PlzNavigate & CSP. Use the SourceLocation in violation reports.

PlzNavigate & CSP. Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946, 705098
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel

Review-Url: https://codereview.chromium.org/2761153003
Cr-Commit-Position: refs/heads/master@{#460727}
Committed: https://chromium.googlesource.com/chromium/src/+/8bec3f2a2edf7217f83d10fe929816e698c64a35

[arthursonzogni, 2017-03-21 12:33:20]

Description was changed from

==========
PlzNavigate|CSP Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946
==========

to

==========
PlzNavigate|CSP Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

[arthursonzogni, 2017-03-21 12:35:33]

Description was changed from

==========
PlzNavigate|CSP Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

to

==========
PlzNavigate|CSP Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel
==========

[arthursonzogni, 2017-03-21 12:51:58]

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-21 12:52:09]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[arthursonzogni, 2017-03-21 13:57:23]

Patchset #1 (id:1) has been deleted

[arthursonzogni, 2017-03-21 14:04:47]

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-21 14:05:05]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-21 15:30:12]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-21 15:30:13]

Dry run: This issue passed the CQ dry run.

[arthursonzogni, 2017-03-21 15:36:12]

Patchset #1 (id:20001) has been deleted

[arthursonzogni, 2017-03-21 15:57:55]

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-21 15:58:24]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[arthursonzogni, 2017-03-21 16:03:12]

Description was changed from

==========
PlzNavigate|CSP Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel
==========

to

==========
PlzNavigate & CSP. Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel
==========

[arthursonzogni, 2017-03-21 16:20:37]

arthursonzogni@chromium.org changed reviewers:
+ clamy@chromium.org, mkwst@chromium.org

[arthursonzogni, 2017-03-21 16:20:38]

Hi Camille and Mike,

Please can you take a look? Thanks!

Camille:
* content/

Mike:
* third_party/WebKit/public/{web, platform}/
* content/common/frame_messages.h

https://codereview.chromium.org/2761153003/diff/60001/content/browser/frame_h...
File content/browser/frame_host/ancestor_throttle.cc (right):

https://codereview.chromium.org/2761153003/diff/60001/content/browser/frame_h...
content/browser/frame_host/ancestor_throttle.cc:192: if
(parent->EnforceCsp(CSPDirective::FrameSrc, url, is_redirect,
While I added the SourceLocation argument to this function, I choose to change
the "IsAllowedByCsp" name, because it was not clear that this function produces
side-effects.
It is probably unrelated to this CL though, let me know what do you think.

[commit-bot: I haz the power, 2017-03-21 17:34:32]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-21 17:34:33]

Dry run: This issue passed the CQ dry run.

[Mike West, 2017-03-22 08:57:38]

LGTM % the rename, which I think needs a little more discussion.

https://codereview.chromium.org/2761153003/diff/60001/content/browser/frame_h...
File content/browser/frame_host/ancestor_throttle.cc (right):

https://codereview.chromium.org/2761153003/diff/60001/content/browser/frame_h...
content/browser/frame_host/ancestor_throttle.cc:192: if
(parent->EnforceCsp(CSPDirective::FrameSrc, url, is_redirect,
On 2017/03/21 at 16:20:38, arthursonzogni wrote:
> While I added the SourceLocation argument to this function, I choose to change
the "IsAllowedByCsp" name, because it was not clear that this function produces
side-effects.
> It is probably unrelated to this CL though, let me know what do you think.

It seems odd to diverge from Blink's implementation. There we do something like
`policy->allowRequest(...)` and pass in an enum that governs whether or not
we're just checking the result or doing reporting. I'd suggest splitting this
change out into a separate patch so we have a chance to discuss the model in a
little more detail.

[arthursonzogni, 2017-03-22 09:38:35]

I applied your suggestion.
Thanks for the review!

https://codereview.chromium.org/2761153003/diff/60001/content/browser/frame_h...
File content/browser/frame_host/ancestor_throttle.cc (right):

https://codereview.chromium.org/2761153003/diff/60001/content/browser/frame_h...
content/browser/frame_host/ancestor_throttle.cc:192: if
(parent->EnforceCsp(CSPDirective::FrameSrc, url, is_redirect,
On 2017/03/22 08:57:38, Mike West wrote:
> On 2017/03/21 at 16:20:38, arthursonzogni wrote:
> > While I added the SourceLocation argument to this function, I choose to
change
> the "IsAllowedByCsp" name, because it was not clear that this function
produces
> side-effects.
> > It is probably unrelated to this CL though, let me know what do you think.
> 
> It seems odd to diverge from Blink's implementation. There we do something
like
> `policy->allowRequest(...)` and pass in an enum that governs whether or not
> we're just checking the result or doing reporting. I'd suggest splitting this
> change out into a separate patch so we have a chance to discuss the model in a
> little more detail.

Okay, let's do this!

[arthursonzogni, 2017-03-27 12:09:01]

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-27 12:09:17]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-27 15:47:18]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-27 15:47:22]

Dry run: This issue passed the CQ dry run.

[arthursonzogni, 2017-03-28 12:32:52]

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-28 12:33:02]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-28 12:35:47]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-28 12:35:48]

Dry run: Try jobs failed on following builders:
  ios-device-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device-xcode-...)
  ios-simulator on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/bui...)
  ios-simulator-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator-xco...)

[arthursonzogni, 2017-03-28 14:12:48]

Patchset #6 (id:140001) has been deleted

[arthursonzogni, 2017-03-28 14:12:57]

Patchset #5 (id:120001) has been deleted

[arthursonzogni, 2017-03-28 14:13:07]

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

[arthursonzogni, 2017-03-28 14:13:25]

Patchset #5 (id:160001) has been deleted

[commit-bot: I haz the power, 2017-03-28 14:13:46]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[arthursonzogni, 2017-03-28 15:17:49]

Description was changed from

==========
PlzNavigate & CSP. Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel
==========

to

==========
PlzNavigate & CSP. Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946,705098
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel
==========

[commit-bot: I haz the power, 2017-03-28 16:13:19]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-28 16:13:20]

Dry run: This issue passed the CQ dry run.

[arthursonzogni, 2017-03-29 09:32:54]

arthursonzogni@chromium.org changed reviewers:
+ alexmos@chromium.org

[arthursonzogni, 2017-03-29 09:32:55]

Hi Alex,

Please can you take a this CL? (as an OWNER of content)
Thanks!

[alexmos, 2017-03-29 23:27:32]

content/ LGTM, and a couple of minor clarification questions about test
expectations.

https://codereview.chromium.org/2761153003/diff/200001/content/common/content...
File content/common/content_security_policy/csp_context.h (right):

https://codereview.chromium.org/2761153003/diff/200001/content/common/content...
content/common/content_security_policy/csp_context.h:23: // and what is the set
of scheme that bypasses the CSP. Its main implementation
nit: "set of schemes that bypass the CSP"

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
File
third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation
(right):

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation:10:
crbug.com/690946
http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html [
Failure ]
I'm curious why this test is still not working?

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation:19:
Bug(none)
http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html
[ Failure ]
I thought the expectations in this file are only applied when running with
--enable-browser-side-navigation, so then I'm a little confused on why we still
need these?

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
File
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-enforce-blocked.php
(right):

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-enforce-blocked.php:14:
assert_equals(e.lineNumber, 20);
This doesn't seem related to this CL and is already changed on ToT.  You
probably need to rebase?  Also looks like the other two tests doing this were
deleted in r460353.

[arthursonzogni, 2017-03-30 09:36:36]

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-30 09:36:55]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-30 11:26:47]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-30 11:26:48]

Dry run: This issue passed the CQ dry run.

[arthursonzogni, 2017-03-30 11:36:27]

Thanks for the review!

https://codereview.chromium.org/2761153003/diff/200001/content/common/content...
File content/common/content_security_policy/csp_context.h (right):

https://codereview.chromium.org/2761153003/diff/200001/content/common/content...
content/common/content_security_policy/csp_context.h:23: // and what is the set
of scheme that bypasses the CSP. Its main implementation
On 2017/03/29 23:27:32, alexmos wrote:
> nit: "set of schemes that bypass the CSP"

Done.

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
File
third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation
(right):

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation:10:
crbug.com/690946
http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html [
Failure ]
On 2017/03/29 23:27:32, alexmos wrote:
> I'm curious why this test is still not working?

Hum, I don't know. I will investigate.
It looks like the SourceLocation that is captured here:
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/web/LocalFrame...
doesn't contain the data.

The goal of this CL is to transmit the SourceLocation to the ReportViolation
function. I think I can do another CL that will fix the issue.

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/FlagExpectations/enable-browser-side-navigation:19:
Bug(none)
http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html
[ Failure ]
On 2017/03/29 23:27:32, alexmos wrote:
> I thought the expectations in this file are only applied when running with
> --enable-browser-side-navigation, so then I'm a little confused on why we
still
> need these?

The thing is that the current test expectations doesn't match what we get with
PlzNavigate. What we have with PlzNavigate is better. The test expectations
should be updated, but we can't, since the source location is missing without
PlzNavigate whenever there is a redirect.

It would be nice to be able to provide different test expectations for the
LayoutTest depending on the experiments that are running.

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
File
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-enforce-blocked.php
(right):

https://codereview.chromium.org/2761153003/diff/200001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-enforce-blocked.php:14:
assert_equals(e.lineNumber, 20);
On 2017/03/29 23:27:32, alexmos wrote:
> This doesn't seem related to this CL and is already changed on ToT.  You
> probably need to rebase?  Also looks like the other two tests doing this were
> deleted in r460353.

Yes, sorry for the confusion. I wanted to add
https://codereview.chromium.org/2785463002/
as dependent patchset, but apparently, it fails.

I will rebase.

[arthursonzogni, 2017-03-30 11:51:28]

The CQ bit was checked by arthursonzogni@chromium.org

[arthursonzogni, 2017-03-30 11:51:29]

The patchset sent to the CQ was uploaded after l-g-t-m from mkwst@chromium.org,
alexmos@chromium.org
Link to the patchset: https://codereview.chromium.org/2761153003/#ps240001
(title: "Addressed comment @alexmos")

[commit-bot: I haz the power, 2017-03-30 11:51:50]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-30 11:56:00]

CQ is committing da patch.

Bot data: {"patchset_id": 240001, "attempt_start_ts": 1490874688634510,
"parent_rev": "e504e898649ac4eb5d9bbf371dd4e6c57034cb19", "commit_rev":
"8bec3f2a2edf7217f83d10fe929816e698c64a35"}

[commit-bot: I haz the power, 2017-03-30 11:56:50]

Description was changed from

==========
PlzNavigate & CSP. Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946,705098
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel
==========

to

==========
PlzNavigate & CSP. Use the SourceLocation in violation reports.

The SourceLocation struct is available during a navigation thanks to this CL:
https://codereview.chromium.org/2720763002

This patch makes use of it for CSP. It fixes several test where the line
number in console messages was missing.

BUG=690946,705098
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_browser_side_navigation_rel

Review-Url: https://codereview.chromium.org/2761153003
Cr-Commit-Position: refs/heads/master@{#460727}
Committed:
https://chromium.googlesource.com/chromium/src/+/8bec3f2a2edf7217f83d10fe9298...
==========

[commit-bot: I haz the power, 2017-03-30 11:56:51]

Committed patchset #8 (id:240001) as
https://chromium.googlesource.com/chromium/src/+/8bec3f2a2edf7217f83d10fe9298...