PlzNavigate: Enforce 'frame-src' CSP on the browser.

third_party/WebKit/Source/core/loader/FrameLoader.cpp

Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 26bd2f95c92e404ed37be2e1c80177c58efb2a69..7bacc520b53fc8148d8ff9667fe8f3bb16f7384f 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -1628,6 +1628,10 @@ bool FrameLoader::shouldContinueForNavigationPolicy(
     FrameLoadType frameLoadType,
     bool isClientRedirect,
     HTMLFormElement* form) {
+  Settings* settings = m_frame->settings();
+  bool browserSideNavigationEnabled =
+      settings && settings->getBrowserSideNavigationEnabled();
+
   // Don't ask if we are loading an empty URL.
   if (request.url().isEmpty() || substituteData.isValid())
     return true;
@@ -1636,7 +1640,8 @@ bool FrameLoader::shouldContinueForNavigationPolicy(
   // against the parent's Content Security Policy and kill the load if that
   // check fails, unless we should bypass the main world's CSP.
   if (policy == NavigationPolicyCurrentTab &&
-      shouldCheckMainWorldContentSecurityPolicy == CheckContentSecurityPolicy) {
+      shouldCheckMainWorldContentSecurityPolicy == CheckContentSecurityPolicy &&
+      !browserSideNavigationEnabled) {

[arthursonzogni, 2017/02/10 16:42:22]

Note: It is possible to check the CSP with PlzNavigate on the browser-side and
on the renderer-side at the same time, but I prevent this to happens because
'shouldContinueForNavigationPolicy' is called two times with PlzNavigate:
* One for the initial request.
* A Second time when the request come back from the browser.
The problem is that 'shouldCheckMainWorldContentSecurityPolicy' is does not
correspond to reality the second time.

[alexmos, 2017/02/10 22:59:53]

I might be fuzzy on how this part works with PlzNavigate, but could you explain
more about what's wrong with shouldCheckMainWorldContentSecurityPolicy the
second time?

[arthursonzogni, 2017/02/13 16:33:20]

With PlzNavigate, we currently use a dirty hack to commit navigation inside
blink. It is temporarily. After the navigation has been done in the browser, it
is committed inside the renderer. The browser sends a request to the renderer,
but in a way, it is the response. It is essentially a request with a few
attributes that tells the renderer that it doesn't have to submit a new request
and where it can find the response.
So 2 requests are made, one for the request and one for the "response".

For the second request, the renderer doesn't know if the request was submitted
from an isolated world and it will block the request if we don't prevent it to
do so.

[alexmos, 2017/02/14 06:57:20]

Acknowledged, thanks for the explanation.  Can you please add a brief comment
here about why this is disabled for PlzNavigate, and reference a bug (if you
have it) for removing that hack?

[arthursonzogni, 2017/02/15 17:02:16]

Done. See http://crbug.com/692595

     Frame* parentFrame = m_frame->tree().parent();
     if (parentFrame) {
       ContentSecurityPolicy* parentPolicy =
@@ -1662,9 +1667,9 @@ bool FrameLoader::shouldContinueForNavigationPolicy(
 
   bool replacesCurrentHistoryItem =
       frameLoadType == FrameLoadTypeReplaceCurrentItem;
-  policy = client()->decidePolicyForNavigation(request, loader, type, policy,
-                                               replacesCurrentHistoryItem,
-                                               isClientRedirect, form);
+  policy = client()->decidePolicyForNavigation(
+      request, loader, type, policy, replacesCurrentHistoryItem,
+      isClientRedirect, form, shouldCheckMainWorldContentSecurityPolicy);
   if (policy == NavigationPolicyCurrentTab)
     return true;
   if (policy == NavigationPolicyIgnore)