PlzNavigate: Enforce 'frame-src' CSP on the browser.

third_party/WebKit/Source/core/loader/FrameLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights
  * reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  * (http://www.torchmobile.com/)
  * Copyright (C) 2008 Alp Toker <alp@atoker.com>
  * Copyright (C) Research In Motion Limited 2009. All rights reserved.
  * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
  * Copyright (C) 2011 Google Inc. All rights reserved.
@@ skipping 1610 matching lines @@
 bool FrameLoader::shouldContinueForNavigationPolicy(
     const ResourceRequest& request,
     const SubstituteData& substituteData,
     DocumentLoader* loader,
     ContentSecurityPolicyDisposition shouldCheckMainWorldContentSecurityPolicy,
     NavigationType type,
     NavigationPolicy policy,
     FrameLoadType frameLoadType,
     bool isClientRedirect,
     HTMLFormElement* form) {
+  Settings* settings = m_frame->settings();
+  bool browserSideNavigationEnabled =
+      settings && settings->getBrowserSideNavigationEnabled();
+
   // Don't ask if we are loading an empty URL.
   if (request.url().isEmpty() || substituteData.isValid())
     return true;
 
   // If we're loading content into |m_frame| (NavigationPolicyCurrentTab), check
   // against the parent's Content Security Policy and kill the load if that
   // check fails, unless we should bypass the main world's CSP.
   if (policy == NavigationPolicyCurrentTab &&
-      shouldCheckMainWorldContentSecurityPolicy == CheckContentSecurityPolicy) {
+      shouldCheckMainWorldContentSecurityPolicy == CheckContentSecurityPolicy &&
+      !browserSideNavigationEnabled) {

[arthursonzogni, 2017/02/10 16:42:22]

Note: It is possible to check the CSP with PlzNavigate on the browser-side and
on the renderer-side at the same time, but I prevent this to happens because
'shouldContinueForNavigationPolicy' is called two times with PlzNavigate:
* One for the initial request.
* A Second time when the request come back from the browser.
The problem is that 'shouldCheckMainWorldContentSecurityPolicy' is does not
correspond to reality the second time.

[alexmos, 2017/02/10 22:59:53]

I might be fuzzy on how this part works with PlzNavigate, but could you explain
more about what's wrong with shouldCheckMainWorldContentSecurityPolicy the
second time?

[arthursonzogni, 2017/02/13 16:33:20]

With PlzNavigate, we currently use a dirty hack to commit navigation inside
blink. It is temporarily. After the navigation has been done in the browser, it
is committed inside the renderer. The browser sends a request to the renderer,
but in a way, it is the response. It is essentially a request with a few
attributes that tells the renderer that it doesn't have to submit a new request
and where it can find the response.
So 2 requests are made, one for the request and one for the "response".

For the second request, the renderer doesn't know if the request was submitted
from an isolated world and it will block the request if we don't prevent it to
do so.

[alexmos, 2017/02/14 06:57:20]

Acknowledged, thanks for the explanation.  Can you please add a brief comment
here about why this is disabled for PlzNavigate, and reference a bug (if you
have it) for removing that hack?

[arthursonzogni, 2017/02/15 17:02:16]

Done. See http://crbug.com/692595

     Frame* parentFrame = m_frame->tree().parent();
     if (parentFrame) {
       ContentSecurityPolicy* parentPolicy =
           parentFrame->securityContext()->contentSecurityPolicy();
       if (!parentPolicy->allowFrameFromSource(request.url(),
                                               request.redirectStatus())) {
         // Fire a load event, as timing attacks would otherwise reveal that the
         // frame was blocked. This way, it looks like every other cross-origin
         // page load.
         m_frame->document()->enforceSandboxFlags(SandboxOrigin);
         m_frame->owner()->dispatchLoad();
         return false;
       }
     }
   }
 
   bool isFormSubmission = type == NavigationTypeFormSubmitted ||
                           type == NavigationTypeFormResubmitted;
   if (isFormSubmission &&
       !m_frame->document()->contentSecurityPolicy()->allowFormAction(
           request.url()))
     return false;
 
   bool replacesCurrentHistoryItem =
       frameLoadType == FrameLoadTypeReplaceCurrentItem;
-  policy = client()->decidePolicyForNavigation(request, loader, type, policy,
-                                               replacesCurrentHistoryItem,
-                                               isClientRedirect, form);
+  policy = client()->decidePolicyForNavigation(
+      request, loader, type, policy, replacesCurrentHistoryItem,
+      isClientRedirect, form, shouldCheckMainWorldContentSecurityPolicy);
   if (policy == NavigationPolicyCurrentTab)
     return true;
   if (policy == NavigationPolicyIgnore)
     return false;
   if (policy == NavigationPolicyHandledByClient) {
     m_isNavigationHandledByClient = true;
     // Mark the frame as loading since the embedder is handling the navigation.
     m_progressTracker->progressStarted(frameLoadType);
 
     m_frame->navigationScheduler().cancel();
@@ skipping 332 matching lines @@
       frameLoadRequest.clientRedirect());
 
   loader->setLoadType(loadType);
   loader->setNavigationType(navigationType);
   loader->setReplacesCurrentHistoryItem(loadType ==
                                         FrameLoadTypeReplaceCurrentItem);
   return loader;
 }
 
 }  // namespace blink