[ServiceWorker] CSP support for ServiceWorker environment.

Source/modules/serviceworkers/FetchManager.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "FetchManager.h"
 
 #include "bindings/core/v8/ExceptionState.h"
 #include "bindings/core/v8/ScriptPromiseResolver.h"
 #include "bindings/core/v8/ScriptState.h"
 #include "bindings/core/v8/V8ThrowException.h"
 #include "core/dom/ExceptionCode.h"
 #include "core/fetch/FetchUtils.h"
 #include "core/fileapi/Blob.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/loader/ThreadableLoader.h"
 #include "core/loader/ThreadableLoaderClient.h"
 #include "modules/serviceworkers/FetchRequestData.h"
 #include "modules/serviceworkers/Response.h"
 #include "modules/serviceworkers/ResponseInit.h"
 #include "platform/network/ResourceRequest.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/WebURLRequest.h"
 #include "wtf/HashSet.h"
 
@@ skipping 125 matching lines @@
     // We set the referrer using workerGlobalScope's URL in
     // WorkerThreadableLoader.
 
     // "3. If |request|'s synchronous flag is unset and fetch is not invoked
     // recursively, run the remaining steps asynchronously."
     // We don't support synchronous flag.
 
     // "4. Let response be the value corresponding to the first matching
     // statement:"
 
-    // "- should fetching |request| be blocked as mixed content returns blocked
-    //  - should fetching |request| be blocked as content security returns
-    //    blocked
-    //      A network error."
-    // We do mixed content checking and CSP checking in ResourceFetcher.
+    // "- should fetching |request| be blocked as mixed content returns blocked"
+    // We do mixed content checking in ResourceFetcher.
+
+    // "- should fetching |request| be blocked as content security returns
+    //    blocked"
+    if (!ContentSecurityPolicy::shouldBypassMainWorld(m_executionContext) && !m_executionContext->contentSecurityPolicy()->allowConnectToSource(m_request->url())) {

[Mike West, 2014/11/19 10:31:49]

Why do we do the CSP check here, rather than in ResourceFetcher? It would be
nice to centralize the security checks we're applying to resource requests.

[horo, 2014/11/19 12:35:41]

The old comment was wrong.
We don't check CSP for fetch API currently.

The CSP check for "connect-src" is not handled in ResourceFetcher but in
XMLHttpRequest::open() and NavigatorBeacon::canSendBeacon() and
DOMWebSocket::connect().
So for fetch API it is better to check this in FetchManager::Loader.

[Mike West, 2014/11/19 12:40:45]

We check in both XMLHTTPRequest and ResourceFetcher, don't we? ResourceFetcher
catches redirects, which aren't visible from `open()`.

[horo, 2014/11/19 12:57:34]

Are you saying "both XMLHTTPRequest and DocumentThreadableLoader"?
Yes.
DocumentThreadableLoader::isAllowedByContentSecurityPolicy() is called to check
the redirected URL.

+        // "A network error."
+        performNetworkError();
+        return;
+    }
 
     // "- |request|'s url's origin is |request|'s origin and the |CORS flag| is
     //    unset"
     // "- |request|'s url's scheme is 'data' and |request|'s same-origin data
     //    URL flag is set"
     // "- |request|'s url's scheme is 'about'"
     if ((SecurityOrigin::create(m_request->url())->isSameSchemeHostPort(m_request->origin().get()) && !m_corsFlag)
         || (m_request->url().protocolIsData() && m_request->sameOriginDataURLFlag())
         || (m_request->url().protocolIsAbout())) {
         // "The result of performing a basic fetch using request."
@@ skipping 129 matching lines @@
     // mode is |include|, or |HTTPRequest|'s credentials mode is |same-origin|
     // and the |CORS flag| is unset, and unset otherwise.
     ResourceLoaderOptions resourceLoaderOptions;
     resourceLoaderOptions.dataBufferingPolicy = DoNotBufferData;
     if (m_request->credentials() == WebURLRequest::FetchCredentialsModeInclude
         || (m_request->credentials() == WebURLRequest::FetchCredentialsModeSameOrigin && !m_corsFlag)) {
         resourceLoaderOptions.allowCredentials = AllowStoredCredentials;
     }
 
     ThreadableLoaderOptions threadableLoaderOptions;
+    threadableLoaderOptions.contentSecurityPolicyEnforcement = ContentSecurityPolicy::shouldBypassMainWorld(m_executionContext) ? DoNotEnforceContentSecurityPolicy : EnforceConnectSrcDirective;
     if (m_corsPreflightFlag)
         threadableLoaderOptions.preflightPolicy = ForcePreflight;
     if (m_corsFlag)
         threadableLoaderOptions.crossOriginRequestPolicy = UseAccessControl;
     else
         threadableLoaderOptions.crossOriginRequestPolicy = AllowCrossOriginRequests;
 
-
     m_loader = ThreadableLoader::create(*m_executionContext, this, request, threadableLoaderOptions, resourceLoaderOptions);
 }
 
 void FetchManager::Loader::failed()
 {
     if (m_failed)
         return;
     if (!m_resolver->executionContext() || m_resolver->executionContext()->activeDOMObjectsAreStopped())
         return;
     m_failed = true;
@@ skipping 31 matching lines @@
     loader->start();
     return promise;
 }
 
 void FetchManager::onLoaderFinished(Loader* loader)
 {
     m_loaders.remove(loader);
 }
 
 } // namespace blink