Enable websocket filtering via SubresourceFilter

third_party/WebKit/Source/modules/websockets/DocumentWebSocketChannel.cpp

Index: third_party/WebKit/Source/modules/websockets/DocumentWebSocketChannel.cpp
diff --git a/third_party/WebKit/Source/modules/websockets/DocumentWebSocketChannel.cpp b/third_party/WebKit/Source/modules/websockets/DocumentWebSocketChannel.cpp
index 743f06d89a4c106ab6e7fe419c23c658ca828319..2185573499764ec1858773182bc98daaa4d2c054 100644
--- a/third_party/WebKit/Source/modules/websockets/DocumentWebSocketChannel.cpp
+++ b/third_party/WebKit/Source/modules/websockets/DocumentWebSocketChannel.cpp
@@ -34,12 +34,15 @@
 #include "core/dom/DOMArrayBuffer.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
+#include "core/dom/TaskRunnerHelper.h"
 #include "core/fileapi/FileReaderLoader.h"
 #include "core/fileapi/FileReaderLoaderClient.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/LocalFrameClient.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/inspector/InspectorInstrumentation.h"
+#include "core/loader/DocumentLoader.h"
+#include "core/loader/SubresourceFilter.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/MixedContentChecker.h"
 #include "modules/websockets/InspectorWebSocketEvents.h"
@@ -181,6 +184,22 @@ bool DocumentWebSocketChannel::connect(const KURL& url,
     protocol.split(", ", true, protocols);
   }
 
+  // If the connection needs to be filtered, asynchronously fail. Note that
+  // returning "true" just indicates that this was not synchronous security
+  // error.
+  if (shouldFilterConnection(url)) {
+    // TODO(csharrison): Include a reason string here.

[pkalinnikov, 2017/03/02 12:33:53]

Could this be done in this CL? E.g., "Connection blocked|disallowed by
subresource_filter.".

[Charlie Harrison, 2017/03/02 14:48:01]

OK. This is a little hard to understand but it is better than nothing. We'll
have better devtools strings in notifyLoad later.

+    TaskRunnerHelper::get(TaskType::Networking, document())
+        ->postTask(
+            BLINK_FROM_HERE,
+            WTF::bind(
+                &DocumentWebSocketChannel::failWithClosureCode,
+                wrapPersistent(this), CloseEventCodePolicyViolation, String(""),
+                WarningMessageLevel,
+                WTF::passed(SourceLocation::create(String(), 0, 0, nullptr))));
+    return true;
+  }
+
   if (document()->frame() &&
       document()->frame()->interfaceProvider() !=
           InterfaceProvider::getEmptyInterfaceProvider()) {
@@ -291,6 +310,15 @@ void DocumentWebSocketChannel::close(int code, const String& reason) {
 void DocumentWebSocketChannel::fail(const String& reason,
                                     MessageLevel level,
                                     std::unique_ptr<SourceLocation> location) {
+  return failWithClosureCode(CloseEventCodeAbnormalClosure, reason, level,
+                             std::move(location));
+}
+
+void DocumentWebSocketChannel::failWithClosureCode(
+    unsigned short code,
+    const String& reason,
+    MessageLevel level,
+    std::unique_ptr<SourceLocation> location) {
   NETWORK_DVLOG(1) << this << " fail(" << reason << ")";
   // m_handle and m_client can be null here.
 
@@ -307,7 +335,7 @@ void DocumentWebSocketChannel::fail(const String& reason,
     m_client->didError();
   // |reason| is only for logging and should not be provided for scripts,
   // hence close reason must be empty.
-  handleDidClose(false, CloseEventCodeAbnormalClosure, String());
+  handleDidClose(false, code, String());
   // handleDidClose may delete this object.
 }
 
@@ -662,6 +690,18 @@ void DocumentWebSocketChannel::didFailLoadingBlob(
   // |this| can be deleted here.
 }
 
+bool DocumentWebSocketChannel::shouldFilterConnection(const KURL& url) {

[pkalinnikov, 2017/03/02 12:33:53]

nit: How about should(Disallow|Block)Connection?

[Charlie Harrison, 2017/03/02 14:48:01]

Changed to Disallow.

+  if (!m_handle)
+    return false;
+  DocumentLoader* loader = document()->loader();
+  if (!loader)
+    return false;
+  SubresourceFilter* subresourceFilter = loader->subresourceFilter();
+  if (!subresourceFilter)
+    return false;
+  return !subresourceFilter->allowWebSocketConnection(url);
+}
+
 DEFINE_TRACE(DocumentWebSocketChannel) {
   visitor->trace(m_blobLoader);
   visitor->trace(m_messages);