Local NTP: Deploy strict-dynamic CSP

chrome/browser/search/local_ntp_source.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/search/local_ntp_source.h"
 
 #include <stddef.h>
 
 #include <memory>
 
+#include "base/base64.h"
 #include "base/command_line.h"
 #include "base/json/json_string_value_serializer.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/memory/ref_counted_memory.h"
-#include "base/metrics/field_trial.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
 #include "build/build_config.h"
+#include "chrome/browser/search/google_search_provider_service.h"
+#include "chrome/browser/search/google_search_provider_service_factory.h"
 #include "chrome/browser/search/instant_io_context.h"
 #include "chrome/browser/search/local_files_ntp_source.h"
-#include "chrome/browser/search_engines/template_url_service_factory.h"
 #include "chrome/browser/themes/theme_properties.h"
 #include "chrome/browser/themes/theme_service.h"
 #include "chrome/browser/themes/theme_service_factory.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/url_constants.h"
 #include "chrome/grit/browser_resources.h"
 #include "chrome/grit/generated_resources.h"
 #include "chrome/grit/theme_resources.h"
-#include "components/search_engines/template_url_service.h"
 #include "components/strings/grit/components_strings.h"
+#include "crypto/secure_hash.h"
+#include "net/base/hash_value.h"
 #include "net/url_request/url_request.h"
 #include "third_party/skia/include/core/SkColor.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/base/webui/web_ui_util.h"
 #include "ui/resources/grit/ui_resources.h"
 #include "url/gurl.h"
 
 namespace {
 
 // Signifies a locally constructed resource, i.e. not from grit/.
 const int kLocalResource = -1;
 
 const char kConfigDataFilename[] = "config.js";
 const char kThemeCSSFilename[] = "theme.css";
+const char kMainHtmlFilename[] = "local-ntp.html";
 
 const struct Resource{
   const char* filename;
   int identifier;
   const char* mime_type;
 } kResources[] = {
-    {"local-ntp.html", IDR_LOCAL_NTP_HTML, "text/html"},
+    {kMainHtmlFilename, kLocalResource, "text/html"},
     {"local-ntp.js", IDR_LOCAL_NTP_JS, "application/javascript"},
     {kConfigDataFilename, kLocalResource, "application/javascript"},
     {kThemeCSSFilename, kLocalResource, "text/css"},
     {"local-ntp.css", IDR_LOCAL_NTP_CSS, "text/css"},
     {"images/close_3_mask.png", IDR_CLOSE_3_MASK, "image/png"},
     {"images/close_4_button.png", IDR_CLOSE_4_BUTTON, "image/png"},
     {"images/ntp_default_favicon.png", IDR_NTP_DEFAULT_FAVICON, "image/png"},
 };
 
 // Strips any query parameters from the specified path.
 std::string StripParameters(const std::string& path) {
   return path.substr(0, path.find("?"));
 }
 
-bool DefaultSearchProviderIsGoogle(Profile* profile) {
-  if (!profile)
-    return false;
-
-  TemplateURLService* template_url_service =
-      TemplateURLServiceFactory::GetForProfile(profile);
-  if (!template_url_service)
-    return false;
-
-  const TemplateURL* default_provider =
-      template_url_service->GetDefaultSearchProvider();
-  return default_provider &&
-      (default_provider->GetEngineType(
-          template_url_service->search_terms_data()) ==
-       SEARCH_ENGINE_GOOGLE);
-}
-
 // Adds a localized string keyed by resource id to the dictionary.
 void AddString(base::DictionaryValue* dictionary,
                const std::string& key,
                int resource_id) {
   dictionary->SetString(key, l10n_util::GetStringUTF16(resource_id));
 }
 
 // Populates |translated_strings| dictionary for the local NTP. |is_google|
 // indicates that this page is the Google local NTP.
 std::unique_ptr<base::DictionaryValue> GetTranslatedStrings(bool is_google) {
@@ skipping 12 matching lines @@
   AddString(translated_strings.get(), "title", IDS_NEW_TAB_TITLE);
   if (is_google) {
     AddString(translated_strings.get(), "searchboxPlaceholder",
               IDS_GOOGLE_SEARCH_BOX_EMPTY_HINT);
   }
 
   return translated_strings;
 }
 
 // Returns a JS dictionary of configuration data for the local NTP.
-std::string GetConfigData(Profile* profile) {
+std::string GetConfigData(bool is_google) {
   base::DictionaryValue config_data;
-  bool is_google = DefaultSearchProviderIsGoogle(profile);
   config_data.Set("translatedStrings", GetTranslatedStrings(is_google));
   config_data.SetBoolean("isGooglePage", is_google);
 
   // Serialize the dictionary.
   std::string js_text;
   JSONStringValueSerializer serializer(&js_text);
   serializer.Serialize(config_data);
 
   std::string config_data_js;
   config_data_js.append("var configData = ");
   config_data_js.append(js_text);
   config_data_js.append(";");
   return config_data_js;
 }
 
+std::string GetIntegritySha256Value(const std::string& data) {
+  // Compute the sha256 hash.
+  net::SHA256HashValue hash_value;
+  std::unique_ptr<crypto::SecureHash> hash(
+      crypto::SecureHash::Create(crypto::SecureHash::SHA256));
+  hash->Update(data.data(), data.size());
+  hash->Finish(&hash_value, sizeof(hash_value));
+
+  // Base64-encode it.
+  base::StringPiece hash_value_str(
+      reinterpret_cast<const char*>(hash_value.data), sizeof(hash_value));
+  std::string result;
+  base::Base64Encode(hash_value_str, &result);
+  return result;
+}
+
 std::string GetThemeCSS(Profile* profile) {
   SkColor background_color =
       ThemeService::GetThemeProviderForProfile(profile)
           .GetColor(ThemeProperties::COLOR_NTP_BACKGROUND);
 
   return base::StringPrintf("body { background-color: #%02X%02X%02X; }",
                             SkColorGetR(background_color),
                             SkColorGetG(background_color),
                             SkColorGetB(background_color));
 }
 
 std::string GetLocalNtpPath() {
   return std::string(chrome::kChromeSearchScheme) + "://" +
          std::string(chrome::kChromeSearchLocalNtpHost) + "/";
 }
 
 }  // namespace
 
-LocalNtpSource::LocalNtpSource(Profile* profile) : profile_(profile) {}
+LocalNtpSource::LocalNtpSource(Profile* profile)
+    : profile_(profile),
+      default_search_provider_observer_(this),
+      default_search_provider_is_google_(false) {
+  GoogleSearchProviderService* google_service =
+      GoogleSearchProviderServiceFactory::GetForProfile(profile_);
+  if (google_service) {
+    default_search_provider_observer_.Add(google_service);
+    default_search_provider_is_google_ =
+        google_service->DefaultSearchProviderIsGoogle();
+  }
+}
 
 LocalNtpSource::~LocalNtpSource() = default;
 
 std::string LocalNtpSource::GetSource() const {
   return chrome::kChromeSearchLocalNtpHost;
 }
 
 void LocalNtpSource::StartDataRequest(
     const std::string& path,
     const content::ResourceRequestInfo::WebContentsGetter& wc_getter,
     const content::URLDataSource::GotDataCallback& callback) {
   std::string stripped_path = StripParameters(path);
   if (stripped_path == kConfigDataFilename) {
-    std::string config_data_js = GetConfigData(profile_);
+    std::string config_data_js =
+        GetConfigData(default_search_provider_is_google_);
     callback.Run(base::RefCountedString::TakeString(&config_data_js));
     return;
   }
   if (stripped_path == kThemeCSSFilename) {
     std::string theme_css = GetThemeCSS(profile_);
     callback.Run(base::RefCountedString::TakeString(&theme_css));
     return;
   }
 
 #if !defined(GOOGLE_CHROME_BUILD)
   base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
   if (command_line->HasSwitch(switches::kLocalNtpReload)) {
     if (stripped_path == "local-ntp.html" || stripped_path == "local-ntp.js" ||
         stripped_path == "local-ntp.css") {
       base::ReplaceChars(stripped_path, "-", "_", &stripped_path);
       local_ntp::SendLocalFileResource(stripped_path, callback);
       return;
     }
   }
 #endif  // !defined(GOOGLE_CHROME_BUILD)
 
+  if (stripped_path == kMainHtmlFilename) {
+    std::string html = ResourceBundle::GetSharedInstance()
+                           .GetRawDataResource(IDR_LOCAL_NTP_HTML)
+                           .as_string();
+    std::string config_sha256 =
+        "sha256-" + GetIntegritySha256Value(
+                        GetConfigData(default_search_provider_is_google_));
+    base::ReplaceFirstSubstringAfterOffset(&html, 0, "{{CONFIG_INTEGRITY}}",
+                                           config_sha256);
+    callback.Run(base::RefCountedString::TakeString(&html));
+    return;
+  }
+
   float scale = 1.0f;
   std::string filename;
   webui::ParsePathAndScale(
       GURL(GetLocalNtpPath() + stripped_path), &filename, &scale);
   ui::ScaleFactor scale_factor = ui::GetSupportedScaleFactor(scale);
 
   for (size_t i = 0; i < arraysize(kResources); ++i) {
     if (filename == kResources[i].filename) {
       scoped_refptr<base::RefCountedMemory> response(
           ResourceBundle::GetSharedInstance().LoadDataResourceBytesForScale(
               kResources[i].identifier, scale_factor));
       callback.Run(response.get());
       return;
     }
   }
-  callback.Run(NULL);
+  callback.Run(nullptr);
 }
 
 std::string LocalNtpSource::GetMimeType(
     const std::string& path) const {
   const std::string stripped_path = StripParameters(path);
   for (size_t i = 0; i < arraysize(kResources); ++i) {
     if (stripped_path == kResources[i].filename)
       return kResources[i].mime_type;
   }
   return std::string();
 }
 
 bool LocalNtpSource::AllowCaching() const {
   // Some resources served by LocalNtpSource, i.e. config.js, are dynamically
   // generated and could differ on each access. To avoid using old cached
   // content on reload, disallow caching here. Otherwise, it fails to reflect
   // newly revised user configurations in the page.
   return false;
 }
 
 bool LocalNtpSource::ShouldServiceRequest(
     const net::URLRequest* request) const {
   DCHECK(request->url().host_piece() == chrome::kChromeSearchLocalNtpHost);
   if (!InstantIOContext::ShouldServiceRequest(request))
     return false;
 
   if (request->url().SchemeIs(chrome::kChromeSearchScheme)) {
     std::string filename;
-    webui::ParsePathAndScale(request->url(), &filename, NULL);
+    webui::ParsePathAndScale(request->url(), &filename, nullptr);
     for (size_t i = 0; i < arraysize(kResources); ++i) {
       if (filename == kResources[i].filename)
         return true;
     }
   }
   return false;
 }
 
+std::string LocalNtpSource::GetContentSecurityPolicyScriptSrc() const {
+// Note: This method is called on the IO thread.
+#if !defined(GOOGLE_CHROME_BUILD)
+  base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
+  if (command_line->HasSwitch(switches::kLocalNtpReload)) {
+    // While live-editing the local NTP files, turn off CSP.
+    return "script-src *;";
+  }
+#endif  // !defined(GOOGLE_CHROME_BUILD)
+
+  return "script-src 'strict-dynamic' "
+         "'sha256-" +
+         GetIntegritySha256Value(
+             GetConfigData(default_search_provider_is_google_)) +
+         "' "
+         "'sha256-g38WaUaxnOIWY7E2LtLZ5ff9r5sn1dBj80jevt/kmx0=';";
+}
+
 std::string LocalNtpSource::GetContentSecurityPolicyChildSrc() const {
   // Allow embedding of most visited iframes.
   return base::StringPrintf("child-src %s;",
                             chrome::kChromeSearchMostVisitedUrl);
 }
+
+void LocalNtpSource::OnDefaultSearchProviderIsGoogleChanged(bool is_google) {
+  default_search_provider_is_google_ = is_google;

[sfiera, 2017/04/11 09:45:17]

What thread is this method called from? If it's the UI thread, and we're reading
it from (only?) the IO thread, shouldn't we send the write to the IO thread too?

[Marc Treib, 2017/04/11 12:37:59]

Threading in URLDataSource is kind of a mess :(  The ctor and StartDataRequest
are called on the UI thread, most of the other stuff on the IO thread. I've
added a bunch of DCHECK_CURRENTLY_ONs to make things clearer to the reader.

This method is called on the UI thread, but the bool is read on both UI and IO
thread, which is not quite safe :-/  I've added a copy of the variable for the
IO thread. I'm not particularly happy with this, it feels super fragile... an
std::atomic<bool> might have been nice, but that's banned (and also atomics are
generally discouraged). Better ideas welcome.

[sfiera, 2017/04/11 14:07:35]

Alright, thanks. This is ugly, but feels like the right thing to do given the
circumstances.

+}
+
+void LocalNtpSource::OnGoogleSearchProviderServiceShuttingDown() {
+  default_search_provider_observer_.RemoveAll();
+}