PlzNavigate: Enforce 'form-action' CSP on the browser-side.

content/browser/frame_host/form_submission_throttle.cc

Index: content/browser/frame_host/form_submission_throttle.cc
diff --git a/content/browser/frame_host/form_submission_throttle.cc b/content/browser/frame_host/form_submission_throttle.cc
new file mode 100644
index 0000000000000000000000000000000000000000..deeac8b870152cacc3b49ca9fe128bb90a1543b5
--- /dev/null
+++ b/content/browser/frame_host/form_submission_throttle.cc
@@ -0,0 +1,68 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/frame_host/form_submission_throttle.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/public/browser/browser_thread.h"
+#include "content/public/browser/navigation_handle.h"
+#include "content/public/browser/navigation_throttle.h"
+#include "content/public/common/browser_side_navigation_policy.h"
+
+namespace content {
+
+// static
+std::unique_ptr<NavigationThrottle>
+FormSubmissionThrottle::MaybeCreateThrottleFor(NavigationHandle* handle) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+
+  if (!IsBrowserSideNavigationEnabled())
+    return nullptr;
+
+  NavigationHandleImpl* handle_impl =
+      static_cast<NavigationHandleImpl*>(handle);
+
+  if (!handle_impl->is_form_submission())
+    return nullptr;
+
+  return std::unique_ptr<NavigationThrottle>(
+      new FormSubmissionThrottle(handle));
+}
+
+FormSubmissionThrottle::~FormSubmissionThrottle() {}
+
+NavigationThrottle::ThrottleCheckResult
+FormSubmissionThrottle::CheckContentSecurityPolicyFormAction(bool is_redirect) {
+  NavigationHandleImpl* handle =
+      static_cast<NavigationHandleImpl*>(navigation_handle());
+
+  // Allow the request when it bypasses the CSP.
+  if (handle->should_bypass_main_world_csp())
+    return NavigationThrottle::PROCEED;
+
+  const GURL& url = handle->GetURL();
+  RenderFrameHostImpl* render_frame =
+      handle->frame_tree_node()->current_frame_host();
+
+  if (!render_frame->AllowContentSecurityPolicy(CSPDirective::FormAction, url,
+                                                is_redirect)) {
+    return NavigationThrottle::CANCEL;

[Mike West, 2017/03/02 10:45:34]

How do you plan to deal with violation reports and `securitypolicyviolation`
events? I don't think you need to block testing PlzNavigate on that, but we
ought to be surfacing errors to developers before shipping.

[arthursonzogni, 2017/03/07 16:25:51]

The violation report and the 'securitypolicyviolation' event are sent when the
call to AllowContentSecurityPolicy returns false.

[Mike West, 2017/03/09 08:20:03]

I see, thanks!

[alexmos, 2017/03/16 23:05:35]

I also found this non-obvious just by reading the code and seeing
IsAllowedByCsp, as it reads like the function just returns a bool without any
side effects.  Perhaps we can at least put in a comment on IsAllowedByCsp?  And
maybe IsAllowedByCsp could be named better to reflect that it also sends
violations, but it's ok to consider that in a followup.

+  }
+
+  return NavigationThrottle::PROCEED;
+}
+
+NavigationThrottle::ThrottleCheckResult
+FormSubmissionThrottle::WillStartRequest() {
+  return CheckContentSecurityPolicyFormAction(false /* is_redirect */);
+}
+
+NavigationThrottle::ThrottleCheckResult
+FormSubmissionThrottle::WillRedirectRequest() {
+  return CheckContentSecurityPolicyFormAction(true /* is_redirect */);
+}
+
+FormSubmissionThrottle::FormSubmissionThrottle(NavigationHandle* handle)
+    : NavigationThrottle(handle) {}
+
+}  // namespace content