Local NTP: Deploy strict-dynamic CSP

chrome/browser/search/local_ntp_source.cc

Index: chrome/browser/search/local_ntp_source.cc
diff --git a/chrome/browser/search/local_ntp_source.cc b/chrome/browser/search/local_ntp_source.cc
index 4388e6a087d92e4c31ea3e1b8a9f11f371836eb7..efa9576765afd6fad18458d1a2df425f86e3e044 100644
--- a/chrome/browser/search/local_ntp_source.cc
+++ b/chrome/browser/search/local_ntp_source.cc
@@ -8,6 +8,7 @@
 
 #include <memory>
 
+#include "base/base64.h"
 #include "base/command_line.h"
 #include "base/json/json_string_value_serializer.h"
 #include "base/logging.h"
@@ -31,6 +32,8 @@
 #include "chrome/grit/theme_resources.h"
 #include "components/search_engines/template_url_service.h"
 #include "components/strings/grit/components_strings.h"
+#include "crypto/secure_hash.h"
+#include "net/base/hash_value.h"
 #include "net/url_request/url_request.h"
 #include "third_party/skia/include/core/SkColor.h"
 #include "ui/base/l10n/l10n_util.h"
@@ -46,13 +49,14 @@ const int kLocalResource = -1;
 
 const char kConfigDataFilename[] = "config.js";
 const char kThemeCSSFilename[] = "theme.css";
+const char kMainHtmlFilename[] = "local-ntp.html";
 
 const struct Resource{
   const char* filename;
   int identifier;
   const char* mime_type;
 } kResources[] = {
-    {"local-ntp.html", IDR_LOCAL_NTP_HTML, "text/html"},
+    {kMainHtmlFilename, kLocalResource, "text/html"},
     {"local-ntp.js", IDR_LOCAL_NTP_JS, "application/javascript"},
     {kConfigDataFilename, kLocalResource, "application/javascript"},
     {kThemeCSSFilename, kLocalResource, "text/css"},
@@ -134,6 +138,22 @@ std::string GetConfigData(Profile* profile) {
   return config_data_js;
 }
 
+std::string GetIntegritySha256Value(const std::string& data) {
+  // Compute the sha256 hash.
+  net::SHA256HashValue hash_value;
+  std::unique_ptr<crypto::SecureHash> hash(
+      crypto::SecureHash::Create(crypto::SecureHash::SHA256));
+  hash->Update(data.data(), data.size());
+  hash->Finish(&hash_value, sizeof(hash_value));
+
+  // Base64-encode it.
+  base::StringPiece hash_value_str(reinterpret_cast<char*>(hash_value.data),
+                                   sizeof(hash_value));
+  std::string result;
+  base::Base64Encode(hash_value_str, &result);
+  return result;
+}
+
 std::string GetThemeCSS(Profile* profile) {
   SkColor background_color =
       ThemeService::GetThemeProviderForProfile(profile)
@@ -181,6 +201,8 @@ void LocalNtpSource::StartDataRequest(
   if (command_line->HasSwitch(switches::kLocalNtpReload)) {
     if (stripped_path == "local-ntp.html" || stripped_path == "local-ntp.js" ||
         stripped_path == "local-ntp.css") {
+      // TODO(treib): This is now broken for the html file - need to insert the
+      // config hash.

[Marc Treib, 2017/04/07 16:46:15]

...which would be somewhat annoying in terms of plumbing. Since I've never
actually used this stuff, I'm kinda tempted to just rip it out. WDYT?

[sfiera, 2017/04/10 08:53:21]

What's it actually for? Live-editing the files in the src/ tree? Can we just
disable integrity-checking in that case? Simpler than making it work.

[Marc Treib, 2017/04/10 10:11:18]

Yup, it's for live-editing.
Good idea, I'll turn off the CSP if that switch is set. There's still the hash
in the html file itself, I guess you'll just have to manually remove or update
that.

       base::ReplaceChars(stripped_path, "-", "_", &stripped_path);
       local_ntp::SendLocalFileResource(stripped_path, callback);
       return;
@@ -188,6 +210,18 @@ void LocalNtpSource::StartDataRequest(
   }
 #endif  // !defined(GOOGLE_CHROME_BUILD)
 
+  if (stripped_path == kMainHtmlFilename) {
+    std::string html = ResourceBundle::GetSharedInstance()
+                           .GetRawDataResource(IDR_LOCAL_NTP_HTML)
+                           .as_string();
+    std::string config_sha256 =
+        "sha256-" + GetIntegritySha256Value(GetConfigData(profile_));
+    base::ReplaceFirstSubstringAfterOffset(&html, 0, "{{CONFIG_INTEGRITY}}",
+                                           config_sha256);
+    callback.Run(base::RefCountedString::TakeString(&html));
+    return;
+  }
+
   float scale = 1.0f;
   std::string filename;
   webui::ParsePathAndScale(
@@ -203,7 +237,7 @@ void LocalNtpSource::StartDataRequest(
       return;
     }
   }
-  callback.Run(NULL);
+  callback.Run(nullptr);
 }
 
 std::string LocalNtpSource::GetMimeType(
@@ -232,7 +266,7 @@ bool LocalNtpSource::ShouldServiceRequest(
 
   if (request->url().SchemeIs(chrome::kChromeSearchScheme)) {
     std::string filename;
-    webui::ParsePathAndScale(request->url(), &filename, NULL);
+    webui::ParsePathAndScale(request->url(), &filename, nullptr);
     for (size_t i = 0; i < arraysize(kResources); ++i) {
       if (filename == kResources[i].filename)
         return true;
@@ -241,6 +275,14 @@ bool LocalNtpSource::ShouldServiceRequest(
   return false;
 }
 
+std::string LocalNtpSource::GetContentSecurityPolicyScriptSrc() const {
+  return "script-src 'strict-dynamic' "

[Marc Treib, 2017/04/07 16:46:15]

Could hide this behind a (default-enabled) feature, just to be sure...?

[sfiera, 2017/04/10 08:53:21]

Right now, users only land on the local NTP if they're offline, right? Do we
know how often that is? My inclination would be to not worry about it.

(obviously if we run an experiment and detect problems, we can pull the plug on
the experiment)

[Marc Treib, 2017/04/10 10:11:18]

Even while offline, there should usually be a cached version of the remote NTP.
However, metrics say that something like 10% of all NTP loads are on the local
NTP, so it's not all that rare.
My main worry would be that not everything can be put behind the experiment in a
straightforward way - e.g. the hashes in local_ntp.html wouldn't be trivial to
take out.

+         "'sha256-" +
+         GetIntegritySha256Value(GetConfigData(profile_)) +

[sfiera, 2017/04/10 08:53:21]

Are we going to be computing this hash multiple times on each NTP load?

[Marc Treib, 2017/04/10 10:11:18]

Yes; twice at the very least, probably even more often. Unfortunately, it's not
entirely trivial to cache, or more precisely, when to invalidate the cache.
Are you worried about performance?

[sfiera, 2017/04/10 10:28:53]

I was thinking about computing once when the HTML is loaded, since the HTML
would be loaded first (I assume), and the hashes in the CSP need to match those
in the HTML file.
That was my thought, but I guess this is Desktop-only.

[Marc Treib, 2017/04/10 11:44:03]

The CSP is served through HTTP headers, so that actually comes first. Also it
seems that GetContentSecurityPolicyScriptSrc is called multiple times during a
page load, I don't know why. But we can't really assume any relation between
HTML load and CSP query.
Yup. Still shouldn't ignore performance of course...

+         "' "
+         "'sha256-g38WaUaxnOIWY7E2LtLZ5ff9r5sn1dBj80jevt/kmx0=';";
+}
+
 std::string LocalNtpSource::GetContentSecurityPolicyChildSrc() const {
   // Allow embedding of most visited iframes.
   return base::StringPrintf("child-src %s;",