Do not serialize meta element containing Content-Security-Policy

third_party/WebKit/Source/web/WebFrameSerializer.cpp

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 78 matching lines @@
   bool shouldIgnoreElement(const Element&) override;
   bool shouldIgnoreAttribute(const Element&, const Attribute&) override;
   bool rewriteLink(const Element&, String& rewrittenLink) override;
   bool shouldSkipResourceWithURL(const KURL&) override;
   bool shouldSkipResource(
       FrameSerializer::ResourceHasCacheControlNoStoreHeader) override;
   Vector<Attribute> getCustomAttributes(const Element&) override;
 
  private:
   bool shouldIgnoreHiddenElement(const Element&);
+  bool shouldIgnoreMetaElement(const Element&);
   bool shouldIgnorePopupOverlayElement(const Element&);
   void getCustomAttributesForImageElement(const HTMLImageElement&,
                                           Vector<Attribute>*);
   void getCustomAttributesForFormControlElement(const Element&,
                                                 Vector<Attribute>*);
 
   WebFrameSerializer::MHTMLPartsGenerationDelegate& m_webDelegate;
 };
 
 MHTMLFrameSerializerDelegate::MHTMLFrameSerializerDelegate(
     WebFrameSerializer::MHTMLPartsGenerationDelegate& webDelegate)
     : m_webDelegate(webDelegate) {}
 
 bool MHTMLFrameSerializerDelegate::shouldIgnoreElement(const Element& element) {
   if (shouldIgnoreHiddenElement(element))
     return true;
+  if (shouldIgnoreMetaElement(element))
+    return true;
   if (m_webDelegate.removePopupOverlay() &&
       shouldIgnorePopupOverlayElement(element)) {
     return true;
   }
   return false;
 }
 
 bool MHTMLFrameSerializerDelegate::shouldIgnoreHiddenElement(
     const Element& element) {
   // Do not include elements that are are set to hidden without affecting layout
   // by the page. For those elements that are hidden by default, they will not
   // be excluded:
   // 1) All elements that are head or part of head, including head, meta, style,
   //    link and etc.
   // 2) Some specific elements in body: meta, style, datalist, option and etc.
   if (element.layoutObject())
     return false;
   if (isHTMLHeadElement(element) || isHTMLMetaElement(element) ||
       isHTMLStyleElement(element) || isHTMLDataListElement(element) ||
       isHTMLOptionElement(element)) {
     return false;
   }
   Element* parent = element.parentElement();
   return parent && !isHTMLHeadElement(parent);
 }
 
+bool MHTMLFrameSerializerDelegate::shouldIgnoreMetaElement(
+    const Element& element) {
+  // Do not include meta elements that declare Content-Security-Policy
+  // directives. They should have already been enforced when the original
+  // document is loaded. Since only the rendered resources are encapsulated in
+  // the saved MHTML page, there is no need to carry the directives. If they

[Mike West, 2017/02/24 08:21:49]

Hrm. I'm not sure I understand what this means. For example, if `<meta
http-equiv="Content-Security-Policy" content="style-src 'self'">` is present,
what happens to `<link href="https://evil.com/style.css"></link>`? Is it
ignored? Is it loaded and serialized as part of the packaging? Or are you really
just serializing the active document?

[jianli, 2017/02/24 21:38:19]

For the page containing the above example code, the style will be blocked due to
that it violates the Content-Security-Policy directive. So when the page is
serialized to MHTML, the evil style will not be encapsulated into MHTML  since
it is not loaded in the active document. The MHTML is loaded in full sandboxing
mode. Though the MHTML still contains '<link
href="https://evil.com/style.css"></link>', it will not be requested because all
the requests for resources not embedded in the MHTML will be blocked. So we
don't have any problem when the Content-Security-Policy directive is removed in
the MHTML.

+  // are still kept in the MHTML, child frames that are referred to using cid:
+  // scheme could be prevented from loading.
+  if (!isHTMLMetaElement(element))
+    return false;
+  if (!element.fastHasAttribute(HTMLNames::contentAttr))
+    return false;
+  const AtomicString& httpEquiv =
+      element.fastGetAttribute(HTMLNames::http_equivAttr);
+  return httpEquiv == "Content-Security-Policy";
+}
+
 bool MHTMLFrameSerializerDelegate::shouldIgnorePopupOverlayElement(
     const Element& element) {
   // The element should be visible.
   LayoutBox* box = element.layoutBox();
   if (!box)
     return false;
 
   // The bounding box of the element should contain center point of the
   // viewport.
   LocalDOMWindow* window = element.document().domWindow();
@@ skipping 304 matching lines @@
     const WebString& baseTarget) {
   // TODO(yosin) We should call |FrameSerializer::baseTagDeclarationOf()|.
   if (baseTarget.isEmpty())
     return String("<base href=\".\">");
   String baseString = "<base href=\".\" target=\"" +
                       static_cast<const String&>(baseTarget) + "\">";
   return baseString;
 }
 
 }  // namespace blink