PlzNavigate: Enforce 'form-action' CSP on the browser-side.

content/browser/frame_host/navigation_handle_impl.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_handle_impl.h"
 
 #include <iterator>
 
 #include "base/debug/dump_without_crashing.h"
 #include "base/logging.h"
 #include "content/browser/appcache/appcache_navigation_handle.h"
 #include "content/browser/appcache/appcache_service_impl.h"
 #include "content/browser/browsing_data/clear_site_data_throttle.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/devtools/render_frame_devtools_agent_host.h"
 #include "content/browser/frame_host/ancestor_throttle.h"
 #include "content/browser/frame_host/debug_urls.h"
+#include "content/browser/frame_host/form_submission_throttle.h"
 #include "content/browser/frame_host/frame_tree_node.h"
 #include "content/browser/frame_host/mixed_content_navigation_throttle.h"
 #include "content/browser/frame_host/navigation_controller_impl.h"
 #include "content/browser/frame_host/navigation_entry_impl.h"
 #include "content/browser/frame_host/navigator.h"
 #include "content/browser/frame_host/navigator_delegate.h"
 #include "content/browser/loader/resource_dispatcher_host_impl.h"
 #include "content/browser/service_worker/service_worker_context_wrapper.h"
 #include "content/browser/service_worker/service_worker_navigation_handle.h"
 #include "content/common/frame_messages.h"
@@ skipping 31 matching lines @@
 // static
 std::unique_ptr<NavigationHandleImpl> NavigationHandleImpl::Create(
     const GURL& url,
     const std::vector<GURL>& redirect_chain,
     FrameTreeNode* frame_tree_node,
     bool is_renderer_initiated,
     bool is_same_page,
     const base::TimeTicks& navigation_start,
     int pending_nav_entry_id,
     bool started_from_context_menu,
-    bool should_bypass_main_world_csp) {
+    bool should_bypass_main_world_csp,
+    bool is_form_submission) {
   return std::unique_ptr<NavigationHandleImpl>(new NavigationHandleImpl(
       url, redirect_chain, frame_tree_node, is_renderer_initiated, is_same_page,
       navigation_start, pending_nav_entry_id, started_from_context_menu,
-      should_bypass_main_world_csp));
+      should_bypass_main_world_csp, is_form_submission));
 }
 
 NavigationHandleImpl::NavigationHandleImpl(
     const GURL& url,
     const std::vector<GURL>& redirect_chain,
     FrameTreeNode* frame_tree_node,
     bool is_renderer_initiated,
     bool is_same_page,
     const base::TimeTicks& navigation_start,
     int pending_nav_entry_id,
     bool started_from_context_menu,
-    bool should_bypass_main_world_csp)
+    bool should_bypass_main_world_csp,
+    bool is_form_submission)
     : url_(url),
       has_user_gesture_(false),
       transition_(ui::PAGE_TRANSITION_LINK),
       is_external_protocol_(false),
       net_error_code_(net::OK),
       render_frame_host_(nullptr),
       is_renderer_initiated_(is_renderer_initiated),
       is_same_page_(is_same_page),
       was_redirected_(false),
       did_replace_entry_(false),
       should_update_history_(false),
       connection_info_(net::HttpResponseInfo::CONNECTION_INFO_UNKNOWN),
       original_url_(url),
       state_(INITIAL),
       is_transferring_(false),
       frame_tree_node_(frame_tree_node),
       next_index_(0),
       navigation_start_(navigation_start),
       pending_nav_entry_id_(pending_nav_entry_id),
       request_context_type_(REQUEST_CONTEXT_TYPE_UNSPECIFIED),
       mixed_content_context_type_(blink::WebMixedContentContextType::Blockable),
       should_replace_current_entry_(false),
       redirect_chain_(redirect_chain),
       is_download_(false),
       is_stream_(false),
       started_from_context_menu_(started_from_context_menu),
       reload_type_(ReloadType::NONE),
       navigation_type_(NAVIGATION_TYPE_UNKNOWN),
       should_bypass_main_world_csp_(should_bypass_main_world_csp),
+      is_form_submission_(is_form_submission),
       weak_factory_(this) {
   DCHECK(!navigation_start.is_null());
   if (redirect_chain_.empty())
     redirect_chain_.push_back(url);
 
   starting_site_instance_ =
       frame_tree_node_->current_frame_host()->GetSiteInstance();
 
   if (pending_nav_entry_id_) {
     NavigationControllerImpl* nav_controller =
@@ skipping 331 matching lines @@
 }
 
 NavigationData* NavigationHandleImpl::GetNavigationData() {
   return navigation_data_.get();
 }
 
 bool NavigationHandleImpl::should_bypass_main_world_csp() const {
   return should_bypass_main_world_csp_;
 }
 
+bool NavigationHandleImpl::is_form_submission() const {
+  DCHECK(IsBrowserSideNavigationEnabled())
+      << "This method is implemented only with PlzNavigate";
+  return is_form_submission_;
+}
+
 const GlobalRequestID& NavigationHandleImpl::GetGlobalRequestID() {
   DCHECK(state_ == WILL_PROCESS_RESPONSE || state_ == DEFERRING_RESPONSE ||
          state_ == READY_TO_COMMIT);
   return request_id_;
 }
 
 void NavigationHandleImpl::InitServiceWorkerHandle(
     ServiceWorkerContextWrapper* service_worker_context) {
   DCHECK(IsBrowserSideNavigationEnabled());
   service_worker_handle_.reset(
@@ skipping 429 matching lines @@
   std::unique_ptr<NavigationThrottle> clear_site_data_throttle =
       ClearSiteDataThrottle::CreateThrottleForNavigation(this);
   if (clear_site_data_throttle)
     throttles_to_register.push_back(std::move(clear_site_data_throttle));
 
   std::unique_ptr<content::NavigationThrottle> ancestor_throttle =
       content::AncestorThrottle::MaybeCreateThrottleFor(this);
   if (ancestor_throttle)
     throttles_.push_back(std::move(ancestor_throttle));
 
+  std::unique_ptr<content::NavigationThrottle> form_submission_throttle =
+      content::FormSubmissionThrottle::MaybeCreateThrottleFor(this);
+  if (form_submission_throttle)
+    throttles_.push_back(std::move(form_submission_throttle));

[Mike West, 2017/02/22 15:36:08]

This needs to happen before the mixed content check. Can I assume that throttles
execute in LIFO order?

[arthursonzogni, 2017/02/22 17:15:23]

I would say the FIFO order, they are executed from the first one
(mixed_content_throttle, then devtools_throttles, ..., then
form_submission_throttle)

You are probably right, but please, can you tell why the mixed_content_checks
should happens after the 'form-action' checks?
What about the 'frame-src' and 'XFO' checks?

[alexmos, 2017/02/28 02:48:46]

Mike would know these reasons much better, but one thing I recalled is this
comment in FrameFetchContext::canRequestInternal:

  // Check for mixed content. We do this second-to-last so that when folks block
  // mixed content with a CSP policy, they don't get a warning. They'll still
  // get a warning in the console about CSP blocking the load.

[arthursonzogni, 2017/03/07 16:25:51]

Done. Mike please confirm that it looks good to you to move the AncestorThrottle
and the FormSubmissionThrottle before the MixedContentThrottle.

+
   throttles_.insert(throttles_.begin(),
                     std::make_move_iterator(throttles_to_register.begin()),
                     std::make_move_iterator(throttles_to_register.end()));
 }
 
 bool NavigationHandleImpl::IsSelfReferentialURL() {
   // about: URLs should be exempted since they are reserved for other purposes
   // and cannot be the source of infinite recursion. See
   // https://crbug.com/341858 .
   if (url_.SchemeIs("about"))
@@ skipping 11 matching lines @@
     if (node->current_url().EqualsIgnoringRef(url_)) {
       if (found_self_reference)
         return true;
       found_self_reference = true;
     }
   }
   return false;
 }
 
 }  // namespace content