Chromium Code Reviews Chromium Code Reviews
Issue 2805133004:
Local NTP: Deploy strict-dynamic CSP (Closed)
| Index: chrome/browser/search/local_ntp_source.cc |
| diff --git a/chrome/browser/search/local_ntp_source.cc b/chrome/browser/search/local_ntp_source.cc |
| index 4388e6a087d92e4c31ea3e1b8a9f11f371836eb7..d1a46a43edc3f9e3d5d641e51f2a9d61bd55c9ba 100644 |
| --- a/chrome/browser/search/local_ntp_source.cc |
| +++ b/chrome/browser/search/local_ntp_source.cc |
| @@ -6,14 +6,12 @@ |
| #include <stddef.h> |
| -#include <memory> |
| - |
| +#include "base/base64.h" |
| #include "base/command_line.h" |
| #include "base/json/json_string_value_serializer.h" |
| #include "base/logging.h" |
| #include "base/memory/ptr_util.h" |
| #include "base/memory/ref_counted_memory.h" |
| -#include "base/metrics/field_trial.h" |
| #include "base/strings/string_util.h" |
| #include "base/strings/stringprintf.h" |
| #include "base/values.h" |
| @@ -30,7 +28,11 @@ |
| #include "chrome/grit/generated_resources.h" |
| #include "chrome/grit/theme_resources.h" |
| #include "components/search_engines/template_url_service.h" |
| +#include "components/search_engines/template_url_service_observer.h" |
| #include "components/strings/grit/components_strings.h" |
| +#include "content/public/browser/browser_thread.h" |
| +#include "crypto/secure_hash.h" |
| +#include "net/base/hash_value.h" |
| #include "net/url_request/url_request.h" |
| #include "third_party/skia/include/core/SkColor.h" |
| #include "ui/base/l10n/l10n_util.h" |
| @@ -46,13 +48,14 @@ const int kLocalResource = -1; |
| const char kConfigDataFilename[] = "config.js"; |
| const char kThemeCSSFilename[] = "theme.css"; |
| +const char kMainHtmlFilename[] = "local-ntp.html"; |
| const struct Resource{ |
| const char* filename; |
| int identifier; |
| const char* mime_type; |
| } kResources[] = { |
| - {"local-ntp.html", IDR_LOCAL_NTP_HTML, "text/html"}, |
| + {kMainHtmlFilename, kLocalResource, "text/html"}, |
| {"local-ntp.js", IDR_LOCAL_NTP_JS, "application/javascript"}, |
| {kConfigDataFilename, kLocalResource, "application/javascript"}, |
| {kThemeCSSFilename, kLocalResource, "text/css"}, |
| @@ -67,23 +70,6 @@ std::string StripParameters(const std::string& path) { |
| return path.substr(0, path.find("?")); |
| } |
| -bool DefaultSearchProviderIsGoogle(Profile* profile) { |
| - if (!profile) |
| - return false; |
| - |
| - TemplateURLService* template_url_service = |
| - TemplateURLServiceFactory::GetForProfile(profile); |
| - if (!template_url_service) |
| - return false; |
| - |
| - const TemplateURL* default_provider = |
| - template_url_service->GetDefaultSearchProvider(); |
| - return default_provider && |
| - (default_provider->GetEngineType( |
| - template_url_service->search_terms_data()) == |
| - SEARCH_ENGINE_GOOGLE); |
| -} |
| - |
| // Adds a localized string keyed by resource id to the dictionary. |
| void AddString(base::DictionaryValue* dictionary, |
| const std::string& key, |
| @@ -116,9 +102,8 @@ std::unique_ptr<base::DictionaryValue> GetTranslatedStrings(bool is_google) { |
| } |
| // Returns a JS dictionary of configuration data for the local NTP. |
| -std::string GetConfigData(Profile* profile) { |
| +std::string GetConfigData(bool is_google) { |
| base::DictionaryValue config_data; |
| - bool is_google = DefaultSearchProviderIsGoogle(profile); |
| config_data.Set("translatedStrings", GetTranslatedStrings(is_google)); |
| config_data.SetBoolean("isGooglePage", is_google); |
| @@ -134,6 +119,22 @@ std::string GetConfigData(Profile* profile) { |
| return config_data_js; |
| } |
| +std::string GetIntegritySha256Value(const std::string& data) { |
| + // Compute the sha256 hash. |
| + net::SHA256HashValue hash_value; |
| + std::unique_ptr<crypto::SecureHash> hash( |
| + crypto::SecureHash::Create(crypto::SecureHash::SHA256)); |
| + hash->Update(data.data(), data.size()); |
| + hash->Finish(&hash_value, sizeof(hash_value)); |
| + |
| + // Base64-encode it. |
| + base::StringPiece hash_value_str( |
| + reinterpret_cast<const char*>(hash_value.data), sizeof(hash_value)); |
| + std::string result; |
| + base::Base64Encode(hash_value_str, &result); |
| + return result; |
| +} |
| + |
| std::string GetThemeCSS(Profile* profile) { |
| SkColor background_color = |
| ThemeService::GetThemeProviderForProfile(profile) |
| @@ -150,9 +151,76 @@ std::string GetLocalNtpPath() { |
| std::string(chrome::kChromeSearchLocalNtpHost) + "/"; |
| } |
| +bool DefaultSearchProviderIsGoogleImpl( |
| + const TemplateURLService* template_url_service) { |
| + const TemplateURL* default_provider = |
| + template_url_service->GetDefaultSearchProvider(); |
| + return default_provider && (default_provider->GetEngineType( |
| + template_url_service->search_terms_data()) == |
| + SEARCH_ENGINE_GOOGLE); |
| +} |
| + |
| } // namespace |
| -LocalNtpSource::LocalNtpSource(Profile* profile) : profile_(profile) {} |
| +class LocalNtpSource::GoogleSearchProviderTracker |
| + : public TemplateURLServiceObserver { |
| + public: |
| + using SearchProviderIsGoogleChangedCallback = |
| + base::Callback<void(bool is_google)>; |
| + |
| + GoogleSearchProviderTracker( |
| + TemplateURLService* service, |
| + const SearchProviderIsGoogleChangedCallback& callback) |
| + : service_(service), callback_(callback), is_google_(false) { |
| + DCHECK(service_); |
| + service_->AddObserver(this); |
| + is_google_ = DefaultSearchProviderIsGoogleImpl(service_); |
| + } |
| + |
| + ~GoogleSearchProviderTracker() override { |
| + if (service_) |
| + service_->RemoveObserver(this); |
| + } |
| + |
| + bool DefaultSearchProviderIsGoogle() const { return is_google_; } |
| + |
| + private: |
| + void OnTemplateURLServiceChanged() override { |
| + bool old_is_google = is_google_; |
| + is_google_ = DefaultSearchProviderIsGoogleImpl(service_); |
| + if (is_google_ != old_is_google) |
| + callback_.Run(is_google_); |
| + } |
| + |
| + void OnTemplateURLServiceShuttingDown() override { |
| + service_->RemoveObserver(this); |
| + service_ = nullptr; |
| + } |
| + |
| + TemplateURLService* service_; |
| + SearchProviderIsGoogleChangedCallback callback_; |
| + |
| + bool is_google_; |
| +}; |
| + |
| +LocalNtpSource::LocalNtpSource(Profile* profile) |
| + : profile_(profile), |
| + default_search_provider_is_google_(false), |
| + default_search_provider_is_google_io_thread_(false), |
| + weak_ptr_factory_(this) { |
| + DCHECK_CURRENTLY_ON(content::BrowserThread::UI); |
| + |
| + TemplateURLService* template_url_service = |
| + TemplateURLServiceFactory::GetForProfile(profile_); |
| + if (template_url_service) { |
| + google_tracker_ = base::MakeUnique<GoogleSearchProviderTracker>( |
| + template_url_service, |
| + base::Bind(&LocalNtpSource::DefaultSearchProviderIsGoogleChanged, |
| + base::Unretained(this))); |
| + DefaultSearchProviderIsGoogleChanged( |
| + google_tracker_->DefaultSearchProviderIsGoogle()); |
| + } |
| +} |
| LocalNtpSource::~LocalNtpSource() = default; |
| @@ -164,9 +232,12 @@ void LocalNtpSource::StartDataRequest( |
| const std::string& path, |
| const content::ResourceRequestInfo::WebContentsGetter& wc_getter, |
| const content::URLDataSource::GotDataCallback& callback) { |
| + DCHECK_CURRENTLY_ON(content::BrowserThread::UI); |
| + |
| std::string stripped_path = StripParameters(path); |
| if (stripped_path == kConfigDataFilename) { |
| - std::string config_data_js = GetConfigData(profile_); |
| + std::string config_data_js = |
| + GetConfigData(default_search_provider_is_google_); |
| callback.Run(base::RefCountedString::TakeString(&config_data_js)); |
| return; |
| } |
| @@ -188,6 +259,19 @@ void LocalNtpSource::StartDataRequest( |
| } |
| #endif // !defined(GOOGLE_CHROME_BUILD) |
| + if (stripped_path == kMainHtmlFilename) { |
| + std::string html = ResourceBundle::GetSharedInstance() |
| + .GetRawDataResource(IDR_LOCAL_NTP_HTML) |
| + .as_string(); |
| + std::string config_sha256 = |
| + "sha256-" + GetIntegritySha256Value( |
| + GetConfigData(default_search_provider_is_google_)); |
| + base::ReplaceFirstSubstringAfterOffset(&html, 0, "{{CONFIG_INTEGRITY}}", |
| + config_sha256); |
| + callback.Run(base::RefCountedString::TakeString(&html)); |
| + return; |
| + } |
| + |
| float scale = 1.0f; |
| std::string filename; |
| webui::ParsePathAndScale( |
| @@ -203,7 +287,7 @@ void LocalNtpSource::StartDataRequest( |
| return; |
| } |
| } |
| - callback.Run(NULL); |
| + callback.Run(nullptr); |
| } |
| std::string LocalNtpSource::GetMimeType( |
| @@ -226,13 +310,15 @@ bool LocalNtpSource::AllowCaching() const { |
| bool LocalNtpSource::ShouldServiceRequest( |
| const net::URLRequest* request) const { |
| + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); |
| + |
| DCHECK(request->url().host_piece() == chrome::kChromeSearchLocalNtpHost); |
| if (!InstantIOContext::ShouldServiceRequest(request)) |
| return false; |
| if (request->url().SchemeIs(chrome::kChromeSearchScheme)) { |
| std::string filename; |
| - webui::ParsePathAndScale(request->url(), &filename, NULL); |
| + webui::ParsePathAndScale(request->url(), &filename, nullptr); |
| for (size_t i = 0; i < arraysize(kResources); ++i) { |
| if (filename == kResources[i].filename) |
| return true; |
| @@ -241,8 +327,46 @@ bool LocalNtpSource::ShouldServiceRequest( |
| return false; |
| } |
| +std::string LocalNtpSource::GetContentSecurityPolicyScriptSrc() const { |
| + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); |
| + |
| +#if !defined(GOOGLE_CHROME_BUILD) |
| + base::CommandLine* command_line = base::CommandLine::ForCurrentProcess(); |
| + if (command_line->HasSwitch(switches::kLocalNtpReload)) { |
| + // While live-editing the local NTP files, turn off CSP. |
| + return "script-src *;"; |
| + } |
| +#endif // !defined(GOOGLE_CHROME_BUILD) |
| + |
| + return "script-src 'strict-dynamic' " |
| + "'sha256-" + |
| + GetIntegritySha256Value( |
| + GetConfigData(default_search_provider_is_google_io_thread_)) + |
| + "' " |
| + "'sha256-g38WaUaxnOIWY7E2LtLZ5ff9r5sn1dBj80jevt/kmx0=';"; |
|
Dan Beam
2017/05/30 17:09:52
is there perhaps a more dynamic way to do this?
sfiera
2017/05/31 08:22:39
Marc's OOO this week.
Doing it at runtime would b
Dan Beam
2017/05/31 17:49:23
yes, generating at compile time would be great
|
| +} |
| + |
| std::string LocalNtpSource::GetContentSecurityPolicyChildSrc() const { |
| + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); |
| + |
| // Allow embedding of most visited iframes. |
| return base::StringPrintf("child-src %s;", |
| chrome::kChromeSearchMostVisitedUrl); |
| } |
| + |
| +void LocalNtpSource::DefaultSearchProviderIsGoogleChanged(bool is_google) { |
| + DCHECK_CURRENTLY_ON(content::BrowserThread::UI); |
| + |
| + default_search_provider_is_google_ = is_google; |
| + content::BrowserThread::PostTask( |
| + content::BrowserThread::IO, FROM_HERE, |
| + base::Bind(&LocalNtpSource::SetDefaultSearchProviderIsGoogleOnIOThread, |
| + weak_ptr_factory_.GetWeakPtr(), is_google)); |
| +} |
| + |
| +void LocalNtpSource::SetDefaultSearchProviderIsGoogleOnIOThread( |
| + bool is_google) { |
| + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); |
| + |
| + default_search_provider_is_google_io_thread_ = is_google; |
| +} |
