[ServiceWorker] CSP support for ServiceWorker environment.

Source/web/WebEmbeddedWorkerImpl.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 15 matching lines @@
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
 #include "web/WebEmbeddedWorkerImpl.h"
 
 #include "core/dom/CrossThreadTask.h"
 #include "core/dom/Document.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/inspector/InspectorInstrumentation.h"
 #include "core/inspector/WorkerDebuggerAgent.h"
 #include "core/inspector/WorkerInspectorController.h"
 #include "core/loader/FrameLoadRequest.h"
 #include "core/loader/SubstituteData.h"
 #include "core/workers/WorkerClients.h"
 #include "core/workers/WorkerGlobalScope.h"
 #include "core/workers/WorkerInspectorProxy.h"
 #include "core/workers/WorkerLoaderProxy.h"
 #include "core/workers/WorkerScriptLoader.h"
 #include "core/workers/WorkerScriptLoaderClient.h"
 #include "core/workers/WorkerThreadStartupData.h"
 #include "modules/serviceworkers/ServiceWorkerThread.h"
 #include "platform/SharedBuffer.h"
 #include "platform/heap/Handle.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
+#include "platform/network/ContentSecurityPolicyResponseHeaders.h"
 #include "public/platform/Platform.h"
 #include "public/platform/WebURLRequest.h"
 #include "public/web/WebDevToolsAgent.h"
 #include "public/web/WebServiceWorkerContextClient.h"
 #include "public/web/WebServiceWorkerNetworkProvider.h"
 #include "public/web/WebSettings.h"
 #include "public/web/WebView.h"
 #include "public/web/WebWorkerPermissionClientProxy.h"
 #include "web/ServiceWorkerGlobalScopeClientImpl.h"
 #include "web/ServiceWorkerGlobalScopeProxy.h"
@@ skipping 19 matching lines @@
 
     void load(ExecutionContext* loadingContext, const KURL& scriptURL, const Closure& callback)
     {
         ASSERT(loadingContext);
         m_callback = callback;
         m_scriptLoader->setRequestContext(WebURLRequest::RequestContextServiceWorker);
         m_scriptLoader->loadAsynchronously(
             *loadingContext, scriptURL, DenyCrossOriginRequests, this);
     }
 
+    void didReceiveResponse(unsigned long identifier, const ResourceResponse& response) override
+    {
+        m_contentSecurityPolicy = ContentSecurityPolicy::create();
+        m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
+        m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
+    }
+
     virtual void notifyFinished() override
     {
         m_callback();
     }
 
     void cancel()
     {
         m_scriptLoader->cancel();
     }
 
     bool failed() const { return m_scriptLoader->failed(); }
     const KURL& url() const { return m_scriptLoader->responseURL(); }
     String script() const { return m_scriptLoader->script(); }
+    PassRefPtr<ContentSecurityPolicy> releaseContentSecurityPolicy() { return m_contentSecurityPolicy.release(); }
 
 private:
     Loader() : m_scriptLoader(WorkerScriptLoader::create())
     {
     }
 
     RefPtr<WorkerScriptLoader> m_scriptLoader;
+    RefPtr<ContentSecurityPolicy> m_contentSecurityPolicy;
     Closure m_callback;
 };
 
 class WebEmbeddedWorkerImpl::LoaderProxy : public WorkerLoaderProxy {
 public:
     static PassOwnPtr<LoaderProxy> create(WebEmbeddedWorkerImpl& embeddedWorker)
     {
         return adoptPtr(new LoaderProxy(embeddedWorker));
     }
 
@@ skipping 279 matching lines @@
     if (InspectorInstrumentation::shouldPauseDedicatedWorkerOnStart(document))
         startMode = PauseWorkerGlobalScopeOnStart;
 
     // FIXME: this document's origin is pristine and without any extra privileges. (crbug.com/254993)
     SecurityOrigin* starterOrigin = document->securityOrigin();
 
     OwnPtrWillBeRawPtr<WorkerClients> workerClients = WorkerClients::create();
     providePermissionClientToWorker(workerClients.get(), m_permissionClient.release());
     provideServiceWorkerGlobalScopeClientToWorker(workerClients.get(), ServiceWorkerGlobalScopeClientImpl::create(*m_workerContextClient));
 
+    // We need to set the CSP to both the shadow page's document and the ServiceWorkerGlobalScope.
+    document->initContentSecurityPolicy(m_mainScriptLoader->releaseContentSecurityPolicy());
+
     KURL scriptURL = m_mainScriptLoader->url();
     OwnPtrWillBeRawPtr<WorkerThreadStartupData> startupData =
         WorkerThreadStartupData::create(
             scriptURL,
             m_workerStartData.userAgent,
             m_mainScriptLoader->script(),
             startMode,
-            // FIXME: fill appropriate CSP info and policy type.
-            String(),
-            ContentSecurityPolicyHeaderTypeEnforce,
+            document->contentSecurityPolicy()->deprecatedHeader(),

[Mike West, 2014/11/12 12:28:36]

I don't think this is correct; it differs from the flow described in
https://w3c.github.io/webappsec/specs/content-security-policy/#processing-mod....
In short, we should only inherit a policy from the creating document if we're
creating the Worker from a `blob:` or `filesystem:` (or `data:`, I guess) URL.

If we're loading an HTTPS URL, we should set the Worker's policy to whatever is
delivered via the HTTP header.

[horo, 2014/11/13 01:09:02]

This document is not the document who created (registered) the ServiceWorker.
It is the document of the shadow page which is created in
WebEmbeddedWorkerImpl::prepareShadowPageForLoader() for handling the resource
loading.
We create ContentSecurityPolicy from the HTTP headers of the script file in
WebEmbeddedWorkerImpl::Loader::didReceiveResponse().
And set the CSP to the document (at lint 422) and the ServiceWorkerGlobalScope.

We need to set CPS to the document because it will be used while handling the
redirect responses in
DocumentThreadableLoader::isAllowedByContentSecurityPolicy().

[Mike West, 2014/11/19 10:31:49]

Hrm. Ok, then I misunderstood the implementation here. You're basically creating
a dummy document in order to handle resource requests? That seems weird, but
it's certainly not something to change in this CL.

[horo, 2014/11/19 12:35:41]

Yes.
We create the dummy document which lives in the main thread and handles the
resource requests.

In the worker thread we use WorkerThreadableLoader to load the resources.
It communicates with the dummy document using
WorkerThreadableLoader::MainThreadBridge and WorkerLoaderProxy to go across the
threads.

+            document->contentSecurityPolicy()->deprecatedHeaderType(),
             starterOrigin,
             workerClients.release());
 
     m_mainScriptLoader.clear();
 
     m_workerGlobalScopeProxy = ServiceWorkerGlobalScopeProxy::create(*this, *document, *m_workerContextClient);
     m_loaderProxy = LoaderProxy::create(*this);
     m_workerThread = ServiceWorkerThread::create(*m_loaderProxy, *m_workerGlobalScopeProxy, startupData.release());
     m_workerThread->start();
     m_workerInspectorProxy->workerThreadCreated(document, m_workerThread.get(), scriptURL);
 }
 
 } // namespace blink