Do not serialize meta element containing Content-Security-Policy

third_party/WebKit/Source/web/WebFrameSerializer.cpp

Index: third_party/WebKit/Source/web/WebFrameSerializer.cpp
diff --git a/third_party/WebKit/Source/web/WebFrameSerializer.cpp b/third_party/WebKit/Source/web/WebFrameSerializer.cpp
index 4434b29d0ebf1950f76066c6237085b0a8142cc8..e1f5084a1d3f6d66e5b47d46da53e4413835a57f 100644
--- a/third_party/WebKit/Source/web/WebFrameSerializer.cpp
+++ b/third_party/WebKit/Source/web/WebFrameSerializer.cpp
@@ -96,6 +96,7 @@ class MHTMLFrameSerializerDelegate final : public FrameSerializer::Delegate {
 
  private:
   bool shouldIgnoreHiddenElement(const Element&);
+  bool shouldIgnoreMetaElement(const Element&);
   bool shouldIgnorePopupOverlayElement(const Element&);
   void getCustomAttributesForImageElement(const HTMLImageElement&,
                                           Vector<Attribute>*);
@@ -112,6 +113,8 @@ MHTMLFrameSerializerDelegate::MHTMLFrameSerializerDelegate(
 bool MHTMLFrameSerializerDelegate::shouldIgnoreElement(const Element& element) {
   if (shouldIgnoreHiddenElement(element))
     return true;
+  if (shouldIgnoreMetaElement(element))
+    return true;
   if (m_webDelegate.removePopupOverlay() &&
       shouldIgnorePopupOverlayElement(element)) {
     return true;
@@ -138,6 +141,23 @@ bool MHTMLFrameSerializerDelegate::shouldIgnoreHiddenElement(
   return parent && !isHTMLHeadElement(parent);
 }
 
+bool MHTMLFrameSerializerDelegate::shouldIgnoreMetaElement(
+    const Element& element) {
+  // Do not include meta elements that declare Content-Security-Policy
+  // directives. They should have already been enforced when the original
+  // document is loaded. Since only the rendered resources are encapsulated in
+  // the saved MHTML page, there is no need to carry the directives. If they

[Mike West, 2017/02/24 08:21:49]

Hrm. I'm not sure I understand what this means. For example, if `<meta
http-equiv="Content-Security-Policy" content="style-src 'self'">` is present,
what happens to `<link href="https://evil.com/style.css"></link>`? Is it
ignored? Is it loaded and serialized as part of the packaging? Or are you really
just serializing the active document?

[jianli, 2017/02/24 21:38:19]

For the page containing the above example code, the style will be blocked due to
that it violates the Content-Security-Policy directive. So when the page is
serialized to MHTML, the evil style will not be encapsulated into MHTML  since
it is not loaded in the active document. The MHTML is loaded in full sandboxing
mode. Though the MHTML still contains '<link
href="https://evil.com/style.css"></link>', it will not be requested because all
the requests for resources not embedded in the MHTML will be blocked. So we
don't have any problem when the Content-Security-Policy directive is removed in
the MHTML.

+  // are still kept in the MHTML, child frames that are referred to using cid:
+  // scheme could be prevented from loading.
+  if (!isHTMLMetaElement(element))
+    return false;
+  if (!element.fastHasAttribute(HTMLNames::contentAttr))
+    return false;
+  const AtomicString& httpEquiv =
+      element.fastGetAttribute(HTMLNames::http_equivAttr);
+  return httpEquiv == "Content-Security-Policy";
+}
+
 bool MHTMLFrameSerializerDelegate::shouldIgnorePopupOverlayElement(
     const Element& element) {
   // The element should be visible.