CSP: Enable whitelisting of external JavaScript via hashes

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
@@ skipping 27 matching lines @@
 
   return "sha256-" + base64Encode(reinterpret_cast<char*>(digest.data()),
                                   digest.size(), Base64DoNotInsertLFs);
 }
 
 template <typename CharType>
 inline bool isASCIIAlphanumericOrHyphen(CharType c) {
   return isASCIIAlphanumeric(c) || c == '-';
 }
 
+ContentSecurityPolicyHashAlgorithm convertHashAlgorithmToCSPHashAlgorithm(

[Mike West, 2017/03/29 13:03:54]

Hrm. Can we just make these the same thing? I don't know why we have two hash
enums. That doesn't make much sense.

[Marc Treib, 2017/03/30 09:48:51]

I was wondering that myself :)
The CSP variant has a "None" entry while the other doesn't, and it's also set up
as a bitmask, so it won't be completely trivial to merge them. If you want, I
can give it a try in a separate CL. (Though TBH, I'm also kinda trying to
minimize the amount of yak shaving here ;) )

+    HashAlgorithm algorithm) {
+  switch (algorithm) {
+    case HashAlgorithmSha1:
+      return ContentSecurityPolicyHashAlgorithmSha1;

[Mike West, 2017/03/29 13:03:54]

We shouldn't support SHA-1.

[Marc Treib, 2017/03/30 09:48:51]

Done.

+    case HashAlgorithmSha256:
+      return ContentSecurityPolicyHashAlgorithmSha256;
+    case HashAlgorithmSha384:
+      return ContentSecurityPolicyHashAlgorithmSha384;
+    case HashAlgorithmSha512:
+      return ContentSecurityPolicyHashAlgorithmSha512;
+  }
+  NOTREACHED();
+  return ContentSecurityPolicyHashAlgorithmNone;
+}
+
+bool parseBase64Digest(String base64, DigestValue& hash) {

[Mike West, 2017/03/29 13:03:54]

Can you add some comments noting why this is necessary? (just to accept base64
and base64url? in which case just move the comment up)

[Marc Treib, 2017/03/30 09:48:51]

The DigestValue type has a binary digest value, while SRI has a base64-encoded
string. Comment added.
(I'm actually not sure if base64url is required, but I think it doesn't hurt to
accept it too..?)

+  Vector<char> hashVector;
+  // We accept base64url-encoded data here by normalizing it to base64.
+  if (!base64Decode(normalizeToBase64(base64), hashVector))
+    return false;
+  if (hashVector.isEmpty() || hashVector.size() > kMaxDigestSize)
+    return false;
+  hash.append(reinterpret_cast<uint8_t*>(hashVector.data()), hashVector.size());
+  return true;
+}
+
 }  // namespace
 
 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy,
                                    ContentSecurityPolicyHeaderType type,
                                    ContentSecurityPolicyHeaderSource source)
     : m_policy(policy),
       m_headerType(type),
       m_headerSource(source),
       m_hasSandboxPolicy(false),
       m_strictMixedContentCheckingEnforced(false),
@@ skipping 106 matching lines @@
 
 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const {
   return !directive || directive->allowEval();
 }
 
 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive,
                                               const String& nonce) const {
   return directive && directive->allowNonce(nonce);
 }
 
+bool CSPDirectiveList::areAllMatchingHashesPresent(
+    SourceListDirective* directive,
+    const IntegrityMetadataSet& hashes) const {
+  if (!directive || hashes.isEmpty())
+    return false;
+  for (const std::pair<WTF::String, HashAlgorithm>& hash : hashes) {
+    // Convert the hash from integrity metadata format to CSP format.
+    CSPHashValue cspHash;
+    cspHash.first = convertHashAlgorithmToCSPHashAlgorithm(hash.second);
+    if (!parseBase64Digest(hash.first, cspHash.second))
+      return false;

[Mike West, 2017/03/29 13:03:54]

This appears to replicate much of the logic in `checkDigest()` from
`ContentSecurityPolicy.cpp`. Can we extract the normalization steps somewhere
that can be reused?

[Marc Treib, 2017/03/30 09:48:51]

I don't think they're all that similar. checkDigest() actually computes the
hashes, while this just converts the format of existing hashes.
The mapping between the two HashAlgorithm enums is duplicated in a slightly
different form, but checkDigest() allows sha-1, so I'm not sure it's worth
trying to de-dupe that.

+    // All integrity hashes must be listed in the CSP.
+    if (!directive->allowHash(cspHash))
+      return false;
+  }
+  return true;
+}
+
 bool CSPDirectiveList::checkHash(SourceListDirective* directive,
                                  const CSPHashValue& hashValue) const {
   return !directive || directive->allowHash(hashValue);
 }
 
 bool CSPDirectiveList::checkHashedAttributes(
     SourceListDirective* directive) const {
   return !directive || directive->allowHashedAttributes();
 }
 
@@ skipping 433 matching lines @@
                    "Refused to load '" + url.elidedString() + "' (MIME type '" +
                        typeAttribute +
                        "') because it violates the following Content Security "
                        "Policy Directive: ")
              : checkMediaType(m_pluginTypes.get(), type, typeAttribute);
 }
 
 bool CSPDirectiveList::allowScriptFromSource(
     const KURL& url,
     const String& nonce,
+    const IntegrityMetadataSet& hashes,
     ParserDisposition parserDisposition,
     ResourceRequest::RedirectStatus redirectStatus,
     SecurityViolationReportingPolicy reportingPolicy) const {
-  if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce))
+  SourceListDirective* directive = operativeDirective(m_scriptSrc.get());
+  if (isMatchingNoncePresent(directive, nonce))
     return true;
   if (parserDisposition == NotParserInserted && allowDynamic())
     return true;
+  if (areAllMatchingHashesPresent(directive, hashes))
+    return true;
   return reportingPolicy == SecurityViolationReportingPolicy::Report
              ? checkSourceAndReportViolation(
-                   operativeDirective(m_scriptSrc.get()), url,
+                   directive, url,
                    ContentSecurityPolicy::DirectiveType::ScriptSrc,
                    redirectStatus)
-             : checkSource(operativeDirective(m_scriptSrc.get()), url,
-                           redirectStatus);
+             : checkSource(directive, url, redirectStatus);
 }
 
 bool CSPDirectiveList::allowObjectFromSource(
     const KURL& url,
     ResourceRequest::RedirectStatus redirectStatus,
     SecurityViolationReportingPolicy reportingPolicy) const {
   if (url.protocolIsAbout())
     return true;
   return reportingPolicy == SecurityViolationReportingPolicy::Report
              ? checkSourceAndReportViolation(
@@ skipping 703 matching lines @@
   visitor->trace(m_imgSrc);
   visitor->trace(m_mediaSrc);
   visitor->trace(m_manifestSrc);
   visitor->trace(m_objectSrc);
   visitor->trace(m_scriptSrc);
   visitor->trace(m_styleSrc);
   visitor->trace(m_workerSrc);
 }
 
 }  // namespace blink