PlzNavigate: Do not disclose urls between cross-origin renderers.

content/common/content_security_policy/content_security_policy.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <sstream>
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "content/common/content_security_policy/csp_context.h"
 
 namespace content {
@@ skipping 26 matching lines @@
   return url.spec();
 }
 
 void ReportViolation(CSPContext* context,
                      const ContentSecurityPolicy& policy,
                      const CSPDirective& directive,
                      const CSPDirective::Name directive_name,
                      const GURL& url,
                      bool is_redirect,
                      const SourceLocation& source_location) {
+  // For security reasons, some urls must not be disclosed. It includes the
+  // blocked url and the source location of the error. Care must be taken to
+  // ensure that these information are not transmitted between different

[alexmos, 2017/05/12 01:37:20]

nit: "these information are" -> "these are" (or "this information is"

[arthursonzogni, 2017/05/15 12:20:46]

Done.

+  // cross-origin renderers.

[alexmos, 2017/05/12 01:37:20]

Perhaps also include a reference to https://crbug.com/633306?

[arthursonzogni, 2017/05/15 12:20:46]

Done (In RenderFrameHostImpl::SanitizeDataForUseInCspViolation)

+  GURL safe_url = context->ShouldProtectDataInCspViolation(url::Origin(url))
+                      ? url.GetOrigin()
+                      : url;

[Mike West, 2017/05/12 14:16:44]

I think we can skip this if |is_redirect| is false (because if it's not a
redirect, the initiating renderer already knows the URL, since it created the
request. I suspect that will solve some of the changed tests.

[arthursonzogni, 2017/05/15 12:20:46]

For form-action: I think you are right.
For frame-src: When a cross-origin subframe navigates by itself, I think the
main frame doesn't know (and mustn't know) the url.

I think we can skip if |is_redirect| is false and |directive| is form-action.

[alexmos, 2017/05/16 05:56:48]

Ack - I think that makes sense to me.  Mike, do you agree?

+
+  url::Origin source_location_origin(GURL(source_location.url));
+  SourceLocation safe_source_location =
+      context->ShouldProtectDataInCspViolation(source_location_origin)
+          ? SourceLocation(source_location_origin.Serialize(), 0u, 0u)
+          : source_location;
+
   // We should never have a violation against `child-src` or `default-src`
   // directly; the effective directive should always be one of the explicit
   // fetch directives.
   DCHECK_NE(directive_name, CSPDirective::DefaultSrc);
   DCHECK_NE(directive_name, CSPDirective::ChildSrc);
 
   std::stringstream message;
 
   if (policy.header.type == blink::kWebContentSecurityPolicyTypeReport)
     message << "[Report Only] ";
 
   if (directive_name == CSPDirective::FormAction)
     message << "Refused to send form data to '";
   else if (directive_name == CSPDirective::FrameSrc)
     message << "Refused to frame '";
 
-  message << ElideURLForReportViolation(url)
+  message << ElideURLForReportViolation(safe_url)
           << "' because it violates the following Content Security Policy "
              "directive: \""
           << directive.ToString() << "\".";
 
   if (directive.name != directive_name)
     message << " Note that '" << CSPDirective::NameToString(directive_name)
             << "' was not explicitly set, so '"
             << CSPDirective::NameToString(directive.name)
             << "' is used as a fallback.";
 
   message << "\n";
 
   context->ReportContentSecurityPolicyViolation(CSPViolationParams(
       CSPDirective::NameToString(directive.name),
-      CSPDirective::NameToString(directive_name), message.str(), url,
+      CSPDirective::NameToString(directive_name), message.str(), safe_url,
       policy.report_endpoints, policy.header.header_value, policy.header.type,
-      is_redirect, source_location));
+      is_redirect, safe_source_location));
 }
 
 bool AllowDirective(CSPContext* context,
                     const ContentSecurityPolicy& policy,
                     const CSPDirective& directive,
                     CSPDirective::Name directive_name,
                     const GURL& url,
                     bool is_redirect,
                     const SourceLocation& source_location) {
   if (CSPSourceList::Allow(directive.source_list, url, context, is_redirect))
@@ skipping 80 matching lines @@
     is_first_policy = false;
     text << "report-uri";
     for (const std::string& endpoint : report_endpoints)
       text << " " << endpoint;
   }
 
   return text.str();
 }
 
 }  // namespace content