CSP: 'self' should work inside sandboxes.

CSP: 'self' should work inside sandboxes.

We ought to be looking at the URL of a sandboxed resource when resolving
the CSP source expression 'self'. Currently, we're looking at the origin
of the resource, which is generally correct, but fails if the resource
has been pushed into an opaque origin.

This patch uses the fallback base URL of a document rather than its
origin to do the comparison.

BUG=692475
R=jochen@chromium.org
CC=andypaicu@chromium.org

Review-Url: https://codereview.chromium.org/2699663002
Cr-Commit-Position: refs/heads/master@{#451626}
Committed: https://chromium.googlesource.com/chromium/src/+/9d3329c4a3d3dd0ab85869b7de4d62a8e2797520

[Mike West, 2017-02-15 13:36:36]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-02-15 13:36:51]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Mike West, 2017-02-15 13:38:06]

WDYT, Jochen?

CC andypaicu@, mikispag@, FYI.

https://codereview.chromium.org/2699663002/diff/1/third_party/WebKit/LayoutTe...
File
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-self.html
(right):

https://codereview.chromium.org/2699663002/diff/1/third_party/WebKit/LayoutTe...
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-self.html:1:
<!DOCTYPE html>
I'd put this into //external/wpt/content-security-policy, but we apparently
haven't imported those yet. Submitting
https://codereview.chromium.org/2700493003 to fix.

[commit-bot: I haz the power, 2017-02-15 14:25:32]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-02-15 14:25:33]

Dry run: Try jobs failed on following builders:
  linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)

[jochen (gone - plz use gerrit), 2017-02-20 09:55:19]

lgtm

https://codereview.chromium.org/2699663002/diff/1/third_party/WebKit/LayoutTe...
File
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-self.html
(right):

https://codereview.chromium.org/2699663002/diff/1/third_party/WebKit/LayoutTe...
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-self.html:11:
async_test(t => {
why are you using 4sp indent for tags, but 2sp for script?

[Mike West, 2017-02-20 12:45:42]

On 2017/02/20 at 09:55:19, jochen wrote:
> lgtm
> 
>
https://codereview.chromium.org/2699663002/diff/1/third_party/WebKit/LayoutTe...
> File
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-self.html
(right):
> 
>
https://codereview.chromium.org/2699663002/diff/1/third_party/WebKit/LayoutTe...
>
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-self.html:11:
async_test(t => {
> why are you using 4sp indent for tags, but 2sp for script?

Probably because my vim settings are still screwed up from The Great Screwing Up
Of Blink Style that happened earlier this year. :(

[Mike West, 2017-02-20 12:58:13]

The CQ bit was checked by mkwst@chromium.org

[Mike West, 2017-02-20 12:58:13]

The patchset sent to the CQ was uploaded after l-g-t-m from jochen@chromium.org
Link to the patchset: https://codereview.chromium.org/2699663002/#ps20001
(title: "Test + Formatting")

[commit-bot: I haz the power, 2017-02-20 12:58:27]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-02-20 15:04:12]

CQ is committing da patch.

Bot data: {"patchset_id": 20001, "attempt_start_ts": 1487595493018390,
"parent_rev": "4904876279fbe19be093f6a669fd71905a4ac14c", "commit_rev":
"9d3329c4a3d3dd0ab85869b7de4d62a8e2797520"}

[commit-bot: I haz the power, 2017-02-20 15:04:48]

Description was changed from

==========
CSP: 'self' should work inside sandboxes.

We ought to be looking at the URL of a sandboxed resource when resolving
the CSP source expression 'self'. Currently, we're looking at the origin
of the resource, which is generally correct, but fails if the resource
has been pushed into an opaque origin.

This patch uses the fallback base URL of a document rather than its
origin to do the comparison.

BUG=692475
R=jochen@chromium.org
CC=andypaicu@chromium.org
==========

to

==========
CSP: 'self' should work inside sandboxes.

We ought to be looking at the URL of a sandboxed resource when resolving
the CSP source expression 'self'. Currently, we're looking at the origin
of the resource, which is generally correct, but fails if the resource
has been pushed into an opaque origin.

This patch uses the fallback base URL of a document rather than its
origin to do the comparison.

BUG=692475
R=jochen@chromium.org
CC=andypaicu@chromium.org

Review-Url: https://codereview.chromium.org/2699663002
Cr-Commit-Position: refs/heads/master@{#451626}
Committed:
https://chromium.googlesource.com/chromium/src/+/9d3329c4a3d3dd0ab85869b7de4d...
==========

[commit-bot: I haz the power, 2017-02-20 15:04:49]

Committed patchset #2 (id:20001) as
https://chromium.googlesource.com/chromium/src/+/9d3329c4a3d3dd0ab85869b7de4d...

[Mike West, 2017-02-25 13:18:05]

A revert of this CL (patchset #2 id:20001) has been created in
https://codereview.chromium.org/2711363004/ by mkwst@chromium.org.

The reason for reverting is: I suspect that this breaks Synology's UI, which
submits a form through
an `about:blank` frame. Perhaps we're not persisting the fallback base
URL correctly?

BUG=695058.