platform
apps
> with --isolate-extensions for the moment. That's what the test is checking.
> 
> I will investigate, but maybe you will have an immediate understanding of the
> problem since you know the details of site isolation.

I haven't followed that bug closely (lazyboy/creis would have more context), but
it seems like the test is just wrong now, since
https://codereview.chromium.org/2563843002 added those CSP restrictions to
disallow web content inside iframes on sandboxed app pages for good.  This is
supposed to be deprecated starting in M57 - see also https://crbug.com/615585. 
Perhaps ping lazyboy@ to double-check what the test should be doing now, if
anything?   That CL also removed the platform app exception from
DoesSiteRequireDedicatedProcess, which probably explains why the error page is
placed into an OOPIF.  Would this reintroduce the wrong storage partition kill
from 612711 for that error page, with PlzNavigate enabled?

alexmos

Thanks, this is looking good! Some more comments below. https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_host/navigation_handle_impl.cc File content/browser/frame_host/navigation_handle_impl.cc (right): https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_host/navigation_handle_impl.cc#newcode462 content/browser/frame_host/navigation_handle_impl.cc:462: ...

3 years, 10 months ago (2017-02-24 06:40:28 UTC) #94

lazyboy

On 2017/02/23 02:37:15, alexmos wrote: > On 2017/02/22 13:46:22, arthursonzogni wrote: > > In the ...

3 years, 10 months ago (2017-02-24 07:52:02 UTC) #95

On 2017/02/23 02:37:15, alexmos wrote:
> On 2017/02/22 13:46:22, arthursonzogni wrote:
> > In the latest patch, I applied suggestions from you(alexmos@) and nasko@,
i.e
> > moving the CSP from the frame_tree_node to the render_frame_host. I hope I
did
> > it well.
> > 
> > So yes, the CL is in a stable shape right now. I got a patch failure in my
> last
> > git-try :(
> > I would be happy to have one more pass through this CL, Thank you very much!
> > 
> > Nevertheless, it looks like I have a problem with:
> > SiteDetailsBrowserTest.PlatformAppsNotIsolated
> > 
> > From what I understand, it is a PlatformApp, it loads a sandboxed iframe
that
> > tries to navigate toward 127.0.0.1
> > 
> > It can't because the CSP of a sandboxed iframe.
> > kDefaultSandboxedPageContentSecurityPolicy(=> "frame-src 'self'")
> > 
> > The problems in the test is that
> > details->GetOutOfProcessIframeCount() returns 1 instead of 0
> > I think it is because we now loads an error page instead of loading nothing.
> > I don't know exactly why it uses an out of process iframe for loading the
> error
> > page.
> > 
> > Due to http://crbug.com/612711, we are not isolating iframes from platform
> apps
> > with --isolate-extensions for the moment. That's what the test is checking.
> > 
> > I will investigate, but maybe you will have an immediate understanding of
the
> > problem since you know the details of site isolation.
> 
> I haven't followed that bug closely (lazyboy/creis would have more context),
but
> it seems like the test is just wrong now, since
> https://codereview.chromium.org/2563843002 added those CSP restrictions to
> disallow web content inside iframes on sandboxed app pages for good.  This is
> supposed to be deprecated starting in M57 - see also https://crbug.com/615585.

> Perhaps ping lazyboy@ to double-check what the test should be doing now, if
> anything?
With crbug.com/615585 fixed, we won't allow web content inside sandbox
pages' iframes, so this test is incorrect and not doing anything anymore. We
should be able to delete this test.
   That CL also removed the platform app exception from
> DoesSiteRequireDedicatedProcess, which probably explains why the error page is
> placed into an OOPIF.  Would this reintroduce the wrong storage partition kill
> from 612711 for that error page, with PlzNavigate enabled?

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-24 14:59:38 UTC) #97

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/510001

3 years, 10 months ago (2017-02-24 14:59:58 UTC) #98

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-24 15:00:00 UTC) #99

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-24 15:01:53 UTC) #100

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-24 15:02:11 UTC) #101

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: ios-device on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds/159749) ios-simulator on ...

3 years, 10 months ago (2017-02-24 15:02:12 UTC) #102

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 10 months ago (2017-02-24 15:42:58 UTC) #103

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/550001

3 years, 10 months ago (2017-02-24 15:43:16 UTC) #104

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-24 15:43:19 UTC) #105

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-24 16:02:00 UTC) #107

arthursonzogni

Thanks @lazyboy! I made a patch for removing the test: https://codereview.chromium.org/2715933002/ Thanks @alexmos for the ...

3 years, 10 months ago (2017-02-24 16:13:30 UTC) #108

Thanks @lazyboy! I made a patch for removing the test:
https://codereview.chromium.org/2715933002/

Thanks @alexmos for the review!
I applied your suggestions, some answers below.

@alexmos:
> DoesSiteRequireDedicatedProcess, which probably explains why the error page is
> placed into an OOPIF.  Would this reintroduce the wrong storage partition kill
> from 612711 for that error page, with PlzNavigate enabled?

I tried to understand what you are speaking about. I found that
bad_message::ACI_WRONG_STORAGE_PARTITION is sent in
AppCacheInterceptor::CompleteCrossSiteTransfer(...)
But there is no cross site transferts with PlzNavigate, the right process is
chosen when we really know where the navigation ends.
So there is no kill. Is this okay?

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
File content/browser/frame_host/navigation_handle_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/240001/content/browser/frame_...
content/browser/frame_host/navigation_handle_impl.cc:462: bool
NavigationHandleImpl::ShouldBypassMainWorldCSP() const {
On 2017/02/24 06:40:27, alexmos wrote:
> On 2017/02/15 09:26:09, arthursonzogni wrote:
> > On 2017/02/14 06:57:20, alexmos (OOO soon) wrote:
> > > nit: you can move this simple getter into to the header as
> > > should_bypass_main_world_csp().
> > 
> > Done, but I can't move the implementation in the header, it is disallowed by
> the
> > code formatter. Probably because it is an override.
> 
> Ack, though that's surprising to me, as should_bypass_main_world_csp() is not
> overriding anything from NavigationHandle?

You are right, after this change, I removed the "override" and now it is
possible. Done :)

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.h (right):

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:14: class CSPContextImpl : public
CSPContext {
On 2017/02/24 06:40:27, alexmos wrote:
> On 2017/02/16 17:32:40, arthursonzogni wrote:
> > On 2017/02/15 21:28:44, nasko wrote:
> > > Why do we need to subclass?
> > Because I have to implement the virtual methods
> > 
> > The CSPContext represents the system on which the CSP are checked on. A
system
> > can report violation to the user, it can display messages on the console and
> it
> > tells you when the CSP should by bypassed.
> > 
> > By doing this, the CSP classes are not tied to anything like the CSP classes
> > inside blink were.
> > 
> > If one day, we want to check the CSP in another place, the network stack or
> the
> > renderer for instance, you can. You will just have to implement these 3
> > functions.
> > 
> > It is also useful in my test. I can make a custom implementation of
CSPContext
> > to check the console message and test what happens when a scheme is bypassed
> by
> > the CSP for instance.
> > 
> > > Also, missing a class level comment.
> > Done.
> 
> As an alternative to this, would it be easier if RenderFrameHostImpl just
> extended CSPContext and implemented the three functions directly?  Just
curious
> how this compares to having CSPContextImpl as an accessor on RFHI, since
> CSPContextImpl is tied to its RFHI anyway.

Yes, it might be a good idea.
I am just a little bit afraid of the method names of CSPContext are too simple.
I will rename some of them. For instance
Allow()           => AllowContentSecurityPolicy(),
ReportViolation() => ReportContentSecurityPolicyViolation();

https://codereview.chromium.org/2655463006/diff/470001/chrome/test/data/exten...
File chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html
(right):

https://codereview.chromium.org/2655463006/diff/470001/chrome/test/data/exten...
chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html:48: //
PlzNavigate: The first local frame has been replaced by an error page.
On 2017/02/24 06:40:27, alexmos wrote:
> nit: s/has been/will be/
> 
> Alternatively, we could just remove "the local frame will still be there. 
> Therefore, expect the local frame to respond again." and this sentence.  Since
> the eventual goal is to always go to the error page in both modes, and we will
> probably forget to go back and update this comment once we do that.  Just
saying
> that we rely on the SecurityPolicyViolationEvent to detect that the frame has
> been blocked might be good enough.

Done.

https://codereview.chromium.org/2655463006/diff/470001/content/browser/BUILD.gn
File content/browser/BUILD.gn (right):

https://codereview.chromium.org/2655463006/diff/470001/content/browser/BUILD....
content/browser/BUILD.gn:613: "frame_host/csp_context_impl.cc",
On 2017/02/24 06:40:27, alexmos wrote:
> Does this need the .h also?

Ack. (File removed)

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
File content/browser/frame_host/ancestor_throttle.cc (right):

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/ancestor_throttle.cc:172: // If PlzNavigate is
enabled, "frame-src" is enforced on the browser-side,
On 2017/02/24 06:40:27, alexmos wrote:
> nit: "browser side", "renderer side" (no -).  Same in some other places below
as
> well.

Done.

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.h (right):

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:14: // The CSPContext class
represents the system on which the CSP are enforced.
On 2017/02/24 06:40:27, alexmos wrote:
> nit: s/are/is/

Acknowledged. (File removed)

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:21:
CSPContextImpl(RenderFrameHostImpl* render_frame);
On 2017/02/24 06:40:27, alexmos wrote:
> nit: explicit

Acknowledged. (File removed)

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
File content/browser/frame_host/render_frame_host_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/render_frame_host_impl.cc:1847: const
std::vector<ContentSecurityPolicy>& policies) {
On 2017/02/24 06:40:27, alexmos wrote:
> This wasn't in this CL, but I'm a bit confused by this.  Why is this a vector?

> Wouldn't one header correspond to one policy?  (I.e., I thought this message
is
> sent multiple times, each time a new header, csp in <meta>, etc. is added --
so
> how does this correspond with this vector of policies?)

RFC2616, section 4.2 specifies that headers appearing multiple times can be
combined with a comma. So, you can have two CSP defined inside one header :(

We could split the header by comma and send the policies one by one if we wanted
to. I choose not to modify how the data in the frame_replication_state in my
patch. I think we can though.

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
File content/browser/frame_host/render_frame_host_impl.h (right):

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/render_frame_host_impl.h:632: const
std::vector<ContentSecurityPolicy>& content_security_policies() const {
On 2017/02/24 06:40:27, alexmos wrote:
> I wonder if content's ContentSecurityPolicy should just hide the fact that
there
> are multiple policies within itself.  I.e., behave similarly to Blink's
> ContentSecurityPolicy which I think stores the vector of m_policies
internally. 
> Then we won't need to pass this vector around whenever we want to check the
CSP,
> which would make the code in callers easier to follow.  Perhaps CSPContext
could
> be part of that too; i.e., it'd be nice to just say
> parent->content_security_policy()->Allow(CSPDirective::FrameSrc, url,
> is_redirect)), instead of dealing with CSPContexts and vectors of policies. 
Or
> are there reasons that it has to be organized like this?  (This is fine to
think
> about for a followup cleanup.)

The name of the classes inside blink confused me.
ContentSecurityPolicy is not a policy but the concept, it store several policies
and does what I do in CSPContext also.
DirectiveSourceList is the the policy :)

I am not sure what is the best thing. I will try to store the policies inside
the CSPContext, please tell me if it looks good to you.

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/render_frame_host_impl.h:636: void
ResetContentSecurityPolicy() { content_security_policies_.clear(); }
On 2017/02/24 06:40:27, alexmos wrote:
> Should this be ResetContentSecurityPolicies, since it's resetting a set of
> policies?

I copied FrameTreeNode::ResetContentSecurityPolicy, will 
Removed in the latest CL.

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/render_frame_host_impl.h:640: // policies.
RenderFrameHostImpl. Never null.
On 2017/02/24 06:40:27, alexmos wrote:
> Is "RenderFrameHostImpl." needed?

Removed in the latest CL.

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/render_frame_host_impl.h:1179:
std::vector<ContentSecurityPolicy> content_security_policies_;
On 2017/02/24 06:40:27, alexmos wrote:
> It might be good to document here why we need this to be a set of policies,
> rather than a single policy.  (I guess the explanation is in the comment for
> FrameHostMsg_DidAddContentSecurityPolicy?)

Removed in the latest CL.

https://codereview.chromium.org/2655463006/diff/470001/content/common/content...
File content/common/content_security_policy/csp_context.h (right):

https://codereview.chromium.org/2655463006/diff/470001/content/common/content...
content/common/content_security_policy/csp_context.h:64: bool
followed_redirect);
On 2017/02/24 06:40:27, alexmos wrote:
> after_redirect?  (that's what it's named below now)

Done.

I tried to follow the naming of @lukasza in the first place and then I switched
to after_redirect. Thanks.

https://codereview.chromium.org/2655463006/diff/470001/content/common/frame_m...
File content/common/frame_messages.h (right):

https://codereview.chromium.org/2655463006/diff/470001/content/common/frame_m...
content/common/frame_messages.h:920: content::CSPViolationParams /*
violation_params*/)
On 2017/02/24 06:40:27, alexmos wrote:
> nit: space before */

Done.

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/loader/FrameLoader.cpp (right):

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/loader/FrameLoader.cpp:1637: settings &&
settings->getBrowserSideNavigationEnabled();
On 2017/02/24 06:40:27, alexmos wrote:
> nit: could move this after the if statement below, which doesn't need this
> value.

Done.

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/loader/FrameLoader.cpp:1651: // can't be enforced
on both side instead.
On 2017/02/24 06:40:28, alexmos wrote:
> nit: s/side/sides/

Done.

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/loader/FrameLoaderClient.h (right):

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/loader/FrameLoaderClient.h:125:
ContentSecurityPolicyDisposition shouldBypassMainWorldCSP) = 0;
On 2017/02/24 06:40:28, alexmos wrote:
> This arg is named as if it's a bool, but it's not, and it sounds completely
> different from the enum's name. :)  Perhaps just policyDisposition?  It's
clear
> enough what it is for when you check it against the enum value.  (or you could
> actually pass this as a bool)

I agree. I will use shouldCheckMainWorldContentSecurityPolicy.

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
File third_party/WebKit/Source/web/WebLocalFrameImpl.cpp (right):

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:2075:
ContentSecurityPolicy::ViolationType::URLViolation); /* ViolationType */
On 2017/02/24 06:40:28, alexmos wrote:
> Does this still need to extract out and explicitly pass in the redirect info
> from the WebContentSecurityPolicyViolation?

I am not sure to understand, but if you mean that I forgot to pass
violation.after_redirect, yes this is really important.

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-24 16:34:00 UTC) #109

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-24 17:03:31 UTC) #110

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 10 months ago (2017-02-24 17:32:50 UTC) #111

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 10 months ago (2017-02-24 17:48:45 UTC) #112

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_browser_side_navigation_rel on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_browser_side_navigation_rel/builds/375)

3 years, 10 months ago (2017-02-24 17:48:46 UTC) #113

Charlie Reis

On 2017/02/24 16:13:30, arthursonzogni wrote: > Thanks @lazyboy! I made a patch for removing the ...

3 years, 10 months ago (2017-02-24 21:58:35 UTC) #114

alexmos

Thanks! A couple more nits, a question for Nasko below, and we still need to ...

3 years, 9 months ago (2017-03-01 02:22:28 UTC) #115

Thanks!  A couple more nits, a question for Nasko below, and we still need to
figure out the situation around the wrong storage partition for the error page;
otherwise this looks good from my side.  I'll see if I can dig some more into
Charlie's storage partition questions tomorrow.

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.h (right):

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:14: class CSPContextImpl : public
CSPContext {
On 2017/02/24 16:13:29, arthursonzogni wrote:
> On 2017/02/24 06:40:27, alexmos wrote:
> > On 2017/02/16 17:32:40, arthursonzogni wrote:
> > > On 2017/02/15 21:28:44, nasko wrote:
> > > > Why do we need to subclass?
> > > Because I have to implement the virtual methods
> > > 
> > > The CSPContext represents the system on which the CSP are checked on. A
> system
> > > can report violation to the user, it can display messages on the console
and
> > it
> > > tells you when the CSP should by bypassed.
> > > 
> > > By doing this, the CSP classes are not tied to anything like the CSP
classes
> > > inside blink were.
> > > 
> > > If one day, we want to check the CSP in another place, the network stack
or
> > the
> > > renderer for instance, you can. You will just have to implement these 3
> > > functions.
> > > 
> > > It is also useful in my test. I can make a custom implementation of
> CSPContext
> > > to check the console message and test what happens when a scheme is
bypassed
> > by
> > > the CSP for instance.
> > > 
> > > > Also, missing a class level comment.
> > > Done.
> > 
> > As an alternative to this, would it be easier if RenderFrameHostImpl just
> > extended CSPContext and implemented the three functions directly?  Just
> curious
> > how this compares to having CSPContextImpl as an accessor on RFHI, since
> > CSPContextImpl is tied to its RFHI anyway.
> 
> Yes, it might be a good idea.
> I am just a little bit afraid of the method names of CSPContext are too
simple.
> I will rename some of them. For instance
> Allow()           => AllowContentSecurityPolicy(),
> ReportViolation() => ReportContentSecurityPolicyViolation();

Thanks for trying this out!  On one hand, I like the simplification and that we
don't need to pass the rfh->content_security_policies() as an arg anymore.  On
the other hand, it was nice to have all CSP methods grouped into one object,
i.e. it'd be still nice to write the Allow check as something like
rfh->content_security_policy()->Allow(...).  I'm not too thrilled by the name
AllowContentSecurityPolicy, as it sounds like it's "allowing a CSP", rather than
checking the frame's CSP to see if a directive is allowed; perhaps we can come
up with a better name.  I'm curious what Nasko thinks here.  Nasko?

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
File content/browser/frame_host/render_frame_host_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/render_frame_host_impl.cc:1847: const
std::vector<ContentSecurityPolicy>& policies) {
On 2017/02/24 16:13:29, arthursonzogni wrote:
> On 2017/02/24 06:40:27, alexmos wrote:
> > This wasn't in this CL, but I'm a bit confused by this.  Why is this a
vector?
> 
> > Wouldn't one header correspond to one policy?  (I.e., I thought this message
> is
> > sent multiple times, each time a new header, csp in <meta>, etc. is added --
> so
> > how does this correspond with this vector of policies?)
> 
> RFC2616, section 4.2 specifies that headers appearing multiple times can be
> combined with a comma. So, you can have two CSP defined inside one header :(
> 
> We could split the header by comma and send the policies one by one if we
wanted
> to. I choose not to modify how the data in the frame_replication_state in my
> patch. I think we can though.

Acknowledged.  I didn't know this, and indeed, Blink's
ContentSecurityPolicy::addPolicyFromHeaderValue handles exactly this.  It'd be
nice to add a comment to explain this, as it's not obvious.

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
File third_party/WebKit/Source/web/WebLocalFrameImpl.cpp (right):

https://codereview.chromium.org/2655463006/diff/470001/third_party/WebKit/Sou...
third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:2075:
ContentSecurityPolicy::ViolationType::URLViolation); /* ViolationType */
On 2017/02/24 16:13:30, arthursonzogni wrote:
> On 2017/02/24 06:40:28, alexmos wrote:
> > Does this still need to extract out and explicitly pass in the redirect info
> > from the WebContentSecurityPolicyViolation?
> 
> I am not sure to understand, but if you mean that I forgot to pass
> violation.after_redirect, yes this is really important.

Yes, this is what I meant.  Thanks for fixing it!

https://codereview.chromium.org/2655463006/diff/550001/content/browser/frame_...
File content/browser/frame_host/navigator_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/550001/content/browser/frame_...
content/browser/frame_host/navigator_impl.cc:617:
render_frame_host->frame_tree_node()->ResetContentSecurityPolicy();
It looks a bit weird to call something to reset CSP twice on both RFH and FTN. 
Perhaps we could combine them somehow and call one from the other, or rename the
FTN ResetContentSecurityPolicy into something like ResetCSPHeaders, since it's
really about resetting replicated CSP headers.  Not that big of a deal.

https://codereview.chromium.org/2655463006/diff/550001/third_party/WebKit/Sou...
File third_party/WebKit/Source/web/WebLocalFrameImpl.cpp (right):

https://codereview.chromium.org/2655463006/diff/550001/third_party/WebKit/Sou...
third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:2078: // See
http://crbug.com/690946  //
nit: remove extra // at the end

nasko

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_host/csp_context_impl.h File content/browser/frame_host/csp_context_impl.h (right): https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_host/csp_context_impl.h#newcode14 content/browser/frame_host/csp_context_impl.h:14: class CSPContextImpl : public CSPContext { On 2017/03/01 02:22:28, ...

3 years, 9 months ago (2017-03-03 23:16:53 UTC) #116

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.h (right):

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:14: class CSPContextImpl : public
CSPContext {
On 2017/03/01 02:22:28, alexmos wrote:
> On 2017/02/24 16:13:29, arthursonzogni wrote:
> > On 2017/02/24 06:40:27, alexmos wrote:
> > > On 2017/02/16 17:32:40, arthursonzogni wrote:
> > > > On 2017/02/15 21:28:44, nasko wrote:
> > > > > Why do we need to subclass?
> > > > Because I have to implement the virtual methods
> > > > 
> > > > The CSPContext represents the system on which the CSP are checked on. A
> > system
> > > > can report violation to the user, it can display messages on the console
> and
> > > it
> > > > tells you when the CSP should by bypassed.
> > > > 
> > > > By doing this, the CSP classes are not tied to anything like the CSP
> classes
> > > > inside blink were.
> > > > 
> > > > If one day, we want to check the CSP in another place, the network stack
> or
> > > the
> > > > renderer for instance, you can. You will just have to implement these 3
> > > > functions.
> > > > 
> > > > It is also useful in my test. I can make a custom implementation of
> > CSPContext
> > > > to check the console message and test what happens when a scheme is
> bypassed
> > > by
> > > > the CSP for instance.
> > > > 
> > > > > Also, missing a class level comment.
> > > > Done.
> > > 
> > > As an alternative to this, would it be easier if RenderFrameHostImpl just
> > > extended CSPContext and implemented the three functions directly?  Just
> > curious
> > > how this compares to having CSPContextImpl as an accessor on RFHI, since
> > > CSPContextImpl is tied to its RFHI anyway.
> > 
> > Yes, it might be a good idea.
> > I am just a little bit afraid of the method names of CSPContext are too
> simple.
> > I will rename some of them. For instance
> > Allow()           => AllowContentSecurityPolicy(),
> > ReportViolation() => ReportContentSecurityPolicyViolation();
> 
> Thanks for trying this out!  On one hand, I like the simplification and that
we
> don't need to pass the rfh->content_security_policies() as an arg anymore.  On
> the other hand, it was nice to have all CSP methods grouped into one object,
> i.e. it'd be still nice to write the Allow check as something like
> rfh->content_security_policy()->Allow(...).  I'm not too thrilled by the name
> AllowContentSecurityPolicy, as it sounds like it's "allowing a CSP", rather
than
> checking the frame's CSP to see if a directive is allowed; perhaps we can come
> up with a better name.  I'm curious what Nasko thinks here.  Nasko?

I like the methods being folded into RFH and avoiding the Impl class. What if we
rename the allow method to be a bit more intuitive when read - IsAllowedByCsp?
Or something similar?

alexmos

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_host/csp_context_impl.h File content/browser/frame_host/csp_context_impl.h (right): https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_host/csp_context_impl.h#newcode14 content/browser/frame_host/csp_context_impl.h:14: class CSPContextImpl : public CSPContext { On 2017/03/03 23:16:53, ...

3 years, 9 months ago (2017-03-03 23:40:35 UTC) #117

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.h (right):

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:14: class CSPContextImpl : public
CSPContext {
On 2017/03/03 23:16:53, nasko (slow) wrote:
> On 2017/03/01 02:22:28, alexmos wrote:
> > On 2017/02/24 16:13:29, arthursonzogni wrote:
> > > On 2017/02/24 06:40:27, alexmos wrote:
> > > > On 2017/02/16 17:32:40, arthursonzogni wrote:
> > > > > On 2017/02/15 21:28:44, nasko wrote:
> > > > > > Why do we need to subclass?
> > > > > Because I have to implement the virtual methods
> > > > > 
> > > > > The CSPContext represents the system on which the CSP are checked on.
A
> > > system
> > > > > can report violation to the user, it can display messages on the
console
> > and
> > > > it
> > > > > tells you when the CSP should by bypassed.
> > > > > 
> > > > > By doing this, the CSP classes are not tied to anything like the CSP
> > classes
> > > > > inside blink were.
> > > > > 
> > > > > If one day, we want to check the CSP in another place, the network
stack
> > or
> > > > the
> > > > > renderer for instance, you can. You will just have to implement these
3
> > > > > functions.
> > > > > 
> > > > > It is also useful in my test. I can make a custom implementation of
> > > CSPContext
> > > > > to check the console message and test what happens when a scheme is
> > bypassed
> > > > by
> > > > > the CSP for instance.
> > > > > 
> > > > > > Also, missing a class level comment.
> > > > > Done.
> > > > 
> > > > As an alternative to this, would it be easier if RenderFrameHostImpl
just
> > > > extended CSPContext and implemented the three functions directly?  Just
> > > curious
> > > > how this compares to having CSPContextImpl as an accessor on RFHI, since
> > > > CSPContextImpl is tied to its RFHI anyway.
> > > 
> > > Yes, it might be a good idea.
> > > I am just a little bit afraid of the method names of CSPContext are too
> > simple.
> > > I will rename some of them. For instance
> > > Allow()           => AllowContentSecurityPolicy(),
> > > ReportViolation() => ReportContentSecurityPolicyViolation();
> > 
> > Thanks for trying this out!  On one hand, I like the simplification and that
> we
> > don't need to pass the rfh->content_security_policies() as an arg anymore. 
On
> > the other hand, it was nice to have all CSP methods grouped into one object,
> > i.e. it'd be still nice to write the Allow check as something like
> > rfh->content_security_policy()->Allow(...).  I'm not too thrilled by the
name
> > AllowContentSecurityPolicy, as it sounds like it's "allowing a CSP", rather
> than
> > checking the frame's CSP to see if a directive is allowed; perhaps we can
come
> > up with a better name.  I'm curious what Nasko thinks here.  Nasko?
> 
> I like the methods being folded into RFH and avoiding the Impl class. What if
we
> rename the allow method to be a bit more intuitive when read - IsAllowedByCsp?
> Or something similar?

I like IsAllowedByCsp() - I think we can go with that.

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 9 months ago (2017-03-06 15:04:10 UTC) #118

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/590001

3 years, 9 months ago (2017-03-06 15:04:22 UTC) #119

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-06 15:04:27 UTC) #120

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 9 months ago (2017-03-06 15:07:16 UTC) #121

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: ios-device on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds/165100) ios-device-xcode-clang on ...

3 years, 9 months ago (2017-03-06 15:07:18 UTC) #122

arthursonzogni

I was OOO the last week, I am back. Thanks everyone! I think I fixed ...

3 years, 9 months ago (2017-03-06 15:09:02 UTC) #123

I was OOO the last week, I am back.

Thanks everyone!
I think I fixed the remaining comments.

In addition, this are two sub patches that should fix the problem with OOPIF
error pages in Platform Apps.
https://codereview.chromium.org/2732883003/
https://codereview.chromium.org/2715933002/

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
File content/browser/frame_host/csp_context_impl.h (right):

https://codereview.chromium.org/2655463006/diff/330001/content/browser/frame_...
content/browser/frame_host/csp_context_impl.h:14: class CSPContextImpl : public
CSPContext {
On 2017/03/03 23:40:35, alexmos wrote:
> On 2017/03/03 23:16:53, nasko (slow) wrote:
> > On 2017/03/01 02:22:28, alexmos wrote:
> > > On 2017/02/24 16:13:29, arthursonzogni wrote:
> > > > On 2017/02/24 06:40:27, alexmos wrote:
> > > > > On 2017/02/16 17:32:40, arthursonzogni wrote:
> > > > > > On 2017/02/15 21:28:44, nasko wrote:
> > > > > > > Why do we need to subclass?
> > > > > > Because I have to implement the virtual methods
> > > > > > 
> > > > > > The CSPContext represents the system on which the CSP are checked
on.
> A
> > > > system
> > > > > > can report violation to the user, it can display messages on the
> console
> > > and
> > > > > it
> > > > > > tells you when the CSP should by bypassed.
> > > > > > 
> > > > > > By doing this, the CSP classes are not tied to anything like the CSP
> > > classes
> > > > > > inside blink were.
> > > > > > 
> > > > > > If one day, we want to check the CSP in another place, the network
> stack
> > > or
> > > > > the
> > > > > > renderer for instance, you can. You will just have to implement
these
> 3
> > > > > > functions.
> > > > > > 
> > > > > > It is also useful in my test. I can make a custom implementation of
> > > > CSPContext
> > > > > > to check the console message and test what happens when a scheme is
> > > bypassed
> > > > > by
> > > > > > the CSP for instance.
> > > > > > 
> > > > > > > Also, missing a class level comment.
> > > > > > Done.
> > > > > 
> > > > > As an alternative to this, would it be easier if RenderFrameHostImpl
> just
> > > > > extended CSPContext and implemented the three functions directly? 
Just
> > > > curious
> > > > > how this compares to having CSPContextImpl as an accessor on RFHI,
since
> > > > > CSPContextImpl is tied to its RFHI anyway.
> > > > 
> > > > Yes, it might be a good idea.
> > > > I am just a little bit afraid of the method names of CSPContext are too
> > > simple.
> > > > I will rename some of them. For instance
> > > > Allow()           => AllowContentSecurityPolicy(),
> > > > ReportViolation() => ReportContentSecurityPolicyViolation();
> > > 
> > > Thanks for trying this out!  On one hand, I like the simplification and
that
> > we
> > > don't need to pass the rfh->content_security_policies() as an arg anymore.

> On
> > > the other hand, it was nice to have all CSP methods grouped into one
object,
> > > i.e. it'd be still nice to write the Allow check as something like
> > > rfh->content_security_policy()->Allow(...).  I'm not too thrilled by the
> name
> > > AllowContentSecurityPolicy, as it sounds like it's "allowing a CSP",
rather
> > than
> > > checking the frame's CSP to see if a directive is allowed; perhaps we can
> come
> > > up with a better name.  I'm curious what Nasko thinks here.  Nasko?
> > 
> > I like the methods being folded into RFH and avoiding the Impl class. What
if
> we
> > rename the allow method to be a bit more intuitive when read -
IsAllowedByCsp?
> > Or something similar?
> 
> I like IsAllowedByCsp() - I think we can go with that.

Done.

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
File content/browser/frame_host/render_frame_host_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/470001/content/browser/frame_...
content/browser/frame_host/render_frame_host_impl.cc:1847: const
std::vector<ContentSecurityPolicy>& policies) {
On 2017/03/01 02:22:28, alexmos wrote:
> On 2017/02/24 16:13:29, arthursonzogni wrote:
> > On 2017/02/24 06:40:27, alexmos wrote:
> > > This wasn't in this CL, but I'm a bit confused by this.  Why is this a
> vector?
> > 
> > > Wouldn't one header correspond to one policy?  (I.e., I thought this
message
> > is
> > > sent multiple times, each time a new header, csp in <meta>, etc. is added
--
> > so
> > > how does this correspond with this vector of policies?)
> > 
> > RFC2616, section 4.2 specifies that headers appearing multiple times can be
> > combined with a comma. So, you can have two CSP defined inside one header :(
> > 
> > We could split the header by comma and send the policies one by one if we
> wanted
> > to. I choose not to modify how the data in the frame_replication_state in my
> > patch. I think we can though.
> 
> Acknowledged.  I didn't know this, and indeed, Blink's
> ContentSecurityPolicy::addPolicyFromHeaderValue handles exactly this.  It'd be
> nice to add a comment to explain this, as it's not obvious.

I will add a comment.
FYI, the |policies| argument could be empty if the |header| contain an invalid
policy.

https://codereview.chromium.org/2655463006/diff/550001/content/browser/frame_...
File content/browser/frame_host/navigator_impl.cc (right):

https://codereview.chromium.org/2655463006/diff/550001/content/browser/frame_...
content/browser/frame_host/navigator_impl.cc:617:
render_frame_host->frame_tree_node()->ResetContentSecurityPolicy();
On 2017/03/01 02:22:28, alexmos wrote:
> It looks a bit weird to call something to reset CSP twice on both RFH and FTN.

> Perhaps we could combine them somehow and call one from the other, or rename
the
> FTN ResetContentSecurityPolicy into something like ResetCSPHeaders, since it's
> really about resetting replicated CSP headers.  Not that big of a deal.

Done.

alexmos

Thanks for all the work on this! LGTM once Nasko fixes the blocking error page ...

3 years, 9 months ago (2017-03-13 17:26:26 UTC) #124

ncarter (slow)

nick@chromium.org changed reviewers: + nick@chromium.org

3 years, 9 months ago (2017-03-13 18:44:27 UTC) #125

ncarter (slow)

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_messages.h File content/common/frame_messages.h (right): https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_messages.h#newcode345 content/common/frame_messages.h:345: IPC_STRUCT_TRAITS_MEMBER(should_bypass_main_world_csp) I'm wondering if we ought to consider making ...

3 years, 9 months ago (2017-03-13 18:44:29 UTC) #126

dcheng

dcheng@chromium.org changed reviewers: + dcheng@chromium.org

3 years, 9 months ago (2017-03-13 19:02:52 UTC) #127

dcheng

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/Source/core/frame/LocalFrameClient.h File third_party/WebKit/Source/core/frame/LocalFrameClient.h (right): https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/Source/core/frame/LocalFrameClient.h#newcode127 third_party/WebKit/Source/core/frame/LocalFrameClient.h:127: shouldCheckMainWorldContentSecurityPolicy) = 0; Main world or main frame? https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h ...

3 years, 9 months ago (2017-03-13 19:02:54 UTC) #128

ncarter (slow)

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/Source/core/frame/LocalFrameClient.h File third_party/WebKit/Source/core/frame/LocalFrameClient.h (right): https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/Source/core/frame/LocalFrameClient.h#newcode127 third_party/WebKit/Source/core/frame/LocalFrameClient.h:127: shouldCheckMainWorldContentSecurityPolicy) = 0; On 2017/03/13 19:02:54, dcheng wrote: > ...

3 years, 9 months ago (2017-03-13 21:18:53 UTC) #129

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 9 months ago (2017-03-14 10:32:06 UTC) #130

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/630001

3 years, 9 months ago (2017-03-14 10:32:24 UTC) #131

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-14 10:32:27 UTC) #132

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-14 11:01:51 UTC) #133

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-14 11:31:32 UTC) #134

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-14 12:01:38 UTC) #135

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-14 12:31:51 UTC) #136

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-14 13:02:01 UTC) #137

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 9 months ago (2017-03-14 13:07:34 UTC) #138

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/408174)

3 years, 9 months ago (2017-03-14 13:07:37 UTC) #139

arthursonzogni

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_messages.h File content/common/frame_messages.h (right): https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_messages.h#newcode345 content/common/frame_messages.h:345: IPC_STRUCT_TRAITS_MEMBER(should_bypass_main_world_csp) On 2017/03/13 18:44:29, ncarter wrote: > I'm wondering ...

3 years, 9 months ago (2017-03-14 15:38:57 UTC) #140

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_m...
File content/common/frame_messages.h (right):

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_m...
content/common/frame_messages.h:345:
IPC_STRUCT_TRAITS_MEMBER(should_bypass_main_world_csp)
On 2017/03/13 18:44:29, ncarter wrote:
> I'm wondering if we ought to consider making this be the url::Origin
> corresponding to the SecurityOrigin of the isolated world in which the
> navigation originated (or a null origin, if it's the main world)?

I lack knowledge about isolated world. Okay, there is CSPs for extensions
too and they are not used for now. It seems to me that they are not even stored
in blink. Blink only knows that they are defined, but not what they are.

I was thinking about frame-src. In the future, if we were able to apply
the isolated world CSPs. Should we apply any extension's CSPs when the
request is initiated by an user-script for the frame-src case? I ask this
because frame-src doesn't use the CSP of the document that has initiated the
navigation, but the CSPs of the parent of the document that is navigating.

Does someone else want to say something?

https://codereview.chromium.org/2655463006/diff/590001/content/renderer/conte...
File content/renderer/content_security_policy_util.h (right):

https://codereview.chromium.org/2655463006/diff/590001/content/renderer/conte...
content/renderer/content_security_policy_util.h:14: // Convert a
WebContentSecurityPolicy into a CSPPolicy. These two classes
On 2017/03/13 17:26:26, alexmos wrote:
> nit: CSPPolicy => ContentSecurityPolicy, since that's what's returned from
this?

Thanks!

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/pub...
File third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
(right):

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/pub...
third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h:75: // The
name of the directive that infringe the policy. |directive| might be a
On 2017/03/13 17:26:26, alexmos wrote:
> nit: s/infringe/violates/

Done.

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/pub...
third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h:90:
WebVector<WebString> reportEndpoints;
On 2017/03/13 19:02:54, dcheng wrote:
> Can we use WebURL if these are URLs?

I don't know. Blink uses a Vector<String> in CPDirectiveList.h
I would have to convert it into an URL and then back to a string when it comes
back to blink.

I am not sure it is 100% related, but I think it is nice to keep it as string
because of the Reporting API that will launch:
https://www.w3.org/TR/2016/NOTE-reporting-1-20160607/

Summary:
```
It allows web developers to associate a set of named reporting endpoints with an
origin. Various platform features (like Content Security Policy, Network Error
Reporting, and others) will use these endpoints to deliver feature-specific
reports in a consistent manner.
```

dcheng

Blink LGTM with two comments. Changing the report endpoints list to hold a URL can ...

3 years, 9 months ago (2017-03-16 08:34:47 UTC) #141

Blink LGTM with two comments.

Changing the report endpoints list to hold a URL can wait for a followup CL; if
possible, it would be nice to use an enum value rather than a bool for the new
parameter though (since often times, we need an inline comment to document what
false/true means anyway).

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/pub...
File third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
(right):

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/pub...
third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h:90:
WebVector<WebString> reportEndpoints;
On 2017/03/14 15:38:57, arthursonzogni wrote:
> On 2017/03/13 19:02:54, dcheng wrote:
> > Can we use WebURL if these are URLs?
> 
> I don't know. Blink uses a Vector<String> in CPDirectiveList.h
> I would have to convert it into an URL and then back to a string when it comes
> back to blink.
> 
> I am not sure it is 100% related, but I think it is nice to keep it as string
> because of the Reporting API that will launch:
> https://www.w3.org/TR/2016/NOTE-reporting-1-20160607/
> 
> Summary:
> ```
> It allows web developers to associate a set of named reporting endpoints with
an
> origin. Various platform features (like Content Security Policy, Network Error
> Reporting, and others) will use these endpoints to deliver feature-specific
> reports in a consistent manner.
> ```

I talked with mkwst, and he's OK with changing this to use WebURL/KURL/GURL
throughout (since we convert to a KURL eventually anyway). The reporting API
linked there will use a new directive.

As this involves changing other random plumbing that's not necessarily related
to this CL though... would you be OK with addressing this in a followup?

https://codereview.chromium.org/2655463006/diff/630001/third_party/WebKit/pub...
File third_party/WebKit/public/web/WebFrameClient.h (right):

https://codereview.chromium.org/2655463006/diff/630001/third_party/WebKit/pub...
third_party/WebKit/public/web/WebFrameClient.h:303: bool
shouldBypassMainWorldCSP;
I would encourage the use of an enum for this (and similarly in the content
layer): having so many bool parameters can be a little unreadable.

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 9 months ago (2017-03-16 15:32:45 UTC) #142

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/670001

3 years, 9 months ago (2017-03-16 15:33:09 UTC) #143

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 15:33:13 UTC) #144

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 9 months ago (2017-03-16 15:40:14 UTC) #146

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/690001

3 years, 9 months ago (2017-03-16 15:40:41 UTC) #147

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 15:40:45 UTC) #148

arthursonzogni

Thanks for the review! A few comments below: https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h File third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h (right): https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h#newcode90 third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h:90: WebVector<WebString> ...

3 years, 9 months ago (2017-03-16 15:47:37 UTC) #149

Thanks for the review!
A few comments below:

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/pub...
File third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
(right):

https://codereview.chromium.org/2655463006/diff/590001/third_party/WebKit/pub...
third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h:90:
WebVector<WebString> reportEndpoints;
On 2017/03/16 08:34:46, dcheng wrote:
> On 2017/03/14 15:38:57, arthursonzogni wrote:
> > On 2017/03/13 19:02:54, dcheng wrote:
> > > Can we use WebURL if these are URLs?
> > 
> > I don't know. Blink uses a Vector<String> in CPDirectiveList.h
> > I would have to convert it into an URL and then back to a string when it
comes
> > back to blink.
> > 
> > I am not sure it is 100% related, but I think it is nice to keep it as
string
> > because of the Reporting API that will launch:
> > https://www.w3.org/TR/2016/NOTE-reporting-1-20160607/
> > 
> > Summary:
> > ```
> > It allows web developers to associate a set of named reporting endpoints
with
> an
> > origin. Various platform features (like Content Security Policy, Network
Error
> > Reporting, and others) will use these endpoints to deliver feature-specific
> > reports in a consistent manner.
> > ```
> 
> I talked with mkwst, and he's OK with changing this to use WebURL/KURL/GURL
> throughout (since we convert to a KURL eventually anyway). The reporting API
> linked there will use a new directive.
> 
> As this involves changing other random plumbing that's not necessarily related
> to this CL though... would you be OK with addressing this in a followup?

Thank you for clarifying that. I will address it in a followup.

https://codereview.chromium.org/2655463006/diff/630001/third_party/WebKit/pub...
File third_party/WebKit/public/web/WebFrameClient.h (right):

https://codereview.chromium.org/2655463006/diff/630001/third_party/WebKit/pub...
third_party/WebKit/public/web/WebFrameClient.h:303: bool
shouldBypassMainWorldCSP;
On 2017/03/16 08:34:47, dcheng wrote:
> I would encourage the use of an enum for this (and similarly in the content
> layer): having so many bool parameters can be a little unreadable.

By seeing all of these booleans, I thought that I had to do the same, that it
was a sort of implicit coding style rule that applies to content/ and that is
different from the blink's one.
Thanks for the information.

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 9 months ago (2017-03-16 15:50:21 UTC) #150

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linux/builds/328244)

3 years, 9 months ago (2017-03-16 15:50:22 UTC) #151

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 9 months ago (2017-03-16 15:56:28 UTC) #154

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/730001

3 years, 9 months ago (2017-03-16 15:57:21 UTC) #155

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 15:57:25 UTC) #156

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 16:02:33 UTC) #157

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 16:32:12 UTC) #158

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 17:02:05 UTC) #159

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 17:32:43 UTC) #160

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 18:02:43 UTC) #161

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-16 18:32:31 UTC) #162

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 9 months ago (2017-03-16 18:48:34 UTC) #163

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_chromium_browser_side_navigation_rel on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_browser_side_navigation_rel/builds/405)

3 years, 9 months ago (2017-03-16 18:48:36 UTC) #164

nasko

It looks like there are some tests that are failing with Site Isolation: SitePerProcessBrowserTest.CrossSiteIframeBlockedByParentCSPFromMeta SitePerProcessBrowserTest.CrossSiteIframeBlockedByCSPInheritedBySrcDocParent ...

3 years, 9 months ago (2017-03-16 22:00:33 UTC) #165

alexmos

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_messages.h File content/common/frame_messages.h (right): https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_messages.h#newcode345 content/common/frame_messages.h:345: IPC_STRUCT_TRAITS_MEMBER(should_bypass_main_world_csp) On 2017/03/14 15:38:57, arthursonzogni wrote: > On 2017/03/13 ...

3 years, 9 months ago (2017-03-17 00:24:27 UTC) #166

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_m...
File content/common/frame_messages.h (right):

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_m...
content/common/frame_messages.h:345:
IPC_STRUCT_TRAITS_MEMBER(should_bypass_main_world_csp)
On 2017/03/14 15:38:57, arthursonzogni wrote:
> On 2017/03/13 18:44:29, ncarter wrote:
> > I'm wondering if we ought to consider making this be the url::Origin
> > corresponding to the SecurityOrigin of the isolated world in which the
> > navigation originated (or a null origin, if it's the main world)?
> 
> I lack knowledge about isolated world. Okay, there is CSPs for extensions
> too and they are not used for now. It seems to me that they are not even
stored
> in blink. Blink only knows that they are defined, but not what they are.
> 
> I was thinking about frame-src. In the future, if we were able to apply
> the isolated world CSPs. Should we apply any extension's CSPs when the
> request is initiated by an user-script for the frame-src case? I ask this
> because frame-src doesn't use the CSP of the document that has initiated the
> navigation, but the CSPs of the parent of the document that is navigating.
> 
> Does someone else want to say something?

Our docs say that "content scripts are generally not subject to the CSP of the
extension", and additionally, "the CSP of the page does not apply to content
scripts".
https://developer.chrome.com/extensions/contentSecurityPolicy#interactions

Given that people have been building extensions under these expectations, it
seems hard to start enforcing any kind of CSP for content scripts.  Would the
extension needs to declare a separate CSP for content scripts, since the default
extension CSP applies to background pages and event pages, but here we'd need to
apply it to regular web pages?  I don't know if the FIXME is actually fixable.

I agree with Nick that having an origin here would at least let the browser
process verify that there's an extension with a content script that was supposed
to run on the page that sent this, to minimize malicious renderers misusing this
to bypass CSP.  Not much, but better than nothing.  However, given the amount of
plumbing involved, I'm ok not blocking this CL on it and exploring this in a
followup.  Perhaps you can file a bug to explore ways to lock down the use of
this flag so we don't forget?

arthursonzogni

On 2017/03/16 22:00:33, nasko (slow) wrote: > It looks like there are some tests that ...

3 years, 9 months ago (2017-03-17 09:04:07 UTC) #167

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 9 months ago (2017-03-17 09:44:53 UTC) #168

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/750001

3 years, 9 months ago (2017-03-17 09:45:03 UTC) #169

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 09:45:06 UTC) #170

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

3 years, 9 months ago (2017-03-17 09:49:00 UTC) #172

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/790001

3 years, 9 months ago (2017-03-17 09:49:17 UTC) #173

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 09:49:20 UTC) #174

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 10:01:27 UTC) #175

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 10:33:23 UTC) #176

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 11:02:45 UTC) #177

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 11:31:43 UTC) #178

arthursonzogni

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_messages.h File content/common/frame_messages.h (right): https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_messages.h#newcode345 content/common/frame_messages.h:345: IPC_STRUCT_TRAITS_MEMBER(should_bypass_main_world_csp) On 2017/03/17 00:24:27, alexmos wrote: > On 2017/03/14 ...

3 years, 9 months ago (2017-03-17 11:42:31 UTC) #179

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_m...
File content/common/frame_messages.h (right):

https://codereview.chromium.org/2655463006/diff/590001/content/common/frame_m...
content/common/frame_messages.h:345:
IPC_STRUCT_TRAITS_MEMBER(should_bypass_main_world_csp)
On 2017/03/17 00:24:27, alexmos wrote:
> On 2017/03/14 15:38:57, arthursonzogni wrote:
> > On 2017/03/13 18:44:29, ncarter wrote:
> > > I'm wondering if we ought to consider making this be the url::Origin
> > > corresponding to the SecurityOrigin of the isolated world in which the
> > > navigation originated (or a null origin, if it's the main world)?
> > 
> > I lack knowledge about isolated world. Okay, there is CSPs for extensions
> > too and they are not used for now. It seems to me that they are not even
> stored
> > in blink. Blink only knows that they are defined, but not what they are.
> > 
> > I was thinking about frame-src. In the future, if we were able to apply
> > the isolated world CSPs. Should we apply any extension's CSPs when the
> > request is initiated by an user-script for the frame-src case? I ask this
> > because frame-src doesn't use the CSP of the document that has initiated the
> > navigation, but the CSPs of the parent of the document that is navigating.
> > 
> > Does someone else want to say something?
> 
> Our docs say that "content scripts are generally not subject to the CSP of the
> extension", and additionally, "the CSP of the page does not apply to content
> scripts".
> https://developer.chrome.com/extensions/contentSecurityPolicy#interactions
> 
> Given that people have been building extensions under these expectations, it
> seems hard to start enforcing any kind of CSP for content scripts.  Would the
> extension needs to declare a separate CSP for content scripts, since the
default
> extension CSP applies to background pages and event pages, but here we'd need
to
> apply it to regular web pages?  I don't know if the FIXME is actually fixable.
> 
> I agree with Nick that having an origin here would at least let the browser
> process verify that there's an extension with a content script that was
supposed
> to run on the page that sent this, to minimize malicious renderers misusing
this
> to bypass CSP.  Not much, but better than nothing.  However, given the amount
of
> plumbing involved, I'm ok not blocking this CL on it and exploring this in a
> followup.  Perhaps you can file a bug to explore ways to lock down the use of
> this flag so we don't forget?

TODO and BUG added: https://crbug.com/702540

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 9 months ago (2017-03-17 11:46:12 UTC) #180

commit-bot: I haz the power

Dry run: This issue passed the CQ dry run.

3 years, 9 months ago (2017-03-17 11:46:13 UTC) #181

arthursonzogni

The CQ bit was checked by arthursonzogni@chromium.org

3 years, 9 months ago (2017-03-17 14:00:08 UTC) #182

arthursonzogni

The patchset sent to the CQ was uploaded after l-g-t-m from alexmos@chromium.org, dcheng@chromium.org Link to ...

3 years, 9 months ago (2017-03-17 14:00:09 UTC) #183

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/790001

3 years, 9 months ago (2017-03-17 14:00:27 UTC) #184

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 14:00:31 UTC) #185

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 14:03:33 UTC) #186

commit-bot: I haz the power

CQ is committing da patch. Bot data: {"patchset_id": 790001, "attempt_start_ts": 1489759208296270, "parent_rev": "47d64d328b84b893246a65264781df243d428ae6", "commit_rev": "1e3b610bfff1acd060ed8b3f595344402b833bad"}

3 years, 9 months ago (2017-03-17 14:05:13 UTC) #187

commit-bot: I haz the power

Description was changed from ========== PlzNavigate: Enforce frame-src CSP on the browser. Use a NavigationThrottle ...

3 years, 9 months ago (2017-03-17 14:05:59 UTC) #188

commit-bot: I haz the power

Committed patchset #23 (id:790001) as https://chromium.googlesource.com/chromium/src/+/1e3b610bfff1acd060ed8b3f595344402b833bad

3 years, 9 months ago (2017-03-17 14:06:01 UTC) #189

nektarios

A revert of this CL (patchset #23 id:790001) has been created in https://codereview.chromium.org/2754303002/ by nektar@chromium.org. ...

3 years, 9 months ago (2017-03-17 15:46:56 UTC) #190

nektarios

A revert of this CL (patchset #23 id:790001) has been created in https://codereview.chromium.org/2756913002/ by nektar@chromium.org. ...

3 years, 9 months ago (2017-03-17 15:47:01 UTC) #191

nektarios

[5868:1532:0317/082357.173:34929421:INFO:CONSOLE(0)] "Refused to frame 'http://c.com:57177/title3.html' because it violates the following Content Security Policy directive: "frame-src ...

3 years, 9 months ago (2017-03-17 15:49:50 UTC) #192

arthursonzogni

On 2017/03/17 15:49:50, nektarios wrote: > [5868:1532:0317/082357.173:34929421:INFO:CONSOLE(0)] "Refused to frame > 'http://c.com:57177/title3.html' because it violates ...

3 years, 9 months ago (2017-03-17 15:53:56 UTC) #193

jam

On 2017/03/17 15:53:56, arthursonzogni wrote: > On 2017/03/17 15:49:50, nektarios wrote: > > [5868:1532:0317/082357.173:34929421:INFO:CONSOLE(0)] "Refused ...

3 years, 9 months ago (2017-03-17 19:24:06 UTC) #194

jam

Description was changed from ========== PlzNavigate: Enforce frame-src CSP on the browser. Use a NavigationThrottle ...

3 years, 9 months ago (2017-03-17 21:52:20 UTC) #195

jam

On 2017/03/17 19:24:06, jam wrote: > On 2017/03/17 15:53:56, arthursonzogni wrote: > > On 2017/03/17 ...

3 years, 9 months ago (2017-03-17 21:53:14 UTC) #197

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/790001

3 years, 9 months ago (2017-03-17 21:53:38 UTC) #198

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 21:53:43 UTC) #199

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 22:02:56 UTC) #200

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 9 months ago (2017-03-17 22:19:33 UTC) #201

commit-bot: I haz the power

Try jobs failed on following builders: chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presubmit/builds/388578)

3 years, 9 months ago (2017-03-17 22:19:36 UTC) #202

jam

The patchset sent to the CQ was uploaded after l-g-t-m from dcheng@chromium.org, alexmos@chromium.org Link to ...

3 years, 9 months ago (2017-03-17 22:58:30 UTC) #205

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/830001

3 years, 9 months ago (2017-03-17 22:59:27 UTC) #206

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 22:59:32 UTC) #207

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 23:02:17 UTC) #208

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-17 23:32:54 UTC) #209

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-18 00:02:32 UTC) #210

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-18 00:32:27 UTC) #211

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 9 months ago (2017-03-18 00:54:47 UTC) #212

commit-bot: I haz the power

Try jobs failed on following builders: win_chromium_rel_ng on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_ng/builds/403346)

3 years, 9 months ago (2017-03-18 00:54:50 UTC) #213

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/830001

3 years, 9 months ago (2017-03-18 01:31:17 UTC) #215

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-18 01:31:22 UTC) #216

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-18 01:32:06 UTC) #217

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

3 years, 9 months ago (2017-03-18 01:36:52 UTC) #218

commit-bot: I haz the power

Try jobs failed on following builders: chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presubmit/builds/388752)

3 years, 9 months ago (2017-03-18 01:36:54 UTC) #219

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2655463006/830001

3 years, 9 months ago (2017-03-18 02:25:26 UTC) #221

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-18 02:25:32 UTC) #222

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-18 02:32:09 UTC) #223

commit-bot: I haz the power

There were warnings when CQ was processing your CL: * CQ is not running the ...

3 years, 9 months ago (2017-03-18 03:01:35 UTC) #224

commit-bot: I haz the power

CQ is committing da patch. Bot data: {"patchset_id": 830001, "attempt_start_ts": 1489803903600170, "parent_rev": "d16b86f20467acbb4c2659ad7080df5d07dfad11", "commit_rev": "7fed384c1a1d7a6c89531dddbb8b539061a9e455"}

3 years, 9 months ago (2017-03-18 03:07:46 UTC) #225

commit-bot: I haz the power

Description was changed from ========== PlzNavigate: Enforce frame-src CSP on the browser. Use a NavigationThrottle ...

3 years, 9 months ago (2017-03-18 03:09:15 UTC) #226

commit-bot: I haz the power

3 years, 9 months ago (2017-03-18 03:09:18 UTC) #227

Message was sent while issue was closed.

Committed patchset #24 (id:830001) as
https://chromium.googlesource.com/chromium/src/+/7fed384c1a1d7a6c89531dddbb8b...

Issue 2655463006: PlzNavigate: Enforce 'frame-src' CSP on the browser. (Closed)

Description

Patch Set 1 #

Patch Set 2 : Fix test:chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html #

Patch Set 3 : Rebase #

Patch Set 4 : Fix tests. #

Patch Set 5 : Addressed comments(alexmos@ and nasko@) #

Patch Set 6 : Addressed comments (alexmos@ #2) + Rebase from parent. #

Patch Set 7 : Add TODO in the FrameLoader. #

Patch Set 8 : Rebase from master and parent. #

Patch Set 9 : Addressed comments (nasko@) #

Patch Set 10 : Rebase. #

Patch Set 11 : Rebase. #

Patch Set 12 : Move things from the FTN to the RFH. #

Patch Set 13 : Rebase. #

Patch Set 14 : Rebase #

Patch Set 15 : Addressed comments @alexmos. #

Patch Set 16 : Rebase from clamy's patch: https://crrev.com/2727633005/ #

Patch Set 17 : Addressed comments #

Patch Set 18 : Rebase #

Patch Set 19 : Addressed comments #

Patch Set 20 : Rebase. #

Patch Set 21 : bool -> enum. #

Patch Set 22 : Rebase. #

Patch Set 23 : Add TODO for https://crbug.com/702540 and fix test expectations #

Patch Set 24 : Rebase. #

Messages