Local NTP: Deploy strict-dynamic CSP

chrome/browser/search/local_ntp_source.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/search/local_ntp_source.h"
 
 #include <stddef.h>
 
 #include <memory>
 
+#include "base/base64.h"
 #include "base/command_line.h"
 #include "base/json/json_string_value_serializer.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/memory/ref_counted_memory.h"
 #include "base/metrics/field_trial.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
 #include "build/build_config.h"
 #include "chrome/browser/search/instant_io_context.h"
 #include "chrome/browser/search/local_files_ntp_source.h"
 #include "chrome/browser/search_engines/template_url_service_factory.h"
 #include "chrome/browser/themes/theme_properties.h"
 #include "chrome/browser/themes/theme_service.h"
 #include "chrome/browser/themes/theme_service_factory.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/url_constants.h"
 #include "chrome/grit/browser_resources.h"
 #include "chrome/grit/generated_resources.h"
 #include "chrome/grit/theme_resources.h"
 #include "components/search_engines/template_url_service.h"
 #include "components/strings/grit/components_strings.h"
+#include "crypto/secure_hash.h"
+#include "net/base/hash_value.h"
 #include "net/url_request/url_request.h"
 #include "third_party/skia/include/core/SkColor.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/base/webui/web_ui_util.h"
 #include "ui/resources/grit/ui_resources.h"
 #include "url/gurl.h"
 
 namespace {
 
 // Signifies a locally constructed resource, i.e. not from grit/.
 const int kLocalResource = -1;
 
 const char kConfigDataFilename[] = "config.js";
 const char kThemeCSSFilename[] = "theme.css";
+const char kMainHtmlFilename[] = "local-ntp.html";
 
 const struct Resource{
   const char* filename;
   int identifier;
   const char* mime_type;
 } kResources[] = {
-    {"local-ntp.html", IDR_LOCAL_NTP_HTML, "text/html"},
+    {kMainHtmlFilename, kLocalResource, "text/html"},
     {"local-ntp.js", IDR_LOCAL_NTP_JS, "application/javascript"},
     {kConfigDataFilename, kLocalResource, "application/javascript"},
     {kThemeCSSFilename, kLocalResource, "text/css"},
     {"local-ntp.css", IDR_LOCAL_NTP_CSS, "text/css"},
     {"images/close_3_mask.png", IDR_CLOSE_3_MASK, "image/png"},
     {"images/close_4_button.png", IDR_CLOSE_4_BUTTON, "image/png"},
     {"images/ntp_default_favicon.png", IDR_NTP_DEFAULT_FAVICON, "image/png"},
 };
 
 // Strips any query parameters from the specified path.
@@ skipping 61 matching lines @@
   JSONStringValueSerializer serializer(&js_text);
   serializer.Serialize(config_data);
 
   std::string config_data_js;
   config_data_js.append("var configData = ");
   config_data_js.append(js_text);
   config_data_js.append(";");
   return config_data_js;
 }
 
+std::string GetIntegritySha256Value(const std::string& data) {
+  // Compute the sha256 hash.
+  net::SHA256HashValue hash_value;
+  std::unique_ptr<crypto::SecureHash> hash(
+      crypto::SecureHash::Create(crypto::SecureHash::SHA256));
+  hash->Update(data.data(), data.size());
+  hash->Finish(&hash_value, sizeof(hash_value));
+
+  // Base64-encode it.
+  base::StringPiece hash_value_str(reinterpret_cast<char*>(hash_value.data),
+                                   sizeof(hash_value));
+  std::string result;
+  base::Base64Encode(hash_value_str, &result);
+  return result;
+}
+
 std::string GetThemeCSS(Profile* profile) {
   SkColor background_color =
       ThemeService::GetThemeProviderForProfile(profile)
           .GetColor(ThemeProperties::COLOR_NTP_BACKGROUND);
 
   return base::StringPrintf("body { background-color: #%02X%02X%02X; }",
                             SkColorGetR(background_color),
                             SkColorGetG(background_color),
                             SkColorGetB(background_color));
 }
@@ skipping 27 matching lines @@
     std::string theme_css = GetThemeCSS(profile_);
     callback.Run(base::RefCountedString::TakeString(&theme_css));
     return;
   }
 
 #if !defined(GOOGLE_CHROME_BUILD)
   base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
   if (command_line->HasSwitch(switches::kLocalNtpReload)) {
     if (stripped_path == "local-ntp.html" || stripped_path == "local-ntp.js" ||
         stripped_path == "local-ntp.css") {
+      // TODO(treib): This is now broken for the html file - need to insert the
+      // config hash.

[Marc Treib, 2017/04/07 16:46:15]

...which would be somewhat annoying in terms of plumbing. Since I've never
actually used this stuff, I'm kinda tempted to just rip it out. WDYT?

[sfiera, 2017/04/10 08:53:21]

What's it actually for? Live-editing the files in the src/ tree? Can we just
disable integrity-checking in that case? Simpler than making it work.

[Marc Treib, 2017/04/10 10:11:18]

Yup, it's for live-editing.
Good idea, I'll turn off the CSP if that switch is set. There's still the hash
in the html file itself, I guess you'll just have to manually remove or update
that.

       base::ReplaceChars(stripped_path, "-", "_", &stripped_path);
       local_ntp::SendLocalFileResource(stripped_path, callback);
       return;
     }
   }
 #endif  // !defined(GOOGLE_CHROME_BUILD)
 
+  if (stripped_path == kMainHtmlFilename) {
+    std::string html = ResourceBundle::GetSharedInstance()
+                           .GetRawDataResource(IDR_LOCAL_NTP_HTML)
+                           .as_string();
+    std::string config_sha256 =
+        "sha256-" + GetIntegritySha256Value(GetConfigData(profile_));
+    base::ReplaceFirstSubstringAfterOffset(&html, 0, "{{CONFIG_INTEGRITY}}",
+                                           config_sha256);
+    callback.Run(base::RefCountedString::TakeString(&html));
+    return;
+  }
+
   float scale = 1.0f;
   std::string filename;
   webui::ParsePathAndScale(
       GURL(GetLocalNtpPath() + stripped_path), &filename, &scale);
   ui::ScaleFactor scale_factor = ui::GetSupportedScaleFactor(scale);
 
   for (size_t i = 0; i < arraysize(kResources); ++i) {
     if (filename == kResources[i].filename) {
       scoped_refptr<base::RefCountedMemory> response(
           ResourceBundle::GetSharedInstance().LoadDataResourceBytesForScale(
               kResources[i].identifier, scale_factor));
       callback.Run(response.get());
       return;
     }
   }
-  callback.Run(NULL);
+  callback.Run(nullptr);
 }
 
 std::string LocalNtpSource::GetMimeType(
     const std::string& path) const {
   const std::string stripped_path = StripParameters(path);
   for (size_t i = 0; i < arraysize(kResources); ++i) {
     if (stripped_path == kResources[i].filename)
       return kResources[i].mime_type;
   }
   return std::string();
 }
 
 bool LocalNtpSource::AllowCaching() const {
   // Some resources served by LocalNtpSource, i.e. config.js, are dynamically
   // generated and could differ on each access. To avoid using old cached
   // content on reload, disallow caching here. Otherwise, it fails to reflect
   // newly revised user configurations in the page.
   return false;
 }
 
 bool LocalNtpSource::ShouldServiceRequest(
     const net::URLRequest* request) const {
   DCHECK(request->url().host_piece() == chrome::kChromeSearchLocalNtpHost);
   if (!InstantIOContext::ShouldServiceRequest(request))
     return false;
 
   if (request->url().SchemeIs(chrome::kChromeSearchScheme)) {
     std::string filename;
-    webui::ParsePathAndScale(request->url(), &filename, NULL);
+    webui::ParsePathAndScale(request->url(), &filename, nullptr);
     for (size_t i = 0; i < arraysize(kResources); ++i) {
       if (filename == kResources[i].filename)
         return true;
     }
   }
   return false;
 }
 
+std::string LocalNtpSource::GetContentSecurityPolicyScriptSrc() const {
+  return "script-src 'strict-dynamic' "

[Marc Treib, 2017/04/07 16:46:15]

Could hide this behind a (default-enabled) feature, just to be sure...?

[sfiera, 2017/04/10 08:53:21]

Right now, users only land on the local NTP if they're offline, right? Do we
know how often that is? My inclination would be to not worry about it.

(obviously if we run an experiment and detect problems, we can pull the plug on
the experiment)

[Marc Treib, 2017/04/10 10:11:18]

Even while offline, there should usually be a cached version of the remote NTP.
However, metrics say that something like 10% of all NTP loads are on the local
NTP, so it's not all that rare.
My main worry would be that not everything can be put behind the experiment in a
straightforward way - e.g. the hashes in local_ntp.html wouldn't be trivial to
take out.

+         "'sha256-" +
+         GetIntegritySha256Value(GetConfigData(profile_)) +

[sfiera, 2017/04/10 08:53:21]

Are we going to be computing this hash multiple times on each NTP load?

[Marc Treib, 2017/04/10 10:11:18]

Yes; twice at the very least, probably even more often. Unfortunately, it's not
entirely trivial to cache, or more precisely, when to invalidate the cache.
Are you worried about performance?

[sfiera, 2017/04/10 10:28:53]

I was thinking about computing once when the HTML is loaded, since the HTML
would be loaded first (I assume), and the hashes in the CSP need to match those
in the HTML file.
That was my thought, but I guess this is Desktop-only.

[Marc Treib, 2017/04/10 11:44:03]

The CSP is served through HTTP headers, so that actually comes first. Also it
seems that GetContentSecurityPolicyScriptSrc is called multiple times during a
page load, I don't know why. But we can't really assume any relation between
HTML load and CSP query.
Yup. Still shouldn't ignore performance of course...

+         "' "
+         "'sha256-g38WaUaxnOIWY7E2LtLZ5ff9r5sn1dBj80jevt/kmx0=';";
+}
+
 std::string LocalNtpSource::GetContentSecurityPolicyChildSrc() const {
   // Allow embedding of most visited iframes.
   return base::StringPrintf("child-src %s;",
                             chrome::kChromeSearchMostVisitedUrl);
 }