Initialize a default feature policy for all documents

third_party/WebKit/Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All
  * rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  * (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
@@ skipping 5625 matching lines @@
        link_element;
        link_element = Traversal<HTMLLinkElement>::NextSibling(*link_element)) {
     if (!link_element->RelAttribute().IsManifest())
       continue;
     return link_element;
   }
 
   return 0;
 }
 
+void Document::SetFeaturePolicy(const String& feature_policy_header) {
+  if (!RuntimeEnabledFeatures::featurePolicyEnabled())
+    return;
+
+  WebFeaturePolicy* parent_feature_policy = nullptr;
+  WebParsedFeaturePolicy container_policy;
+  Vector<String> messages;
+  const WebParsedFeaturePolicy& parsed_header =
+      ParseFeaturePolicy(feature_policy_header, GetSecurityOrigin(), &messages);
+
+  // If this frame is not the main frame, then get the appropriate parent policy
+  // and container policy to construct the policy for this frame.
+  if (frame_) {
+    if (!frame_->IsMainFrame()) {
+      parent_feature_policy =
+          frame_->Tree().Parent()->GetSecurityContext()->GetFeaturePolicy();
+    }
+    if (frame_->Owner())
+      container_policy = frame_->Owner()->ContainerPolicy();
+  }
+
+  // Check that if there is a parent frame, that its feature policy is
+  // correctly initialized. Crash if that is not the case. (Temporary crash for
+  // isolating the cause of https://crbug.com/722333)
+  // Note that even with this check removed, the process will stil crash in
+  // feature_policy.cc when it attempts to dereference parent_feature_policy.
+  // This check is to distinguish between two possible causes.
+  if (!container_policy.empty())
+    CHECK(frame_ && (frame_->IsMainFrame() || parent_feature_policy));
+
+  InitializeFeaturePolicy(parsed_header, container_policy,
+                          parent_feature_policy);
+
+  for (auto& message : messages) {

[jbroman, 2017/05/26 18:33:16]

nit: prefer "const auto&" where possible

[iclelland, 2017/05/26 19:14:25]

Done.

+    AddConsoleMessage(
+        ConsoleMessage::Create(kOtherMessageSource, kErrorMessageLevel,
+                               "Error with Feature-Policy header: " + message));
+  }
+  if (frame_ && !parsed_header.empty())
+    frame_->Client()->DidSetFeaturePolicyHeader(parsed_header);
+}
+
 void Document::InitSecurityContext(const DocumentInit& initializer) {
   DCHECK(!GetSecurityOrigin());
 
   if (!initializer.HasSecurityContext()) {
     // No source for a security context.
     // This can occur via document.implementation.createDocument().
     cookie_url_ = KURL(kParsedURLString, g_empty_string);
     SetSecurityOrigin(SecurityOrigin::CreateUnique());
     InitContentSecurityPolicy();
+    SetFeaturePolicy("");

[jbroman, 2017/05/26 18:33:16]

super-nit: g_empty_string is slightly more efficient than "", here and below

[iclelland, 2017/05/26 19:14:26]

Done (both instances).

     // Unique security origins cannot have a suborigin
     return;
   }
 
   // In the common case, create the security context from the currently
   // loading URL with a fresh content security policy.
   EnforceSandboxFlags(initializer.GetSandboxFlags());
   SetInsecureRequestPolicy(initializer.GetInsecureRequestPolicy());
   if (initializer.InsecureNavigationsToUpgrade()) {
     for (auto to_upgrade : *initializer.InsecureNavigationsToUpgrade())
@@ skipping 80 matching lines @@
     is_srcdoc_document_ = true;
     SetBaseURLOverride(initializer.ParentBaseURL());
   }
 
   if (GetSecurityOrigin()->IsUnique() &&
       SecurityOrigin::Create(url_)->IsPotentiallyTrustworthy())
     GetSecurityOrigin()->SetUniqueOriginIsPotentiallyTrustworthy(true);
 
   if (GetSecurityOrigin()->HasSuborigin())
     EnforceSuborigin(*GetSecurityOrigin()->GetSuborigin());
+
+  SetFeaturePolicy("");
 }
 
 void Document::InitContentSecurityPolicy(ContentSecurityPolicy* csp) {
   SetContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::Create());
 
   // We inherit the parent/opener's CSP for documents with "local" schemes:
   // 'about', 'blob', 'data', and 'filesystem'. We also inherit CSP for
   // documents with empty/invalid URLs because we treat those URLs as
   // 'about:blank' in Blink.
   //
@@ skipping 1039 matching lines @@
 }
 
 void showLiveDocumentInstances() {
   WeakDocumentSet& set = liveDocumentSet();
   fprintf(stderr, "There are %u documents currently alive:\n", set.size());
   for (blink::Document* document : set)
     fprintf(stderr, "- Document %p URL: %s\n", document,
             document->Url().GetString().Utf8().data());
 }
 #endif