CSP Suborigins

Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 78 matching lines @@
 // https://w3c.github.io/manifest/#content-security-policy
 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src";
 
 // Mixed Content Directive
 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
 const char ContentSecurityPolicy::BlockAllMixedContent[] = "block-all-mixed-content";
 
 // https://w3c.github.io/webappsec/specs/upgrade/
 const char ContentSecurityPolicy::UpgradeInsecureRequests[] = "upgrade-insecure-requests";
 
+// Suborigin Directive
+// https://metromoxie.github.io/webappsec/specs/suborigins/index.html
+const char ContentSecurityPolicy::Suborigin[] = "suborigin";
+
 bool ContentSecurityPolicy::isDirectiveName(const String& name)
 {
     return (equalIgnoringCase(name, ConnectSrc)
         || equalIgnoringCase(name, DefaultSrc)
         || equalIgnoringCase(name, FontSrc)
         || equalIgnoringCase(name, FrameSrc)
         || equalIgnoringCase(name, ImgSrc)
         || equalIgnoringCase(name, MediaSrc)
         || equalIgnoringCase(name, ObjectSrc)
         || equalIgnoringCase(name, ReportURI)
         || equalIgnoringCase(name, Sandbox)
+        || equalIgnoringCase(name, Suborigin)
         || equalIgnoringCase(name, ScriptSrc)
         || equalIgnoringCase(name, StyleSrc)
         || equalIgnoringCase(name, BaseURI)
         || equalIgnoringCase(name, ChildSrc)
         || equalIgnoringCase(name, FormAction)
         || equalIgnoringCase(name, FrameAncestors)
         || equalIgnoringCase(name, PluginTypes)
         || equalIgnoringCase(name, ReflectedXSS)
         || equalIgnoringCase(name, Referrer)
         || equalIgnoringCase(name, ManifestSrc)
@@ skipping 19 matching lines @@
         return ReferrerPolicyNever;
     return a;
 }
 
 ContentSecurityPolicy::ContentSecurityPolicy()
     : m_executionContext(nullptr)
     , m_overrideInlineStyleAllowed(false)
     , m_scriptHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
     , m_styleHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
     , m_sandboxMask(0)
+    , m_suboriginName(String())
     , m_enforceStrictMixedContentChecking(false)
     , m_referrerPolicy(ReferrerPolicyDefault)
     , m_insecureRequestsPolicy(SecurityContext::InsecureRequestsDoNotUpgrade)
 {
 }
 
 void ContentSecurityPolicy::bindToExecutionContext(ExecutionContext* executionContext)
 {
     m_executionContext = executionContext;
     applyPolicySideEffectsToExecutionContext();
 }
 
 void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext()
 {
     ASSERT(m_executionContext);
     // Ensure that 'self' processes correctly.
     m_selfProtocol = securityOrigin()->protocol();
     m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
 
     // If we're in a Document, set the referrer policy, mixed content checking, and sandbox
     // flags, then dump all the parsing error messages, then poke at histograms.
     if (Document* document = this->document()) {
         if (m_sandboxMask != SandboxNone) {
             UseCounter::count(document, UseCounter::SandboxViaCSP);
             document->enforceSandboxFlags(m_sandboxMask);
         }
         if (m_enforceStrictMixedContentChecking)
             document->enforceStrictMixedContentChecking();
+        if (RuntimeEnabledFeatures::suboriginsEnabled()) {
+            document->enforceSuborigin(m_suboriginName);
+        }
         if (didSetReferrerPolicy())
             document->setReferrerPolicy(m_referrerPolicy);
         if (m_insecureRequestsPolicy > document->insecureRequestsPolicy())
             document->setInsecureRequestsPolicy(m_insecureRequestsPolicy);
 
         for (const auto& consoleMessage : m_consoleMessages)
             m_executionContext->addConsoleMessage(consoleMessage);
         m_consoleMessages.clear();
 
         for (const auto& policy : m_policies)
@@ skipping 453 matching lines @@
 {
     m_enforceStrictMixedContentChecking = true;
 }
 
 void ContentSecurityPolicy::setInsecureRequestsPolicy(SecurityContext::InsecureRequestsPolicy policy)
 {
     if (policy > m_insecureRequestsPolicy)
         m_insecureRequestsPolicy = policy;
 }
 
+void ContentSecurityPolicy::enforceSuborigin(const String& name)
+{
+    m_suboriginName = name;
+}
+
 static String stripURLForUseInReport(Document* document, const KURL& url)
 {
     if (!url.isValid())
         return String();
     if (!url.isHierarchical() || url.protocolIs("file"))
         return url.protocol();
     return document->securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
 }
 
 static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
@@ skipping 109 matching lines @@
 void ContentSecurityPolicy::reportReportOnlyInMeta(const String& header)
 {
     logToConsole("The report-only Content Security Policy '" + header + "' was delivered via a <meta> element, which is disallowed. The policy has been ignored.");
 }
 
 void ContentSecurityPolicy::reportMetaOutsideHead(const String& header)
 {
     logToConsole("The Content Security Policy '" + header + "' was delivered via a <meta> element outside the document's <head>, which is disallowed. The policy has been ignored.");
 }
 
+void ContentSecurityPolicy::reportSuboriginInMeta(const String& suboriginName)
+{
+    logToConsole("The Suborigin name '" + suboriginName + "' was delivered via a Content Security Policy in a <meta> element and not an HTTP header, which is disallowed. The Suborigin has been ignored.");
+}
+
 void ContentSecurityPolicy::reportValueForEmptyDirective(const String& name, const String& value)
 {
     logToConsole("The Content Security Policy directive '" + name + "' should be empty, but was delivered with a value of '" + value + "'. The directive has been applied, and the value ignored.");
 }
 
 void ContentSecurityPolicy::reportInvalidInReportOnly(const String& name)
 {
     logToConsole("The Content Security Policy directive '" + name + "' is ignored when delivered in a report-only policy.");
 }
 
@@ skipping 44 matching lines @@
     else
         message = "Invalid plugin type in 'plugin-types' Content Security Policy directive: '" + pluginType + "'.\n";
     logToConsole(message);
 }
 
 void ContentSecurityPolicy::reportInvalidSandboxFlags(const String& invalidFlags)
 {
     logToConsole("Error while parsing the 'sandbox' Content Security Policy directive: " + invalidFlags);
 }
 
+void ContentSecurityPolicy::reportInvalidSuboriginFlags(const String& invalidFlags)
+{
+    logToConsole("Error while parsing the 'suborigin' Content Security Policy directive: " + invalidFlags);
+}
+
 void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue)
 {
     logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"allow\", \"filter\", and \"block\".");
 }
 
 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value)
 {
     String message = "The value for Content Security Policy directive '" + directiveName + "' contains an invalid character: '" + value + "'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.";
     logToConsole(message);
 }
@@ skipping 74 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink