3 years, 7 months ago
(2017-05-22 14:08:47 UTC)
#4
andypaicu
Description was changed from ========== Added validation of the policy specified in the 'csp' attribute ...
3 years, 7 months ago
(2017-05-22 14:09:17 UTC)
#5
Description was changed from
==========
Added validation of the policy specified in the 'csp' attribute
Spec: https://w3c.github.io/webappsec-csp/embedded/#csp-attribute
The 'csp' attribute is supposed to be validated as a serialized-policy
and set to null if not a valid one
Re-used the existing wpt test that document this functionality
BUG=647588
==========
to
==========
Added validation of the policy specified in the 'csp' attribute
Spec: https://w3c.github.io/webappsec-csp/embedded/#csp-attribute
The 'csp' attribute is supposed to be validated as a serialized-policy
and set to null if not a valid one
Re-used the existing wpt test that documents this functionality
BUG=647588
==========
andypaicu
Description was changed from ========== Added validation of the policy specified in the 'csp' attribute ...
3 years, 7 months ago
(2017-05-22 14:10:12 UTC)
#6
Description was changed from
==========
Added validation of the policy specified in the 'csp' attribute
Spec: https://w3c.github.io/webappsec-csp/embedded/#csp-attribute
The 'csp' attribute is supposed to be validated as a serialized-policy
and set to null if not a valid one
Re-used the existing wpt test that documents this functionality
BUG=647588
==========
to
==========
Added validation of the policy specified in the 'csp' attribute
Spec: https://w3c.github.io/webappsec-csp/embedded/#csp-attribute
The 'csp' attribute is supposed to be validated as a serialized-policy
and set to null if not a valid one
Re-used the existing wpt test that documents this functionality
Fixed the expected and actual order in said test as it was reversed
BUG=647588
==========
andypaicu
The CQ bit was unchecked by andypaicu@chromium.org
3 years, 7 months ago
(2017-05-22 14:10:36 UTC)
#7
Dry run: Try jobs failed on following builders: win_chromium_rel_ng on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_ng/builds/451137)
3 years, 7 months ago
(2017-05-22 16:18:03 UTC)
#11
3 years, 7 months ago
(2017-05-23 12:32:54 UTC)
#15
Dry run: This issue passed the CQ dry run.
Mike West
Thanks! The implementation looks good, sorry it took me so long to get to this ...
3 years, 7 months ago
(2017-05-23 19:21:37 UTC)
#16
Thanks! The implementation looks good, sorry it took me so long to get to this
review. I've left a few comments inline, mostly about tests I'd like to see. :)
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp (right):
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:991: name = value
= "";
I don't think you actually need two strings. Something like
```
String unused;
...
if (!ParseDirective(directive_begin, position, unused, unused, nullptr))
```
should work.
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:992: if
(!ParseDirective(directive_begin, position, name, value, nullptr))
This is doing to dump console messages that probably don't make sense. I'd
suggest adding something to ... oh. That's why you added the `nullptr`. I see.
Hrm. I think I'd prefer that to be an enum. You can reuse the existing
`SecurityViolationReportingPolicy` enum if you like, but that seems better to me
than passing in a policy at the other callsites.
Oh. Hrm. Nevermind. You made it static. So that doesn't work. Hrm.
Ok. I guess it's not _too_ magical. :/ Can you add a comment to the .h file so
that potential callers understand when reports are generated?
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:996:
ContentSecurityPolicy::DirectiveType::kUndefined)
Style nit: {} after multi-line conditionals.
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp (right):
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp:1159: false);
It would be nice to get a little more coverage here. Can you copy/paste some
items out of
//LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-*.html
to flesh this out with some edge cases?
Ditto for the test we're upstreaming to WPT.
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp (left):
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp:149: if
(!value.GetString().ContainsOnlyASCII()) {
We should probably add some tests for non-ASCII characters.
andypaicu
The CQ bit was checked by andypaicu@chromium.org to run a CQ dry run
3 years, 7 months ago
(2017-05-26 14:34:17 UTC)
#17
Modified the way validation is done to simulate creating a CSPDirectiveList and catching whatever errors ...
3 years, 7 months ago
(2017-05-26 14:41:09 UTC)
#19
Modified the way validation is done to simulate creating a CSPDirectiveList and
catching whatever errors might occur.
The previous implementation would not catch directive-specific errors (e.g.
incorrect host in script-src).
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp (right):
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:991: name = value
= "";
On 2017/05/23 at 19:21:36, Mike West wrote:
> I don't think you actually need two strings. Something like
>
> ```
> String unused;
> ...
> if (!ParseDirective(directive_begin, position, unused, unused, nullptr))
> ```
>
> should work.
I've modified this whole bit.
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:992: if
(!ParseDirective(directive_begin, position, name, value, nullptr))
On 2017/05/23 at 19:21:36, Mike West wrote:
> This is doing to dump console messages that probably don't make sense. I'd
suggest adding something to ... oh. That's why you added the `nullptr`. I see.
Hrm. I think I'd prefer that to be an enum. You can reuse the existing
`SecurityViolationReportingPolicy` enum if you like, but that seems better to me
than passing in a policy at the other callsites.
>
> Oh. Hrm. Nevermind. You made it static. So that doesn't work. Hrm.
>
> Ok. I guess it's not _too_ magical. :/ Can you add a comment to the .h file so
that potential callers understand when reports are generated?
I've modified this whole bit.
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:996:
ContentSecurityPolicy::DirectiveType::kUndefined)
On 2017/05/23 at 19:21:36, Mike West wrote:
> Style nit: {} after multi-line conditionals.
I've modified this whole bit.
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp (right):
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp:1159: false);
On 2017/05/23 at 19:21:36, Mike West wrote:
> It would be nice to get a little more coverage here. Can you copy/paste some
items out of
//LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-*.html
to flesh this out with some edge cases?
>
> Ditto for the test we're upstreaming to WPT.
Done. I'll do the WPT tests separately for now. Raised crbug.com/726724
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp (left):
https://codereview.chromium.org/2896833002/diff/40001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp:149: if
(!value.GetString().ContainsOnlyASCII()) {
On 2017/05/23 at 19:21:36, Mike West wrote:
> We should probably add some tests for non-ASCII characters.
Done
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
3 years, 7 months ago
(2017-05-26 16:18:10 UTC)
#20
3 years, 7 months ago
(2017-05-26 16:18:11 UTC)
#21
Dry run: This issue passed the CQ dry run.
Mike West
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp File third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp (right): https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp#newcode995 third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:995: CSPDirectiveList::Create(policy, begin, end, header_type, header_source); I think this will ...
3 years, 6 months ago
(2017-05-29 07:46:21 UTC)
#22
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp (right):
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:995:
CSPDirectiveList::Create(policy, begin, end, header_type, header_source);
I think this will accept something like `script-src 'none', object-src 'none'`
(which is multiple policies due to the `,`). Can you add a check somewhere for
this case, which shouldn't be accepted as a `csp` attribute?
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h (right):
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h:132: return new
ContentSecurityPolicy(reporting_policy);
I don't think you need this, because we only collect parse errors in
`console_messages_` during parsing. We send them to the console during
`ApplyPolicySideEffectsToExecutionContext()`, which you'll never call on a CSP
object you only use for validity checking.
How does this sound: add a static `IsValidRequiredCSP(const String& attr)`
method to `ContentSecurityPolicy`, something along the lines of:
```
ContentSecurityPolicy* policy = ContentSecurityPolicy::Create();
policy->AddPolicyFromHeaderValue(attr, kContentSecurityPolicyHeaderTypeEnforce,
kContentSecurityPolicyHeaderSourceHTTP);
if (!policy->console_messages_.IsEmpty()) {
// Do some extra validity checks here, like checking for
`report-uri`/`report-to`?
return true;
}
return false;
```
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp (right):
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp:171: if
(!CSPDirectiveList::IsValid(
If you have a method on `ContentSecurityPolicy` itself, why do you need to
expose/use the version on CSPDirectiveList?
andypaicu
The CQ bit was checked by andypaicu@chromium.org to run a CQ dry run
3 years, 6 months ago
(2017-05-29 13:35:13 UTC)
#23
On 2017/05/29 at 07:46:21, mkwst wrote: > https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp > File third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp (right): > > https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp#newcode995 ...
3 years, 6 months ago
(2017-05-29 13:45:24 UTC)
#28
On 2017/05/29 at 07:46:21, mkwst wrote:
>
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
> File third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp (right):
>
>
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
> third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp:995:
CSPDirectiveList::Create(policy, begin, end, header_type, header_source);
> I think this will accept something like `script-src 'none', object-src 'none'`
(which is multiple policies due to the `,`). Can you add a check somewhere for
this case, which shouldn't be accepted as a `csp` attribute?
>
>
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
> File third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h (right):
>
>
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
> third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h:132: return
new ContentSecurityPolicy(reporting_policy);
> I don't think you need this, because we only collect parse errors in
`console_messages_` during parsing. We send them to the console during
`ApplyPolicySideEffectsToExecutionContext()`, which you'll never call on a CSP
object you only use for validity checking.
>
> How does this sound: add a static `IsValidRequiredCSP(const String& attr)`
method to `ContentSecurityPolicy`, something along the lines of:
>
> ```
> ContentSecurityPolicy* policy = ContentSecurityPolicy::Create();
> policy->AddPolicyFromHeaderValue(attr,
kContentSecurityPolicyHeaderTypeEnforce,
kContentSecurityPolicyHeaderSourceHTTP);
> if (!policy->console_messages_.IsEmpty()) {
> // Do some extra validity checks here, like checking for
`report-uri`/`report-to`?
> return true;
> }
> return false;
> ```
>
>
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
> File third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp (right):
>
>
https://codereview.chromium.org/2896833002/diff/60001/third_party/WebKit/Sour...
> third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp:171: if
(!CSPDirectiveList::IsValid(
> If you have a method on `ContentSecurityPolicy` itself, why do you need to
expose/use the version on CSPDirectiveList?
Good idea, I've done pretty much exactly that.
andypaicu
3 years, 6 months ago
(2017-05-29 13:46:03 UTC)
#29
Mike West
LGTM % nits. Thanks for working on this! https://codereview.chromium.org/2896833002/diff/80001/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html File third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html (right): https://codereview.chromium.org/2896833002/diff/80001/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html#newcode23 third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html:23: "expected": ...
3 years, 6 months ago
(2017-05-29 13:49:31 UTC)
#30
CQ is committing da patch. Bot data: {"patchset_id": 120001, "attempt_start_ts": 1496140655119470, "parent_rev": "2f78b5b66d3637fa3d2b2b13ff2d39d98985d27f", "commit_rev": "4124bfba87179d73b33c54d6add5b2ac82a090b4"}
3 years, 6 months ago
(2017-05-30 10:42:27 UTC)
#41
CQ is committing da patch.
Bot data: {"patchset_id": 120001, "attempt_start_ts": 1496140655119470,
"parent_rev": "2f78b5b66d3637fa3d2b2b13ff2d39d98985d27f", "commit_rev":
"4124bfba87179d73b33c54d6add5b2ac82a090b4"}
commit-bot: I haz the power
Description was changed from ========== Added validation of the policy specified in the 'csp' attribute ...
3 years, 6 months ago
(2017-05-30 10:42:34 UTC)
#42
Message was sent while issue was closed.
Description was changed from
==========
Added validation of the policy specified in the 'csp' attribute
Spec: https://w3c.github.io/webappsec-csp/embedded/#csp-attribute
The 'csp' attribute is supposed to be validated as a serialized-policy
and set to null if not a valid one
Re-used the existing wpt test that documents this functionality
Fixed the expected and actual order in said test as it was reversed
BUG=647588
==========
to
==========
Added validation of the policy specified in the 'csp' attribute
Spec: https://w3c.github.io/webappsec-csp/embedded/#csp-attribute
The 'csp' attribute is supposed to be validated as a serialized-policy
and set to null if not a valid one
Re-used the existing wpt test that documents this functionality
Fixed the expected and actual order in said test as it was reversed
BUG=647588
Review-Url: https://codereview.chromium.org/2896833002
Cr-Commit-Position: refs/heads/master@{#475487}
Committed:
https://chromium.googlesource.com/chromium/src/+/4124bfba87179d73b33c54d6add5...
==========
commit-bot: I haz the power
Committed patchset #7 (id:120001) as https://chromium.googlesource.com/chromium/src/+/4124bfba87179d73b33c54d6add5b2ac82a090b4
3 years, 6 months ago
(2017-05-30 10:42:35 UTC)
#43
Issue 2896833002: Added validation of the policy specified in the 'csp' attribute
(Closed)
Created 3 years, 7 months ago by andypaicu
Modified 3 years, 6 months ago
Reviewers: Mike West
Base URL:
Comments: 25
Chromium Code Reviews
Issue
2896833002:
Added validation of the policy specified in the 'csp' attribute (Closed)
