CSP Suborigins

Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 74 matching lines @@
 const char ContentSecurityPolicy::FormAction[] = "form-action";
 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors";
 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types";
 const char ContentSecurityPolicy::ReflectedXSS[] = "reflected-xss";
 const char ContentSecurityPolicy::Referrer[] = "referrer";
 
 // Manifest Directives
 // https://w3c.github.io/manifest/#content-security-policy
 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src";
 
+// Experimental Directives (post CSP 1.1)

[Mike West, 2014/10/23 12:59:20]

Nit: Since we changed the name, can you change both this and the above comment
to CSP2?

[jww, 2015/03/20 22:50:03]

I ended up putting a "Suborigin" comment above it since it's not really CSP, as
you pointed out.

+const char ContentSecurityPolicy::Suborigin[] = "suborigin";
+
 bool ContentSecurityPolicy::isDirectiveName(const String& name)
 {
     return (equalIgnoringCase(name, ConnectSrc)
         || equalIgnoringCase(name, DefaultSrc)
         || equalIgnoringCase(name, FontSrc)
         || equalIgnoringCase(name, FrameSrc)
         || equalIgnoringCase(name, ImgSrc)
         || equalIgnoringCase(name, MediaSrc)
         || equalIgnoringCase(name, ObjectSrc)
         || equalIgnoringCase(name, ReportURI)
         || equalIgnoringCase(name, Sandbox)
+        || equalIgnoringCase(name, Suborigin)
         || equalIgnoringCase(name, ScriptSrc)
         || equalIgnoringCase(name, StyleSrc)
         || equalIgnoringCase(name, BaseURI)
         || equalIgnoringCase(name, ChildSrc)
         || equalIgnoringCase(name, FormAction)
         || equalIgnoringCase(name, FrameAncestors)
         || equalIgnoringCase(name, PluginTypes)
         || equalIgnoringCase(name, ReflectedXSS)
         || equalIgnoringCase(name, Referrer)
         || equalIgnoringCase(name, ManifestSrc)
@@ skipping 18 matching lines @@
         return ReferrerPolicyNever;
     return a;
 }
 
 ContentSecurityPolicy::ContentSecurityPolicy()
     : m_executionContext(nullptr)
     , m_overrideInlineStyleAllowed(false)
     , m_scriptHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
     , m_styleHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
     , m_sandboxMask(0)
+    , m_suboriginName(String())
     , m_referrerPolicy(ReferrerPolicyDefault)
 {
 }
 
 void ContentSecurityPolicy::bindToExecutionContext(ExecutionContext* executionContext)
 {
     m_executionContext = executionContext;
     applyPolicySideEffectsToExecutionContext();
 }
 
 void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext()
 {
     ASSERT(m_executionContext);
     // Ensure that 'self' processes correctly.
     m_selfProtocol = securityOrigin()->protocol();
     m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
 
     // If we're in a Document, set the referrer policy and sandbox flags, then dump all the
     // parsing error messages, then poke at histograms.
     if (Document* document = this->document()) {
         document->enforceSandboxFlags(m_sandboxMask);
+        if (experimentalFeaturesEnabled())

[Mike West, 2014/10/23 12:59:20]

`&& hasSuborigin`?

[jww, 2015/03/20 22:50:03]

Enforce only "turns on" Suborigins if the Suborigin is non-null, so this should
be fine.

+            document->enforceSuborigin(m_suboriginName);
         if (didSetReferrerPolicy())
             document->setReferrerPolicy(m_referrerPolicy);
 
         for (const auto& consoleMessage : m_consoleMessages)
             m_executionContext->addConsoleMessage(consoleMessage);
         m_consoleMessages.clear();
 
         for (const auto& policy : m_policies)
             UseCounter::count(*document, getUseCounterType(policy->headerType()));
     }
@@ skipping 419 matching lines @@
 KURL ContentSecurityPolicy::completeURL(const String& url) const
 {
     return m_executionContext->contextCompleteURL(url);
 }
 
 void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask)
 {
     m_sandboxMask |= mask;
 }
 
+void ContentSecurityPolicy::enforceSuborigin(const String& name)
+{
+    m_suboriginName = name;
+}
+
 static String stripURLForUseInReport(Document* document, const KURL& url)
 {
     if (!url.isValid())
         return String();
     if (!url.isHierarchical() || url.protocolIs("file"))
         return url.protocol();
     return document->securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
 }
 
 static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
@@ skipping 166 matching lines @@
     else
         message = "Invalid plugin type in 'plugin-types' Content Security Policy directive: '" + pluginType + "'.\n";
     logToConsole(message);
 }
 
 void ContentSecurityPolicy::reportInvalidSandboxFlags(const String& invalidFlags)
 {
     logToConsole("Error while parsing the 'sandbox' Content Security Policy directive: " + invalidFlags);
 }
 
+void ContentSecurityPolicy::reportInvalidSuboriginFlags(const String& invalidFlags)
+{
+    logToConsole("Error while parsing the 'suborigin' Content Security Policy directive: " + invalidFlags);
+}
+
 void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue)
 {
     logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"allow\", \"filter\", and \"block\".");
 }
 
 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value)
 {
     String message = "The value for Content Security Policy directive '" + directiveName + "' contains an invalid character: '" + value + "'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.";
     logToConsole(message);
 }
@@ skipping 74 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink