PlzNavigate: Enforce 'frame-src' CSP on the browser.

content/browser/frame_host/render_frame_host_impl.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_BROWSER_FRAME_HOST_RENDER_FRAME_HOST_IMPL_H_
 #define CONTENT_BROWSER_FRAME_HOST_RENDER_FRAME_HOST_IMPL_H_
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <list>
 #include <map>
 #include <set>
 #include <string>
 #include <vector>
 
 #include "base/callback.h"
 #include "base/compiler_specific.h"
 #include "base/gtest_prod_util.h"
 #include "base/macros.h"
 #include "base/memory/weak_ptr.h"
 #include "base/strings/string16.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "content/browser/accessibility/browser_accessibility_manager.h"
 #include "content/browser/bad_message.h"
+#include "content/browser/frame_host/csp_context_impl.h"
 #include "content/browser/loader/global_routing_id.h"
 #include "content/browser/site_instance_impl.h"
 #include "content/browser/webui/web_ui_impl.h"
 #include "content/common/accessibility_mode_enums.h"
 #include "content/common/ax_content_node_data.h"
 #include "content/common/content_export.h"
-#include "content/common/content_security_policy/content_security_policy.h"
+#include "content/common/content_security_policy/csp_context.h"
 #include "content/common/download/mhtml_save_status.h"
 #include "content/common/frame.mojom.h"
 #include "content/common/frame_message_enums.h"
 #include "content/common/frame_replication_state.h"
 #include "content/common/image_downloader/image_downloader.mojom.h"
 #include "content/common/navigation_params.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/common/javascript_dialog_type.h"
 #include "content/public/common/previews_state.h"
 #include "media/mojo/interfaces/interface_factory.mojom.h"
@@ skipping 220 matching lines @@
   // The most recent non-net-error URL to commit in this frame.  In almost all
   // cases, use GetLastCommittedURL instead.
   const GURL& last_successful_url() { return last_successful_url_; }
   void set_last_successful_url(const GURL& url) {
     last_successful_url_ = url;
   }
 
   // Update this frame's last committed origin.
   void set_last_committed_origin(const url::Origin& origin) {
     last_committed_origin_ = origin;
+    csp_context_->SetSelf(origin);
   }
 
   // Returns the associated WebUI or null if none applies.
   WebUIImpl* web_ui() const { return web_ui_.get(); }
 
   // Returns the pending WebUI, or null if none applies.
   WebUIImpl* pending_web_ui() const {
     return should_reuse_web_ui_ ? web_ui_.get() : pending_web_ui_.get();
   }
 
@@ skipping 260 matching lines @@
                         bool is_view_source);
 
   // PlzNavigate
   // Indicates that a navigation failed and that this RenderFrame should display
   // an error page.
   void FailedNavigation(const CommonNavigationParams& common_params,
                         const RequestNavigationParams& request_params,
                         bool has_stale_copy_in_cache,
                         int error_code);
 
+  // PlzNavigate
+  // Inform the renderer process that a navigation has been blocked by a content
+  // security policy.
+  void ReportContentSecurityPolicyViolation(
+      const CSPViolationParams& violation_params);
+
   // Sets up the Mojo connection between this instance and its associated render
   // frame if it has not yet been set up.
   void SetUpMojoIfNeeded();
 
   // Tears down the browser-side state relating to the Mojo connection between
   // this instance and its associated render frame.
   void InvalidateMojoConnection();
 
   // Returns whether the frame is focused. A frame is considered focused when it
   // is the parent chain of the focused frame within the frame tree. In
@@ skipping 48 matching lines @@
   // that made a network request. The PreviewsState is a bitmask of potentially
   // several Previews optimizations.
   PreviewsState last_navigation_previews_state() const {
     return last_navigation_previews_state_;
   }
 
   bool has_focused_editable_element() const {
     return has_focused_editable_element_;
   }
 
+  // Returns the set of Content-Security-Policy policies to enforce on the
+  // browser-side.
+  const std::vector<ContentSecurityPolicy>& content_security_policies() const {

[alexmos, 2017/02/24 06:40:27]

I wonder if content's ContentSecurityPolicy should just hide the fact that there
are multiple policies within itself.  I.e., behave similarly to Blink's
ContentSecurityPolicy which I think stores the vector of m_policies internally. 
Then we won't need to pass this vector around whenever we want to check the CSP,
which would make the code in callers easier to follow.  Perhaps CSPContext could
be part of that too; i.e., it'd be nice to just say
parent->content_security_policy()->Allow(CSPDirective::FrameSrc, url,
is_redirect)), instead of dealing with CSPContexts and vectors of policies.  Or
are there reasons that it has to be organized like this?  (This is fine to think
about for a followup cleanup.)

[arthursonzogni, 2017/02/24 16:13:29]

The name of the classes inside blink confused me.
ContentSecurityPolicy is not a policy but the concept, it store several policies
and does what I do in CSPContext also.
DirectiveSourceList is the the policy :)

I am not sure what is the best thing. I will try to store the policies inside
the CSPContext, please tell me if it looks good to you.

+    return content_security_policies_;
+  }
+
+  void ResetContentSecurityPolicy() { content_security_policies_.clear(); }

[alexmos, 2017/02/24 06:40:27]

Should this be ResetContentSecurityPolicies, since it's resetting a set of
policies?

[arthursonzogni, 2017/02/24 16:13:29]

I copied FrameTreeNode::ResetContentSecurityPolicy, will 
Removed in the latest CL.

+
+  // Returns the context that must be used to check if a RenderFrameHost is
+  // allowed to navigate to an URL according to a set of content-security-policy
+  // policies. RenderFrameHostImpl. Never null.

[alexmos, 2017/02/24 06:40:27]

Is "RenderFrameHostImpl." needed?

[arthursonzogni, 2017/02/24 16:13:29]

Removed in the latest CL.

+  CSPContext* csp_context() { return csp_context_.get(); }
+
  protected:
   friend class RenderFrameHostFactory;
 
   // |flags| is a combination of CreateRenderFrameFlags.
   // TODO(nasko): Remove dependency on RenderViewHost here. RenderProcessHost
   // should be the abstraction needed here, but we need RenderViewHost to pass
   // into WebContentsObserver::FrameDetached for now.
   RenderFrameHostImpl(SiteInstance* site_instance,
                       RenderViewHostImpl* render_view_host,
                       RenderFrameHostDelegate* delegate,
@@ skipping 515 matching lines @@
   std::unique_ptr<AssociatedInterfaceProviderImpl>
       remote_associated_interfaces_;
 
   // A bitwise OR of bindings types that have been enabled for this RenderFrame.
   // See BindingsPolicy for details.
   int enabled_bindings_ = 0;
 
   // Tracks the feature policy which has been set on this frame.
   std::unique_ptr<FeaturePolicy> feature_policy_;
 
+  // A set of Content-Security-Policy policies to enforce on the browser-side.
+  std::vector<ContentSecurityPolicy> content_security_policies_;

[alexmos, 2017/02/24 06:40:27]

It might be good to document here why we need this to be a set of policies,
rather than a single policy.  (I guess the explanation is in the comment for
FrameHostMsg_DidAddContentSecurityPolicy?)

[arthursonzogni, 2017/02/24 16:13:29]

Removed in the latest CL.

+
+  // Used to check if a frame is allowed to navigate to an URL according to a
+  // set of content-security-policy policies.
+  std::unique_ptr<CSPContext> csp_context_;
+
   // NOTE: This must be the last member.
   base::WeakPtrFactory<RenderFrameHostImpl> weak_ptr_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(RenderFrameHostImpl);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_BROWSER_FRAME_HOST_RENDER_FRAME_HOST_IMPL_H_